EU 2022/2554
Digital Operational Resilience Act
Mandatory digital operational resilience for the financial sector.
64 articles
0 with Luxgap guidance
24h avg response time
CHAPTER I — General provisions
CHAPTER II — ICT risk management
Art. 5
Governance and organisation
Art. 6
ICT risk management framework
Art. 7
ICT systems, protocols and tools
Art. 8
Identification
Art. 9
Protection and prevention
Art. 10
Detection
Art. 11
Response and recovery
Art. 12
Backup policies and procedures, restoration and recovery procedures and methods
Art. 13
Learning and evolving
Art. 14
Communication
Art. 15
Further harmonisation of ICT risk management tools, methods, processes and policies
Art. 16
Simplified ICT risk management framework
CHAPTER III — ICT-related incident management, classification and reporting
Art. 17
ICT-related incident management process
Art. 18
Classification of ICT-related incidents and cyber threats
Art. 19
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Art. 20
Harmonisation of reporting content and templates
Art. 21
Centralisation of reporting of major ICT-related incidents
Art. 22
Supervisory feedback
Art. 23
Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
CHAPTER IV — Digital operational resilience testing
CHAPTER V — Managing of ICT third-party risk
Art. 28
General principles
Art. 29
Preliminary assessment of ICT concentration risk at entity level
Art. 30
Key contractual provisions
Art. 31
Designation of critical ICT third-party service providers
Art. 32
Structure of the Oversight Framework
Art. 33
Tasks of the Lead Overseer
Art. 34
Operational coordination between Lead Overseers
Art. 35
Powers of the Lead Overseer
Art. 36
Exercise of the powers of the Lead Overseer outside the Union
Art. 37
Request for information
Art. 38
General investigations
Art. 39
Inspections
Art. 40
Ongoing oversight
Art. 41
Harmonisation of conditions enabling the conduct of the oversight activities
Art. 42
Follow-up by competent authorities
Art. 43
Oversight fees
Art. 44
International cooperation
CHAPTER VI — Information-sharing arrangements
CHAPTER VII — Competent authorities
Art. 46
Competent authorities
Art. 47
Cooperation with structures and authorities established by Directive (EU) 2022/2555
Art. 48
Cooperation between authorities
Art. 49
Financial cross-sector exercises, communication and cooperation
Art. 50
Administrative penalties and remedial measures
Art. 51
Exercise of the power to impose administrative penalties and remedial measures
Art. 52
Criminal penalties
Art. 53
Notification duties
Art. 54
Publication of administrative penalties
Art. 55
Professional secrecy
Art. 56
Data Protection
CHAPTER VIII — Delegated acts
CHAPTER IX — Transitional and final provisions
Art. 58
Review clause
Art. 59
Amendments to Regulation (EC) No 1060/2009
Art. 60
Amendments to Regulation (EU) No 648/2012
Art. 61
Amendments to Regulation (EU) No 909/2014
Art. 62
Amendments to Regulation (EU) No 600/2014
Art. 63
Amendment to Regulation (EU) 2016/1011
Art. 64
Entry into force and application
Need to comply with DORA?
Our DPO and CISO team supports over 80 Luxembourg organisations. Free diagnosis, quote within 48h.