Article 1 of the Digital Operational Resilience Act (DORA): Subject matter
Article 1 of the Digital Operational Resilience Act (DORA) establishes key requirements and frameworks for managing digital operational resilience across financial entities. Here's a breakdown of the provisions:
1. This Regulation establishes uniform requirements to ensure the security of network and information systems that support the business processes of financial entities, aiming to achieve a high common level of digital operational resilience. These requirements include:
(a) Requirements Applicable to Financial Entities
1. ICT Risk Management: Financial entities must implement a comprehensive ICT risk management framework. This framework should encompass strategies, policies, and procedures to identify, assess, and mitigate ICT risks. It should address internal and external ICT vulnerabilities, safeguard information assets, and ensure continuous operational resilience.
2. Reporting of Major ICT-related Incidents: Entities are required to report major ICT-related incidents to competent authorities promptly. This reporting must include detailed information on the nature, impact, and response to the incident, enabling regulators to assess and respond to systemic risks effectively.
3. Digital Operational Resilience Testing: Financial entities must regularly test their digital operational resilience. This includes simulating various ICT disruptions and assessing the effectiveness of their response mechanisms. Such testing helps identify weaknesses and ensure preparedness for potential ICT incidents.
4. Information and Intelligence Sharing: Entities must engage in information sharing about cyber threats and vulnerabilities. This involves collaborating with other financial entities and relevant bodies to exchange information on emerging threats and best practices for mitigating them.
5. Managing ICT Third-Party Risks: Financial entities must implement measures to manage risks associated with ICT third-party service providers. This includes assessing the security and resilience of third-party services, establishing clear contractual obligations, and monitoring third-party performance.
(b) Contractual Arrangements with ICT Third-Party Service Providers
Financial entities are required to establish robust contractual arrangements with ICT third-party service providers. Contracts must clearly define the service provider's responsibilities, performance expectations, and security requirements. These agreements should ensure that third parties comply with the entity's digital operational resilience standards and facilitate effective oversight.
(c) Oversight Framework for Critical ICT Third-Party Providers
There must be an oversight framework for critical ICT third-party service providers. This framework ensures that these providers adhere to stringent operational and security standards when delivering services to financial entities. The oversight involves regular assessments, audits, and monitoring to ensure that critical providers maintain high levels of resilience and compliance.
(d) Cooperation and Supervision by Competent Authorities
DORA mandates cooperation among competent authorities to ensure effective supervision and enforcement of the regulation. Authorities must work together to share information, coordinate responses, and ensure compliance across the financial sector. This cooperation is essential for addressing systemic risks and maintaining overall financial stability.
2. Regarding financial entities identified as operators of essential services under national rules transposing Article 5 of Directive (EU) 2016/1148, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 1(7) of that Directive.
This article outlines the scope and objectives of the Digital Operational Resilience Act (DORA), focusing on enhancing digital operational resilience across financial entities through comprehensive ICT risk management, incident reporting, testing, information sharing, management of ICT third-party risks, oversight of critical ICT service providers, and regulatory cooperation among competent authorities.