Source: OJ L 333, 27.12.2022, p. 1–79
Digital operational resilience in the financial sector (DORA regulation)
Article 1 Subject matter
1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:
(a) requirements applicable to financial entities in relation to:
(i) information and communication technology (ICT) risk management;
(ii) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
(iii) reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
(iv) digital operational resilience testing;
(v) information and intelligence sharing in relation to cyber threats and vulnerabilities;
(vi) measures for the sound management of ICT third-party risk;
(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
(c) rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;
(d) rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.
2. In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.
3. This Regulation is without prejudice to the responsibility of Member States regarding essential State functions concerning public security, defence and national security in accordance with Union law.
Terms used in this Article, as defined in Article 3 of this Regulation:
- ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;
- ‘security of network and information systems’ means security of network and information systems as defined in Article 6, point 2, of Directive (EU) 2022/2555;
- ‘major ICT-related incident’ means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;
- ‘significant cyber threat’ means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;
- ‘major operational or security payment-related incident’ means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided;
- ‘cyber threat’ means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;
- ‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;
- ‘ICT third-party risk’ means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;
- ‘ICT third-party service provider’ means an undertaking providing ICT services;
- ‘critical ICT third-party service provider’ means an ICT third-party service provider designated as critical in accordance with Article 31.