Obligations in scope
Article 12 — central securities depositories
Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs. Action required: maintain.
Article 12 — central securities depositories
The secondary processing site of central securities depositories shall be located at a geographical distance from the primary processing site to ensure a distinct risk profile. Action required: locate.
Article 12 — central securities depositories
The secondary processing site of central securities depositories shall be capable of ensuring continuity of critical or important functions identically to the primary site or providing necessary service levels. Action required: ensure.
Article 12 — central securities depositories
The secondary processing site of central securities depositories shall be immediately accessible to staff to ensure continuity of critical or important functions if the primary site is unavailable. Action required: ensure.
Article 61 — CSD
A CSD shall identify sources of operational risk, both internal and external, and minimise their impact through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2022/2554. Action required: identify.
Article 61 — CSD
A CSD shall minimise the impact of operational risks through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates. Action required: minimise.
Article 61 — CSD
For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554. Action required: establish.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 12 — maintain (central securities depositories)
- Art 12 — locate (central securities depositories)
- Art 12 — ensure (central securities depositories)
- Art 61 — identify (CSD)
- Art 61 — minimise (CSD)
- Art 61 — establish (CSD)
- Art 61 — provide (CSD)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 12 | central securities depositories | — | — |
| Art 12 | central securities depositories | — | — |
| Art 12 | central securities depositories | — | — |
| Art 12 | central securities depositories | — | — |
| Art 61 | CSD | — | — |
| Art 61 | CSD | — | — |
| Art 61 | CSD | — | — |
| Art 61 | CSD | — | — |
| Art 61 | CSD | — | — |
| Art 61 | CSD | — | — |
Penalty exposure
None of the 13 obligations on this page carry an explicit penalty figure in the DORA text itself — the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DORA's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
DORA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- DORA Art 11 ↔ GDPR Art 17 (medium) — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
- DORA Art 18 ↔ Data Act Art 18 (high) — [entity affected: Financial entities acting as data holders] DORA requires classification and reporting of ICT incidents based on specific criteria, while the Data Act requires anonymization or pseudonymization of data before sharing with public bodies, potentially conflicting if incident data contains personal data that must be preserved for forensic analysis under DORA.
- DORA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on interception or surveillance of communications without user consent.
- DORA Art 12 ↔ ePrivacy Directive Art 6 (high) — [entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased or anonymized once no longer needed for transmission, creating tension over retention periods.
- DORA Art 18 ↔ GDPR Art 33 (high) — [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.
Related Fontvera pages
- dora article 9 financial entities
- dora obligations financial services
- dora obligations ict services
- dora obligations ict third party
Check your full compliance exposure with the 5-minute Fontvera diagnostic →