Obligations in scope
Article 10 — Financial entities
Financial entities shall have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. Action required: have in place.
Article 10 — Financial entities
All detection mechanisms referred to in paragraph 1 shall be regularly tested in accordance with Article 25. Action required: test. Deadline: regularly.
Article 10 — Financial entities
The detection mechanisms shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff. Action required: enable.
Article 10 — Financial entities
Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks. Action required: monitor.
Article 10 — Data reporting service providers
Data reporting service providers shall have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports. Action required: have in place.
Article 14 — financial entities
Financial entities shall have in place crisis communication plans enabling a responsible disclosure of major ICT-related incidents or vulnerabilities to clients, counterparts, and the public as appropriate. Action required: have in place.
Article 14 — financial entities
Financial entities shall implement communication policies for internal staff and for external stakeholders, differentiating between staff involved in ICT risk management and staff that needs to be informed. Action required: implement.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 10 — have in place (Financial entities)
- Art 10 — test (Financial entities)
- Art 10 — enable (Financial entities)
- Art 10 — monitor (Financial entities)
- Art 14 — implement (financial entities)
- Art 14 — task (financial entities)
- Art 18 — classify (Financial entities)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 10 | Financial entities | — | — |
| Art 10 | Financial entities | regularly | — |
| Art 10 | Financial entities | — | — |
| Art 10 | Financial entities | — | — |
| Art 10 | Data reporting service providers | — | — |
| Art 14 | financial entities | — | — |
| Art 14 | financial entities | — | — |
| Art 14 | financial entities | — | — |
| Art 18 | Financial entities | — | — |
| Art 18 | Financial entities | — | — |
Penalty exposure
None of the 251 obligations on this page carry an explicit penalty figure in the DORA text itself — the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DORA's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
DORA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- DORA Art 11 ↔ GDPR Art 17 (medium) — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
- DORA Art 18 ↔ Data Act Art 18 (high) — [entity affected: Financial entities acting as data holders] DORA requires classification and reporting of ICT incidents based on specific criteria, while the Data Act requires anonymization or pseudonymization of data before sharing with public bodies, potentially conflicting if incident data contains personal data that must be preserved for forensic analysis under DORA.
- DORA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on interception or surveillance of communications without user consent.
- DORA Art 12 ↔ ePrivacy Directive Art 6 (high) — [entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased or anonymized once no longer needed for transmission, creating tension over retention periods.
- DORA Art 18 ↔ GDPR Art 33 (high) — [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.
Related Fontvera pages
- dora article 9 financial entities
- dora obligations central securities depositories
- dora obligations ict services
- dora obligations ict third party
Check your full compliance exposure with the 5-minute Fontvera diagnostic →