§ DORA · Article 12
DORA Article 12: Obligations, Deadlines & Penalties
At a glance
Article 12 of the DORA imposes 18 obligations on central counterparties, central securities depositories, data reporting service providers and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 12
Obligation 1
Financial entities shall develop and document backup policies and procedures specifying the scope of data subject to backup and minimum frequency based on criticality or confidentiality.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
develop and document
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities shall develop and document restoration and recovery procedures and methods as part of their ICT risk management framework.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
develop and document
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall set up backup systems that can be activated in accordance with backup policies and procedures, ensuring activation does not jeopardise security or data integrity.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
set up
- Deadline
-
—
- Penalty
-
—
Obligation 4
Financial entities shall undertake periodic testing of backup procedures and restoration and recovery procedures and methods.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
test
- Deadline
-
periodically
- Penalty
-
—
Obligation 5
When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
use
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall ensure ICT systems used for restoring backup data are securely protected from unauthorised access or ICT corruption and allow timely restoration of services.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
Central counterparties shall ensure recovery plans enable the recovery of all transactions at the time of disruption to allow continued operation and settlement on the scheduled date.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
central counterparties
- Sector scope
- central counterparties
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 8
Data reporting service providers shall maintain adequate resources and have back-up and restoration facilities in place to offer and maintain their services at all times.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
data reporting service providers
- Sector scope
- data reporting service providers
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 9
Financial entities, other than microenterprises, shall maintain redundant ICT capacities equipped with resources, capabilities and functions adequate to ensure business needs.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 10
Microenterprises shall assess the need to maintain redundant ICT capacities based on their risk profile.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
microenterprises
- Size threshold
- microenterprises
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 11
Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
central securities depositories
- Sector scope
- central securities depositories
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 12
The secondary processing site of central securities depositories shall be located at a geographical distance from the primary processing site to ensure a distinct risk profile.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
central securities depositories
- Sector scope
- central securities depositories
- Action required
-
locate
- Deadline
-
—
- Penalty
-
—
Obligation 13
The secondary processing site of central securities depositories shall be capable of ensuring continuity of critical or important functions identically to the primary site or providing necessary service levels.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
central securities depositories
- Sector scope
- central securities depositories
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 14
The secondary processing site of central securities depositories shall be immediately accessible to staff to ensure continuity of critical or important functions if the primary site is unavailable.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
central securities depositories
- Sector scope
- central securities depositories
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 15
Financial entities shall take into account whether a function is critical or important and the potential overall impact on market efficiency when determining recovery time and recovery point objectives.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
take into account
- Deadline
-
—
- Penalty
-
—
Obligation 16
Financial entities shall ensure that recovery time objectives ensure agreed service levels are met in extreme scenarios.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 17
When recovering from an ICT-related incident, financial entities shall perform necessary checks, including multiple checks and reconciliations, to ensure the highest level of data integrity.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
perform
- Deadline
-
—
- Penalty
-
—
Obligation 18
Financial entities shall perform checks when reconstructing data from external stakeholders to ensure all data is consistent between systems.
Regulation (EU) 2022/2554, Article 12, Article 12
- Obligated entity
-
financial entities
- Action required
-
perform
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 12
Who must comply with Article 12 of the DORA?
+
central counterparties, central securities depositories, data reporting service providers, financial entities, microenterprises.
What does Article 12 of the DORA require?
+
develop and document set up test
What is the compliance deadline for DORA Article 12?
+
periodically