§ DORA · Article 16

DORA Article 16: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 16 · All obligations · DORA
At a glance
Article 16 of the DORA imposes 12 obligations on ESAs (European Supervisory Authorities), and small institutions for occupational retirement provision, exempted electronic money institutions and 3 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 16

Obligation 1
Put in place and maintain a sound and documented ICT risk management framework that details mechanisms and measures for quick, efficient, and comprehensive management of ICT risk, including protection of relevant physical components and infrastructures. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
put in place and maintain
Deadline
Penalty
Obligation 2
Continuously monitor the security and functioning of all ICT systems. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
monitor
Deadline
Penalty
Obligation 3
Minimise the impact of ICT risk through the use of sound, resilient, and updated ICT systems, protocols, and tools appropriate to support activities and protect data availability, authenticity, integrity, and confidentiality. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
minimise
Deadline
Penalty
Obligation 4
Allow sources of ICT risk and anomalies in network and information systems to be promptly identified and detected, and ensure ICT-related incidents are swiftly handled. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
identify and detect
Deadline
Penalty
Obligation 5
Identify key dependencies on ICT third-party service providers. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
identify
Deadline
Penalty
Obligation 6
Ensure the continuity of critical or important functions through business continuity plans and response and recovery measures, including at least back-up and restoration measures. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
Obligation 7
Test, on a regular basis, the business continuity plans and measures, as well as the effectiveness of controls implemented for ICT risk management and minimisation. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
test
Deadline
Penalty
Obligation 8
Implement relevant operational conclusions from tests and post-incident analysis into the ICT risk assessment process, and develop ICT security awareness programmes and digital operational resilience training for staff and management according to needs and risk profile. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
implement and develop
Deadline
Penalty
Obligation 9
Document and review the ICT risk management framework periodically and upon the occurrence of major ICT-related incidents in compliance with supervisory instructions, and continuously improve it based on lessons derived from implementation and monitoring. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
document and review
Deadline
Penalty
Obligation 10
Submit a report on the review of the ICT risk management framework to the competent authority upon its request. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
Size threshold
small
Sector scope
financial sector
Action required
submit
Deadline
Penalty
Obligation 11
Develop common draft regulatory technical standards to specify elements of the ICT risk management framework, systems/protocols/tools, business continuity plans, testing rules, and review report content/format, taking into account entity size and risk profile. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
financial sector
Action required
develop
Deadline
Penalty
Obligation 12
Submit draft regulatory technical standards to the Commission. Regulation (EU) 2022/2554, Article 16, Article 16
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
financial sector
Action required
submit
Deadline
17 January 2024
Penalty
§ Frequently asked

Questions about Article 16

Who must comply with Article 16 of the DORA? +
ESAs (European Supervisory Authorities), and small institutions for occupational retirement provision, exempted electronic money institutions, exempted institutions under Directive 2013/36/EU, exempted payment institutions, small and non-interconnected investment firms.
What does Article 16 of the DORA require? +
put in place and maintain monitor minimise
What is the compliance deadline for DORA Article 16? +
17 January 2024
Need a cross-border briefing on DORA Article 16?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles