Source: OJ L 333, 27.12.2022, p. 1–79

Current language: EN

Article 14 Communication


Summary What does Article 14 of the DORA regulation say?

This article sits within the broader ICT risk management framework established under Article 6 and focuses specifically on communication obligations.

It requires financial entities to have crisis communication plans in place for disclosing major ICT-related incidents or vulnerabilities to clients, counterparts, and the public.

Beyond external disclosure, it also addresses internal communication, requiring separate policies that distinguish between staff who are actively involved in managing ICT risk and those who simply need to be kept informed.

Finally, it mandates that at least one designated person within the entity is responsible for executing the communication strategy and handling public and media relations during ICT-related incidents.

Important points:

  • Have crisis communication plans in place for the responsible disclosure of major ICT-related incidents or vulnerabilities to clients, counterparts, and the public.
  • Implement separate communication policies for internal staff, distinguishing between those managing ICT risk and those who only need to be informed.
  • At least one person within the financial entity must be designated to implement the ICT incident communication strategy and handle public and media functions.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate.

    1. As part of the ICT risk management framework, financial entities shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed.

    1. At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod