Source: OJ L 333, 27.12.2022, pp. 153–163
Article 5 Amendments to Directive 2014/59/EU
Summary: What does Article 5 of the DORA directive say?
This article amends Directive 2014/59/EU, the Bank Recovery and Resolution Directive (BRRD), to embed digital operational resilience considerations into the resolution planning framework.
It updates the requirements around recovery and resolution plans, ensuring that institutions must now account for their network and information systems, ICT third-party dependencies, and the results of digital operational resilience testing as part of their resolvability assessments.
The article also tasks EBA with reviewing and updating its regulatory technical standards to align with DORA's requirements.
Important points:
- Ensure your resolution planning documentation explicitly covers the digital operational resilience of network and information systems supporting critical functions and core business lines.
- Identify critical ICT third-party service providers within your resolution planning materials, alongside system owners and service level agreements.
- EBA is required to review and, where appropriate, update its regulatory technical standards to take account of the provisions of Chapter II of Regulation (EU) 2022/2554.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Directive 2014/59/EU is amended as follows:
Article 10 is amended as follows:
in paragraph 7, point (c) is replaced by the following:
‘a demonstration of how critical functions and core business lines could be legally and economically separated, to the extent necessary, from other functions so as to ensure continuity and digital operational resilience upon the failure of the institution;’;
in paragraph 7, point (q) is replaced by the following:
‘a description of essential operations and systems for maintaining the continuous functioning of the institution’s operational processes, including network and information systems as referred to in Regulation (EU) 2022/2554 of the European Parliament and of the Council (19);’;
in paragraph 9, the following subparagraph is added:
‘In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards in order to, inter alia, take account of the provisions of Chapter II of Regulation (EU) 2022/2554.’;
the Annex is amended as follows:
in Section A, point (16) is replaced by the following:
‘arrangements and measures necessary to maintain the continuous functioning of the institution’s operational processes, including network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554;’;
Section B is amended as follows:
point (14) is replaced by the following:
‘an identification of the owners of the systems identified in point (13), service level agreements related thereto, and any software and systems or licenses, including a mapping to their legal entities, critical operations and core business lines, as well as an identification of critical ICT third-party service providers as defined in Article 3, point (23), of Regulation (EU) 2022/2554;’;
the following point is inserted:
‘the results of institutions’ digital operational resilience testing under Regulation (EU) 2022/2554;’;
Section C is amended as follows:
point (4) is replaced by the following:
‘the extent to which the service agreements, including contractual arrangements on the use of ICT services, that the institution maintains are robust and fully enforceable in the event of resolution of the institution;’;
the following point is inserted:
‘the digital operational resilience of the network and information systems supporting critical functions and core business lines of the institution, taking into account major ICT-related incident reports and the results of digital operational resilience testing under Regulation (EU) 2022/2554;’.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.