UE 2022/2554
Digital Operational Resilience Act
Mandatory digital operational resilience for the financial sector.
106 recitals
Rec. 1
In the digital age, information and communication technology (ICT)...
Rec. 2
The use of ICT has in the past decades gained a pivotal role in the...
Rec. 3
The European Systemic Risk Board (ESRB) reaffirmed in a 2020 report...
Rec. 4
In recent years, ICT risk has attracted the attention of...
Rec. 5
Despite Union and national targeted policy and legislative...
Rec. 6
In its Communication of 8 March 2018 entitled ‘FinTech Action plan:...
Rec. 7
In April 2019, the European Supervisory Authority (European Banking...
Rec. 8
The Union financial sector is regulated by a Single Rulebook and...
Rec. 9
Legislative disparities and uneven national regulatory or supervisory...
Rec. 10
To date, due to the ICT risk related provisions being only partially...
Rec. 11
As the Single Rulebook has not been accompanied by a comprehensive...
Rec. 12
This Regulation aims to consolidate and upgrade ICT risk requirements...
Rec. 13
Financial entities should follow the same approach and the same...
Rec. 14
A Regulation helps reduce regulatory complexity, fosters supervisory...
Rec. 15
Directive (EU) 2016/1148 of the European Parliament and of the...
Rec. 16
However, as this Regulation increases the level of harmonisation of...
Rec. 17
In accordance with Article 4(2) of the Treaty on European Union and...
Rec. 18
To enable cross-sector learning and to effectively draw on...
Rec. 19
Given the strong interlinkages between the digital resilience and the...
Rec. 20
Cloud computing service providers are one category of digital...
Rec. 21
In order to maintain full control over ICT risk, financial entities...
Rec. 22
ICT-related incident reporting thresholds and taxonomies vary...
Rec. 23
To reduce the administrative burden and potentially duplicative...
Rec. 24
To enable competent authorities to fulfil supervisory roles by...
Rec. 25
Digital operational resilience testing requirements have been...
Rec. 26
In addition, where no ICT testing is required, vulnerabilities remain...
Rec. 27
Financial entities’ reliance on the use of ICT services is partly...
Rec. 28
The extensive use of ICT services is evidenced by complex contractual...
Rec. 29
Even though Union financial services law contains certain general...
Rec. 30
A certain lack of homogeneity and convergence regarding the...
Rec. 31
Taking into account the potential systemic risk entailed by increased...
Rec. 32
With ICT risk becoming more and more complex and sophisticated, good...
Rec. 33
In addition, doubts about the type of information that can be shared...
Rec. 34
Financial entities should be encouraged to exchange among themselves...
Rec. 35
In order to maintain a high level of digital operational resilience...
Rec. 36
Notwithstanding the broad coverage envisaged by this Regulation, the...
Rec. 37
Account information service providers, referred to in Article 33(1)...
Rec. 38
As larger financial entities might enjoy wider resources and can...
Rec. 39
Some financial entities benefit from exemptions or are subject to a...
Rec. 40
Since the entities referred to in Article 2(5), points (4) to (23),...
Rec. 41
Similarly, in order to align this Regulation to the scope of...
Rec. 42
Under sector-specific Union law, some financial entities are subject...
Rec. 43
Similarly, financial entities which qualify as microenterprises or...
Rec. 44
As only those financial entities identified for the purposes of the...
Rec. 45
To ensure full alignment and overall consistency between financial...
Rec. 46
Moreover, the principle of the management body’s full and ultimate...
Rec. 47
Inspired by relevant international, national and industry best...
Rec. 48
To keep pace with an evolving cyber threat landscape, financial...
Rec. 49
Efficient business continuity and recovery plans are necessary to...
Rec. 50
While this Regulation allows financial entities to determine their...
Rec. 51
The propagators of cyber-attacks tend to pursue financial gains...
Rec. 52
The direct reporting should enable financial supervisors to have...
Rec. 53
While all financial entities should be required to carry out incident...
Rec. 54
This Regulation should require credit institutions, payment...
Rec. 55
The ESAs should be tasked with assessing the feasibility and...
Rec. 56
In order to achieve a high level of digital operational resilience,...
Rec. 57
Financial entities involved in cross-border activities and exercising...
Rec. 58
To draw on the expertise already acquired by certain competent...
Rec. 59
Since this Regulation does not require financial entities to cover...
Rec. 60
Pooled testing within the meaning of this Regulation – involving the...
Rec. 61
In order to take advantage of internal resources available at...
Rec. 62
To ensure a sound monitoring of ICT third-party risk in the financial...
Rec. 63
To address the complexity of the various sources of ICT risk, while...
Rec. 64
A financial entity should at all times remain fully responsible for...
Rec. 65
The conduct of such monitoring should follow a strategic approach to...
Rec. 66
A thorough pre-contracting analysis should underpin and precede the...
Rec. 67
To address the systemic impact of ICT third-party concentration risk,...
Rec. 68
To evaluate and monitor on a regular basis the ability of an ICT...
Rec. 69
When renegotiating contractual arrangements to seek alignment with...
Rec. 70
The definition of ‘critical or important function’ provided for in...
Rec. 71
Irrespective of the criticality or importance of the function...
Rec. 72
In addition to such contractual provisions, and with a view to...
Rec. 73
Contracts for the provision of ICT services supporting critical or...
Rec. 74
Such contractual arrangements should also provide for dedicated exit...
Rec. 75
Moreover, the voluntary use of standard contractual clauses developed...
Rec. 76
With a view to promoting convergence and efficiency in relation to...
Rec. 77
The Oversight Framework should apply only to critical ICT third-party...
Rec. 78
Similarly, financial entities providing ICT services to other...
Rec. 79
The digital transformation experienced in financial services has...
Rec. 80
The Oversight Framework largely depends on the degree of...
Rec. 81
Against this background, the need of the Lead Overseer to impose...
Rec. 82
The requirement to set up a subsidiary in the Union should not...
Rec. 83
Critical ICT third-party service providers should be able to provide...
Rec. 84
To facilitate communication with the Lead Overseer and to ensure...
Rec. 85
The Oversight Framework should be without prejudice to Member States’...
Rec. 86
To leverage the multi-layered institutional architecture in the...
Rec. 87
To ensure that critical ICT third-party service providers are...
Rec. 88
Lead Overseers should be granted the necessary powers to conduct...
Rec. 89
Due to the significant impact of being designated as critical, this...
Rec. 90
Competent authorities should duly include the task of verifying...
Rec. 91
The exercise of the oversight should be guided by three operational...
Rec. 92
The Oversight Framework should not replace, or in any way or for any...
Rec. 93
To avoid duplications and overlaps, competent authorities should...
Rec. 94
To promote convergence at international level as regards the use of...
Rec. 95
To leverage the specific competences, technical skills and expertise...
Rec. 96
Whereas costs resulting from oversight tasks would be fully funded...
Rec. 97
Competent authorities should have all required supervisory,...
Rec. 98
In order to further quantify and qualify the criteria for the...
Rec. 99
Regulatory technical standards should ensure the consistent...
Rec. 100
To facilitate the comparability of reports on major ICT-related...
Rec. 101
Since further requirements have already been specified through...
Rec. 102
Since this Regulation, together with Directive (EU) 2022/2556 of the...
Rec. 103
Consequently, the scope of the relevant articles related to...
Rec. 104
The potential systemic cyber risk associated with the use of ICT...
Rec. 105
Since the objective of this Regulation, namely to achieve a high...
Rec. 106
The European Data Protection Supervisor was consulted in accordance...