Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Regulation (EU) 2022/2554 lays down uniform rules on the security of network and information systems of financial entities, such as banks, insurance companies and investment firms.
It covers a wide range of European Union (EU) regulated financial entities, requiring them to withstand, respond to and recover from any disruption or threat involving information and communication technologies (ICT).
have in place internal governance and control measures that ensure effective and prudent management of ICT risk;
ensure that their management body defines, approves, oversees and is responsible for all the relevant arrangements;
have in place a sound, comprehensive and well-documented ICT risk management framework with the necessary strategies, policies, procedures, protocols and tools to respond quickly and efficiently;
use and maintain updated ICT systems, protocols and tools that are appropriate, reliable and technologically resilient, and that have sufficient capacity;
identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, and review risk scenarios;
continuously monitor the security and operation of ICT systems and tools to minimise the impact of any ICT risk;
promptly detect anomalies and identify potential failure points;
put in place a comprehensive ICT business continuity policy with appropriate plans, procedures and mechanisms;
develop and document backup policies and restoration and recovery procedures;
deploy resources and staff to assess vulnerabilities, cyber threats and ICT-related incidents, especially cyberattacks, and analyse their potential impact on the entity’s digital operational resilience;
devise crisis communication plans to disclose at least major ICT-related incidents or vulnerabilities to clients, counterparts and the public.
ICT-related management, classification and reporting
Financial entities must:
define, establish and implement measures to detect, manage, record and notify ICT-related incidents;
classify incidents and determine their impact using criteria such as number of clients and counterparts affected, duration, geographical spread and data losses;
Financial entities, other than microenterprises, must:
establish, maintain and review a sound and comprehensive digital operational testing programme equipped with the necessary assessments, tests, methodologies, practices and tools;
carry out, at least every three years, threat-level penetration testing based on their risk profile and taking account of operational circumstances, and only use testers that are certified, possess the necessary expertise and suitability and have professional indemnity insurance.
Managing ICT third-party risk
Financial entities must:
manage third-party risk as an integral component of their overall ICT risk;
have in place contractual arrangements for ICT services to run their business operations in full compliance with the relevant legislation;
take account of the nature, scale, complexity and importance of ICT-related dependencies and any potential risks;
weigh the benefits and costs of alternative solutions when identifying and assessing any risks involved;
include in the contract each party’s rights and obligations and the service agreement.
Oversight framework of critical ICT third-party service providers
designate, on the basis of clear criteria, the ICT third-party service providers considered to be critical for financial entities,
appoint, as lead overseer for each critical third-party service provider, the ESA responsible for the financial entity concerned;
establishes an Oversight Forum to:
discuss relevant developments on ICT risk and vulnerabilities and promote a consistent EU monitoring approach,
assess oversight activities annually, promote moves to increase digital operational resilience and foster best practices,
submit comprehensive benchmarks for critical ICT third-party service providers;
mandates the lead overseer to:
be the primary contact point for critical ICT third-party service providers,
assess whether each critical provider has comprehensive, sound and effective rules, procedures, mechanisms and arrangements in place,
request all relevant information and documentation, conduct investigations and inspections (including in non-EU countries), specify remedial action and issue recommendations;
Under Delegated Regulation (EU) 2024/1502, ICT third-party service providers may be designated as critical and brought under the direct oversight of the ESAs following a two-step assessment.
Step1– quantitative criteria
The provider must meet measurable thresholds, such as:
the number of financial entities, or the share of their total assets, that depend on the provider’s services;
whether its services can be replaced, or whether switching to another provider would be difficult or costly.
Step2– qualitative criteria
Providers that satisfy step 1 are then assessed against broader considerations, including:
the potential systemic impact if their services were disrupted;
the degree of interdependence among financial entities using the same provider;
the criticality of the functions supported;
reliance on common subcontractors.
A provider is designated as critical only when it fulfils the criteria under both steps.
Information-sharing arrangements
Financial entities may exchange among themselves cyber-threat information and intelligence, provided that this:
aims to strengthen their digital operational resilience;
occurs within their trusted communities;
protects business confidentiality and personal data, and respects competition policy rules.
Penalties and remedial measures
Competent authorities:
have all the supervisory, investigatory and sanctioning powers needed to carry out their duties;
impose, and publish on their websites, the administrative penalties and remedial measures determined by national law.
ESAs draft regulatory technical standards for ICT risk management tools, classification and reporting of ICT-related incidents and conduct of oversight activities.
The Commission:
has the power to adopt delegated acts;
will submit, by , a review of the regulation, after consulting the ESAs and the European Systemic Risk Board, to the Parliament and the Council.
The reforms that followed the 2008 financial crisis primarily strengthened the sector’s financial stability. ICT risks were only addressed indirectly in some areas and continued to pose a challenge to the operational resilience, performance and stability of the EU financial system.
The regulation, known as DORA, is part of a larger digital finance package aiming to foster technological development and ensure financial stability and consumer protection. Its other elements cover a digital finance strategy, markets in crypto assets and distributed ledger technology.
Regulation (EU) 2022/2554 of the European Parliament and of the Council of on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, , pp. 1–79).
RELATED DOCUMENTS
Commission Delegated Regulation (EU) 2024/1502 of supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities (OJ L, 2024/1502, ).
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU (COM(2020) 591 final, ).
Regulation (EU) 2016/1011 of the European Parliament and of the Council of on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 (OJ L 171, , pp. 1–65).
Successive amendments to Regulation (EU) 2016/1011 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) No 909/2014 of the European Parliament and of the Council of on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, , pp. 1–72).
Regulation (EU) No 600/2014 of the European Parliament and of the Council of on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, , pp. 84–148).
Regulation (EU) No 648/2012 of the European Parliament and of the Council of on OTC derivatives, central counterparties and trade repositories (OJ L 201, , pp. 1–59).