Source: OJ L 333, 27.12.2022, pp. 153–163
Article 4 Amendments to Directive 2013/36/EU
Summary: What does Article 4 of the DORA directive say?
Article 4 amends Directive 2013/36/EU (the Capital Requirements Directive) to align it with DORA.
It makes several targeted changes across different provisions of that Directive, collectively ensuring that institutions' governance, business continuity, supervisory review, and third-party oversight obligations now explicitly incorporate and cross-reference DORA's requirements.
Rather than creating new standalone rules, this article effectively plugs DORA into the existing CRD framework.
Important points:
- Institutions must set up and manage network and information systems in accordance with DORA as part of their broader governance arrangements.
- Competent authorities are required to ensure that institutions' contingency and business continuity plans, including ICT-specific plans, are established, managed, and tested in accordance with Article 11 of DORA.
- Risks revealed by digital operational resilience testing under DORA must now be included within the supervisory review and evaluation process for institutions.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Directive 2013/36/EU is amended as follows:
in Article 65(3), point (a)(vi) is replaced by the following:
‘third parties to whom the entities referred to in points (i) to (iv) have outsourced functions or activities, including ICT third-party service providers referred to in Chapter V of Regulation (EU) 2022/2554 of the European Parliament and of the Council(18);’;
in Article 74(1), the first subparagraph is replaced by the following:
‘Institutions shall have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554, and remuneration policies and practices that are consistent with and promote sound and effective risk management.’;
in Article 85, paragraph 2 is replaced by the following:
‘Competent authorities shall ensure that institutions have adequate contingency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technology they use for the communication of information, and that those plans are established, managed and tested in accordance with Article 11 of Regulation (EU) 2022/2554, in order to allow institutions to keep operating in the event of severe business disruption and limit losses incurred as a consequence of such disruption.’;
in Article 97(1), the following point is added:
‘risks revealed by digital operational resilience testing in accordance with Chapter IV of Regulation (EU) 2022/2554.’.
This Springlex text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.