Article 1, Subject Matter, Digital Operational Resilience Act (DORA)

Jul 14, 2024 by Kira Hk

Overview

1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:

(a) requirements applicable to financial entities in relation to:

(i) information and communication technology (ICT) risk management;

(ii) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;

(iii) reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);

(iv) digital operational resilience testing;

(v) information and intelligence sharing in relation to cyber threats and vulnerabilities;

(vi) measures for the sound management of ICT third-party risk;

(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;

(c) rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;

(d) rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

2. In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.

3. This Regulation is without prejudice to the responsibility of Member States regarding essential State functions concerning public security, defence and national security in accordance with Union law.

Summary of Article 1

Article 1 of the Digital Operational Resilience Act (DORA) establishes a comprehensive framework to enhance the digital resilience of financial entities by laying down uniform requirements for the security of the network and information systems that support their business processes. It outlines key obligations, including ICT risk management, mandatory reporting of major ICT-related incidents and of major operational or security payment-related incidents, and voluntary notification of significant cyber threats to competent authorities. DORA also mandates digital operational resilience testing, promotes information and intelligence sharing on cyber threats and vulnerabilities, and emphasizes sound management of ICT third-party risk.

Additionally, the Regulation specifies requirements for contracts between financial entities and ICT third-party service providers and introduces an Oversight Framework for critical third-party providers serving financial entities. It also includes rules for cooperation, supervision, and enforcement by competent authorities. For financial entities deemed essential or important under Directive (EU) 2022/2555, DORA is recognized as a sector-specific legal act, ensuring alignment with broader Union-level resilience objectives. Importantly, DORA respects the autonomy of Member States in managing essential state functions related to public security, defence, and national security, in compliance with Union law. Overall, Article 1 establishes DORA’s scope and purpose, ensuring a robust and unified approach to digital operational resilience across the EU financial sector.