§ DORA · Article 11
DORA Article 11: Obligations, Deadlines & Penalties
At a glance
Article 11 of the DORA imposes 15 obligations on Central securities depositories, ESAs, financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 11
Obligation 1
Financial entities shall put in place a comprehensive ICT business continuity policy as part of the ICT risk management framework.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
put in place
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms to ensure continuity of critical functions, respond to incidents, activate containment measures, estimate impacts, and set out communication actions.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall implement associated ICT response and recovery plans, which shall be subject to independent internal audit reviews for entities other than microenterprises.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises are exempt from independent internal audit reviews
Obligation 4
Financial entities shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably regarding critical or important functions outsourced to ICT third-party service providers.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
put in place
- Deadline
-
—
- Penalty
-
—
Obligation 5
Financial entities shall conduct a business impact analysis (BIA) of their exposures to severe business disruptions, assessing potential impacts using quantitative and qualitative criteria.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
conduct
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, particularly regarding the redundancy of all critical components.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
Financial entities shall test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, and in the event of substantive changes to ICT systems supporting critical or important functions.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
test
- Deadline
-
at least yearly
- Penalty
-
—
Obligation 8
Financial entities shall test the crisis communication plans established in accordance with Article 14.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
test
- Deadline
-
—
- Penalty
-
—
Obligation 9
Financial entities, other than microenterprises, shall include in the testing plans scenarios of cyber-attacks and switchovers between primary ICT infrastructure and redundant capacity.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 10
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account test results and audit recommendations.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
review
- Deadline
-
regularly
- Penalty
-
—
Obligation 11
Financial entities, other than microenterprises, shall have a crisis management function that sets out clear procedures to manage internal and external crisis communications upon activation of ICT business continuity or response plans.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
have
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 12
Financial entities shall keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
keep
- Deadline
-
—
- Penalty
-
—
Obligation 13
Central securities depositories shall provide the competent authorities with copies of the results of the ICT business continuity tests, or of similar exercises.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
Central securities depositories
- Sector scope
- financial sector
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 14
Financial entities, other than microenterprises, shall report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
report
- Deadline
-
upon request
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 15
The ESAs, through the Joint Committee, shall develop common guidelines on the estimation of aggregated annual costs and losses referred to in paragraph 10.
Regulation (EU) 2022/2554, Article 11, Article 11
- Obligated entity
-
ESAs
- Action required
-
develop
- Deadline
-
17 July 2024
- Penalty
-
—
§ Frequently asked
Questions about Article 11
Who must comply with Article 11 of the DORA?
+
Central securities depositories, ESAs, financial entities.
What does Article 11 of the DORA require?
+
put in place implement conduct
What is the compliance deadline for DORA Article 11?
+
17 July 2024; at least yearly; regularly; upon request