Article 55, Professional Secrecy, Digital Operational Resilience Act (DORA)

by Sneha Naskar

Overview

1. Any confidential information received, exchanged or transmitted pursuant to this Regulation shall be subject to the conditions of professional secrecy laid down in paragraph 2.

2. The obligation of professional secrecy applies to all persons who work, or who have worked, for the competent authorities pursuant to this Regulation, or for any authority or market undertaking or natural or legal person to whom those competent authorities have delegated their powers, including auditors and experts contracted by them.

3. Information covered by professional secrecy, including the exchange of information among competent authorities under this Regulation and competent authorities designated or established in accordance with Directive (EU) 2022/2555, shall not be disclosed to any other person or authority except by virtue of provisions laid down by Union or national law.

4. All information exchanged between the competent authorities pursuant to this Regulation that concerns business or operational conditions and other economic or personal affairs shall be considered confidential and shall be subject to the requirements of professional secrecy, except where the competent authority states, at the time of communication, that such information may be disclosed or where such disclosure is necessary for legal proceedings.

Summary Of Article 55

Article 55 of the Digital Operational Resilience Act (DORA) mandates that all confidential information exchanged or received under the regulation must adhere to professional secrecy rules. This obligation applies to individuals working for competent authorities or those delegated authority under DORA, including auditors and experts.

The professional secrecy obligation covers information exchanged among competent authorities, including those designated or established under Directive (EU) 2022/2555, and prohibits disclosure to any other person or authority except as provided by Union or national law.

Additionally, any information related to business, operational conditions, or personal and economic affairs shared between competent authorities is treated as confidential. Disclosure can only occur if expressly authorized by the competent authority or if required for legal proceedings.

This article ensures the protection of sensitive information and upholds confidentiality while allowing for disclosure in specific legal circumstances, balancing regulatory transparency with privacy and security.

