Digital Operational Resilience Act (DORA) DORA DORA ACT

Article 3 Digital Operational Resilience Act (DORA), Definitions

by Sneha Naskar

The Digital Operational Resilience Act (DORA) establishes a comprehensive framework for enhancing digital resilience within the financial sector. This regulatory framework provides definitions and key concepts essential for understanding and implementing the requirements related to ICT risk management, cybersecurity, and operational continuity. The following sections outline these definitions, which are crucial for ensuring that financial entities maintain robust systems and practices to safeguard their operations against various ICT-related risks and threats.

Article 3 Digital Operational Resilience Act (DORA), Definitions

Definitions and Key Concepts Under the Digital Operational Resilience Act (DORA)

  • Digital operational resilience: The ability of a financial entity to build, assure, and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
  • Network and information system: This means that the network and information system are defined in point (1) of Article 4 of Directive (EU) No 2016/1148.
  • Security of network and information systems: This means the security of network and information systems as defined in point (2) of Article 4 of Directive (EU) No 2016/1148.
  • ICT risk: Means any reasonably identifiable circumstance in relation to the use of network and information systems - including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event - which, if materialised, may compromise the security of the network and information systems, of any technology-dependant tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects.
  • Information asset: This means a collection of information, either tangible or intangible, that is worth protecting.
  • ICT-related incident: This means an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity.
  • Major ICT-related incident: This means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity.
  • Cyber threat: Means ‘cyber threat’ as defined in point (8) of Article 2 Regulation (EU) 2019/881 of the European Parliament and of the Council.
  • Cyber-attack: This means a malicious ICT-related incident by means of an attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset perpetrated by any threat actor.
  • Threat intelligence: Means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and which brings relevant and sufficient understanding for mitigating the impact of an ICT-related incident or cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations.
  • Defence-in-depth: This means an ICT-related strategy integrating people, processes and technology to establish a variety of barriers across multiple layers and dimensions of the entity.
  • Vulnerability: Means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by a threat.
  • Threat led penetration testing: This means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the entity’s critical live production systems.
  • ICT third-party risk: This Means ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by further sub-contractors of the latter.
  • ICT third-party service provider: Means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council.
  • ICT services: Means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services.
  • Critical or important function: Means a function whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or the soundness or continuity of its services and activities.
  • Critical ICT third-party service provider: This means an ICT third-party service provider designated in accordance with Article 29 and subject to the Oversight Framework referred to in Articles 30 to 37.
  • ICT third-party service provider established in a third country: This means an ICT third-party service provider that is a legal person established in a third-country, has not set up business/presence in the Union, and has entered into a contractual arrangement with a financial entity for the provision of ICT services.
  • ICT sub-contractor established in a third country: This means an ICT sub-contractor that is a legal person established in a third-country, has not set up business/presence in the Union and has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country.
  • ICT concentration risk: This means exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole, to deliver critical functions, or to suffer other type of adverse effects, including large losses.
  • Management body: Means a management body as defined in point (36) of Article 4(1) of Directive 2014/65/EU, point (7) of Article 3(1) of Directive 2013/36/EU, point (s) of Article 2(1) of Directive 2009/65/EC, point (45) of Article 2(1) of Regulation (EU) No 909/2014, point (20) of Article 3(1) of Regulation (EU) 2016/1011 of the European Parliament and of the Council, point (u) of Article 3(1) of Regulation (EU) 20xx/xx of the European Parliament and of the Council [MICA] or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national legislation.
  • Credit institution: Means a credit institution as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council.
  • Investment firm: Means an investment firm as defined in point (1) of Article 4(1) of Directive 2014/65/EU.
  • Payment institution: Means a payment institution as defined in point (d) of Article 1(1) of Directive (EU) 2015/2366.
  • Electronic money institution: Means an electronic money institution as defined in point (1) of Article 2 of Directive 2009/110/EC of the European Parliament and of the Council.
DORA Compliance Framework
  • Central counterparty: Means a central counterparty as defined in point (1) of Article 2 of Regulation (EU) No 648/2012.
  • Trade repository: Means a trade repository as defined in point (2) of Article 2 of Regulation (EU) No 648/2012.
  • Central securities depository: This means a central securities depository as defined in point (1) of Article 2(1) of Regulation 909/2014.
  • Trading venue: This means a trading venue as defined in point (24) of Article 4(1) of Directive 2014/65/EU.
  • Manager of alternative investment funds: This means a manager of alternative investment funds as defined in point (b) of Article 4(1) of Directive 2011/61/EU.
  • Management company: This means a management company as defined in point (b) of Article 2(1) of Directive 2009/65/EC.
  • Data reporting service provider: This means a data reporting service provider as defined in point (63) of Article (4)(1) of Directive 2014/65/EU.
  • Insurance undertaking: This means an insurance undertaking as defined in point (1) of Article 13 of Directive 2009/138/EC.
  • Reinsurance undertaking: Means a reinsurance undertaking as defined in point (4) of Article 13 of Directive 2009/138/EC.
  • Insurance intermediary: This means an insurance intermediary as defined in point (3) of Article 2 of Directive (EU) 2016/97.
  • Ancillary insurance intermediary: This means ancillary insurance intermediary as defined in point (4) of Article 2 of Directive (EU) 2016/97.
  • Reinsurance intermediary: This means a reinsurance intermediary as defined in point (5) of Article 2 of Directive (EU) 2016/97.
  • Institution for occupational retirement pensions: Means institution for occupational retirement pensions as defined in point (6) of Article 1 of Directive 2016/2341.
  • Credit rating agency: This means a credit rating agency as defined in point (2) of Article 3(1) of Regulation (EU) 2019/2175.
  • Statutory auditor: This means a statutory auditor as defined in Article 2(1) of Directive 2014/56/EU.
  • Audit firm: This means an audit firm as defined in point (1) of Article 2 of Regulation (EU) No 537/2014.
  • Crypto-asset service provider: This means a crypto-asset service provider as defined in Article 1(2) of Regulation (EU) 2020/1003.
  • Issuer of crypto-assets: Means issuer of crypto-assets as defined in Article 1(3) of Regulation (EU) 2020/1003.
  • Issuer of asset-referenced tokens: This means the issuer of asset-referenced tokens as defined in Article 1(4) of Regulation (EU) 2020/1003.
  • Issuer of significant asset-referenced tokens: This means the issuer of significant asset-referenced tokens as defined in Article 1(5) of Regulation (EU) 2020/1003.
  • Administrator of critical benchmarks: Means administrator of critical benchmarks as defined in Article 3(1) of Regulation (EU) 2016/1011.
  • Crowdfunding service provider: This means a crowdfunding service provider as defined in point (1) of Article 4(1) of Regulation (EU) 2020/1503.
  • Securitisation repository: This means a securitisation repository as defined in point (3) of Article 2 of Regulation (EU) 2017/2402.
  • Digital service provider: This means a digital service provider as defined in Article 2(1) of Directive (EU) 2015/1535.
DORA Compliance Framework
More from: Digital Operational Resilience Act (DORA) DORA DORA ACT
Back to DORA Articles