DORA

RTS ICT Risk Management
RTS ICT Incident classification
RTS Third Party ICT service policy
ITS Register of Information
RTS Harmonization of conditions enabling the conduct of oversight activities
RTS Joint examination teams
RTS & ITS Major incident reporting
RTS Subcontracting ICT services
RTS Threat-led penetration testing
GUIDELINES Estimation of aggregated annual costs and losses
GUIDELINES Oversight cooperation and information exchange

CHAPTER II - ICT risk management
Article 05 - Governance and organisation
Article 06 - ICT risk management framework
Article 07 - ICT systems, protocols and tools
Article 08 - Identification
Article 09 - Protection and prevention
Article 10 - Detection
Article 11 - Response and recovery
Article 12 - Backup policies and procedures, restoration and recovery procedures and methods
Article 13 - Learning and evolving
Article 14 - Communication
Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 - Simplified ICT risk management framework

CHAPTER III - ICT-related incident management, classification and reporting
Article 17 - ICT-related incident management process
Article 18 - Classification of ICT-related incidents and cyber threats
Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 - Harmonisation of reporting content and templates
Article 21 - Centralisation of reporting of major ICT-related incidents
Article 22 - Supervisory feedback
Article 23 - Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

CHAPTER V - Managing of ICT third-party risk
Article 28 - General principles
Article 29 - Preliminary assessment of ICT concentration risk at entity level
Article 30 - Key contractual provisions
Article 31 - Designation of critical ICT third-party service providers
Article 32 - Structure of the Oversight Framework
Article 33 - Tasks of the Lead Overseer
Article 34 - Operational coordination between Lead Overseers
Article 35 - Powers of the Lead Overseer
Article 36 - Exercise of the powers of the Lead Overseer outside the Union
Article 37 - Request for information
Article 38 - General investigations
Article 39 - Inspections
Article 40 - Ongoing oversight
Article 41 - Harmonisation of conditions enabling the conduct of the oversight activities
Article 42 - Follow-up by competent authorities
Article 43 - Oversight fees
Article 44 - International cooperation

CHAPTER VII - Competent authorities
Article 46 - Competent authorities
Article 47 - Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 48 - Cooperation between authorities
Article 49 - Financial cross-sector exercises, communication and cooperation
Article 50 - Administrative penalties and remedial measures
Article 51 - Exercise of the power to impose administrative penalties and remedial measures
Article 52 - Criminal penalties
Article 53 - Notification duties
Article 54 - Publication of administrative penalties
Article 55 - Professional secrecy
Article 56 - Data Protection

CHAPTER IX - Transitional and final provisions
Article 58 - Review clause
Article 59 - Amendments
Article 60 - Amendments to Regulation (EU) No 648/2012
Article 60 - Amendments to Regulation (EU) No 648/2012; (1)
Article 60 - Amendments to Regulation (EU) No 648/2012; (2)
Article 60 - Amendments to Regulation (EU) No 648/2012; (3)
Article 60 - Amendments to Regulation (EU) No 648/2012; (4)
Article 60 - Amendments to Regulation (EU) No 648/2012; (5)
Article 60 - Amendments to Regulation (EU) No 648/2012; (6)
Article 60 - Amendments to Regulation (EU) No 648/2012; (7)
Article 61 - Amendments to Regulation (EU) No 909/2014
Article 61 - Amendments to Regulation (EU) No 909/2014; (1)
Article 61 - Amendments to Regulation (EU) No 909/2014; (2)
Article 61 - Amendments to Regulation (EU) No 909/2014; (3)
Article 61 - Amendments to Regulation (EU) No 909/2014; (4)
Article 61 - Amendments to Regulation (EU) No 909/2014; (5)
Article 62 - Amendments to Regulation (EU) No 600/2014
Article 62 - Amendments to Regulation (EU) No 600/2014; (1)
Article 62 - Amendments to Regulation (EU) No 600/2014; (2)
Article 62 - Amendments to Regulation (EU) No 600/2014; (3)
Article 63 - Amendment to Regulation (EU) 2016/1011
Article 64 - Entry into force and application

Article 04 - Proportionality principle

1) Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

2) In addition, the application by financial entities of Chapters III, IV and V, Section I, shall be proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations, as specifically provided for in the relevant rules of those Chapters.

3) The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2).