§ DORA · Article 12

DORA Article 12: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 12 · All obligations · DORA
At a glance
Article 12 of the DORA imposes 18 obligations on central counterparties, central securities depositories, data reporting service providers and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 12

Obligation 1
Financial entities shall develop and document backup policies and procedures specifying the scope of data subject to backup and minimum frequency based on criticality or confidentiality. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
develop and document
Deadline
Penalty
Obligation 2
Financial entities shall develop and document restoration and recovery procedures and methods as part of their ICT risk management framework. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
develop and document
Deadline
Penalty
Obligation 3
Financial entities shall set up backup systems that can be activated in accordance with backup policies and procedures, ensuring activation does not jeopardise security or data integrity. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
set up
Deadline
Penalty
Obligation 4
Financial entities shall undertake periodic testing of backup procedures and restoration and recovery procedures and methods. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
test
Deadline
periodically
Penalty
Obligation 5
When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
use
Deadline
Penalty
Obligation 6
Financial entities shall ensure ICT systems used for restoring backup data are securely protected from unauthorised access or ICT corruption and allow timely restoration of services. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
ensure
Deadline
Penalty
Obligation 7
Central counterparties shall ensure recovery plans enable the recovery of all transactions at the time of disruption to allow continued operation and settlement on the scheduled date. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
central counterparties
Sector scope
central counterparties
Action required
ensure
Deadline
Penalty
Obligation 8
Data reporting service providers shall maintain adequate resources and have back-up and restoration facilities in place to offer and maintain their services at all times. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
data reporting service providers
Sector scope
data reporting service providers
Action required
maintain
Deadline
Penalty
Obligation 9
Financial entities, other than microenterprises, shall maintain redundant ICT capacities equipped with resources, capabilities and functions adequate to ensure business needs. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Size threshold
other than microenterprises
Action required
maintain
Deadline
Penalty
Exemptions
microenterprises
Obligation 10
Microenterprises shall assess the need to maintain redundant ICT capacities based on their risk profile. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
microenterprises
Size threshold
microenterprises
Action required
assess
Deadline
Penalty
Obligation 11
Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
central securities depositories
Sector scope
central securities depositories
Action required
maintain
Deadline
Penalty
Obligation 12
The secondary processing site of central securities depositories shall be located at a geographical distance from the primary processing site to ensure a distinct risk profile. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
central securities depositories
Sector scope
central securities depositories
Action required
locate
Deadline
Penalty
Obligation 13
The secondary processing site of central securities depositories shall be capable of ensuring continuity of critical or important functions identically to the primary site or providing necessary service levels. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
central securities depositories
Sector scope
central securities depositories
Action required
ensure
Deadline
Penalty
Obligation 14
The secondary processing site of central securities depositories shall be immediately accessible to staff to ensure continuity of critical or important functions if the primary site is unavailable. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
central securities depositories
Sector scope
central securities depositories
Action required
ensure
Deadline
Penalty
Obligation 15
Financial entities shall take into account whether a function is critical or important and the potential overall impact on market efficiency when determining recovery time and recovery point objectives. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
take into account
Deadline
Penalty
Obligation 16
Financial entities shall ensure that recovery time objectives ensure agreed service levels are met in extreme scenarios. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
ensure
Deadline
Penalty
Obligation 17
When recovering from an ICT-related incident, financial entities shall perform necessary checks, including multiple checks and reconciliations, to ensure the highest level of data integrity. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
perform
Deadline
Penalty
Obligation 18
Financial entities shall perform checks when reconstructing data from external stakeholders to ensure all data is consistent between systems. Regulation (EU) 2022/2554, Article 12, Article 12
Obligated entity
financial entities
Action required
perform
Deadline
Penalty
§ Frequently asked

Questions about Article 12

Who must comply with Article 12 of the DORA? +
central counterparties, central securities depositories, data reporting service providers, financial entities, microenterprises.
What does Article 12 of the DORA require? +
develop and document set up test
What is the compliance deadline for DORA Article 12? +
periodically
Need a cross-border briefing on DORA Article 12?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles