Source: OJ L 333, 27.12.2022, p. 1–79 (language: EN)
Article 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Summary: What does Article 23 of the DORA regulation say?
This brief but important article extends the scope of the Chapter's requirements — which primarily concern ICT-related incidents — to also cover operational or security payment-related incidents.
It acts as a bridging provision, ensuring that the incident management and reporting rules established in this Chapter are not limited to purely technology-driven events, but also capture broader payment-related disruptions, whether or not they are ICT-related in origin.
Crucially, this extension does not apply to all financial entities, but only to a defined subset of payment-focused entities.
Important points:
- The incident management and reporting requirements of this Chapter apply to both operational or security payment-related incidents and major operational or security payment-related incidents — not just ICT-related ones.
- This extension applies only to credit institutions, payment institutions, account information service providers, and electronic money institutions.
- Note that the scope here covers incidents whether or not they are ICT-related in origin, broadening the reach of the Chapter's obligations for these specific entity types.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
The requirements laid down in this Chapter shall also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
Relevant recitals
Recital 23 DORA consumes PSD2 major incident reporting
To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council(12) should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents which have been previously reported pursuant to that Directive, irrespective of whether such incidents are ICT-related.
Recital 54 Payment-related incident reporting
This Regulation should require credit institutions, payment institutions, account information service providers and electronic money institutions to report all operational or security payment-related incidents – previously reported under Directive (EU) 2015/2366 – irrespective of the ICT nature of the incident.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.