§ DORA · Article 13

DORA Article 13: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 13 · All obligations · DORA
At a glance
Article 13 of the DORA imposes 11 obligations on Financial entities, Senior ICT staff. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 13

Obligation 1
Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, and analyse the impact they are likely to have on their digital operational resilience. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Obligation 2
Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
conduct
Deadline
after a major ICT-related incident
Penalty
Obligation 3
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities the changes that were implemented following post ICT-related incident reviews. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
communicate
Deadline
upon request
Penalty
Exemptions
microenterprises
Obligation 4
Lessons derived from digital operational resilience testing, real life ICT-related incidents, and supervisory reviews shall be duly incorporated on a continuous basis into the ICT risk assessment process. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
incorporate
Deadline
on a continuous basis
Penalty
Obligation 5
Findings from lessons learned shall form the basis for appropriate reviews of relevant components of the ICT risk management framework. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
review
Deadline
Penalty
Obligation 6
Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy and map the evolution of ICT risk over time. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
monitor
Deadline
Penalty
Obligation 7
Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Senior ICT staff
Sector scope
Financial sector
Action required
report
Deadline
at least yearly
Penalty
Obligation 8
Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes applicable to all employees and senior management. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
develop
Deadline
Penalty
Obligation 9
Where appropriate, financial entities shall include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i). Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
include
Deadline
Penalty
Obligation 10
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis to understand the possible impact on ICT security requirements and digital operational resilience. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
monitor
Deadline
on a continuous basis
Penalty
Exemptions
microenterprises
Obligation 11
Financial entities, other than microenterprises, shall keep up-to-date with the latest ICT risk management processes to effectively combat current or new forms of cyber-attacks. Regulation (EU) 2022/2554, Article 13, Article 13
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
maintain
Deadline
Penalty
Exemptions
microenterprises
§ Frequently asked

Questions about Article 13

Who must comply with Article 13 of the DORA? +
Financial entities, Senior ICT staff.
What does Article 13 of the DORA require? +
establish conduct communicate
What is the compliance deadline for DORA Article 13? +
after a major ICT-related incident; at least yearly; on a continuous basis; upon request
Need a cross-border briefing on DORA Article 13?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles