§ DORA · Article 13
DORA Article 13: Obligations, Deadlines & Penalties
At a glance
Article 13 of the DORA imposes 11 obligations on Financial entities, Senior ICT staff. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 13
Obligation 1
Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, and analyse the impact they are likely to have on their digital operational resilience.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
conduct
- Deadline
-
after a major ICT-related incident
- Penalty
-
—
Obligation 3
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities the changes that were implemented following post ICT-related incident reviews.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
communicate
- Deadline
-
upon request
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 4
Lessons derived from digital operational resilience testing, real life ICT-related incidents, and supervisory reviews shall be duly incorporated on a continuous basis into the ICT risk assessment process.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
incorporate
- Deadline
-
on a continuous basis
- Penalty
-
—
Obligation 5
Findings from lessons learned shall form the basis for appropriate reviews of relevant components of the ICT risk management framework.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
review
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy and map the evolution of ICT risk over time.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
Obligation 7
Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Senior ICT staff
- Sector scope
- Financial sector
- Action required
-
report
- Deadline
-
at least yearly
- Penalty
-
—
Obligation 8
Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes applicable to all employees and senior management.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 9
Where appropriate, financial entities shall include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 10
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis to understand the possible impact on ICT security requirements and digital operational resilience.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
monitor
- Deadline
-
on a continuous basis
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 11
Financial entities, other than microenterprises, shall keep up-to-date with the latest ICT risk management processes to effectively combat current or new forms of cyber-attacks.
Regulation (EU) 2022/2554, Article 13, Article 13
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
§ Frequently asked
Questions about Article 13
Who must comply with Article 13 of the DORA?
+
Financial entities, Senior ICT staff.
What does Article 13 of the DORA require?
+
establish conduct communicate
What is the compliance deadline for DORA Article 13?
+
after a major ICT-related incident; at least yearly; on a continuous basis; upon request