§ DORA · Article 16
DORA Article 16: Obligations, Deadlines & Penalties
At a glance
Article 16 of the DORA imposes 12 obligations on ESAs (European Supervisory Authorities), and small institutions for occupational retirement provision, exempted electronic money institutions and 3 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 16
Obligation 1
Put in place and maintain a sound and documented ICT risk management framework that details mechanisms and measures for quick, efficient, and comprehensive management of ICT risk, including protection of relevant physical components and infrastructures.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
put in place and maintain
- Deadline
-
—
- Penalty
-
—
Obligation 2
Continuously monitor the security and functioning of all ICT systems.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
Obligation 3
Minimise the impact of ICT risk through the use of sound, resilient, and updated ICT systems, protocols, and tools appropriate to support activities and protect data availability, authenticity, integrity, and confidentiality.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
minimise
- Deadline
-
—
- Penalty
-
—
Obligation 4
Allow sources of ICT risk and anomalies in network and information systems to be promptly identified and detected, and ensure ICT-related incidents are swiftly handled.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
identify and detect
- Deadline
-
—
- Penalty
-
—
Obligation 5
Identify key dependencies on ICT third-party service providers.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 6
Ensure the continuity of critical or important functions through business continuity plans and response and recovery measures, including at least back-up and restoration measures.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
Test, on a regular basis, the business continuity plans and measures, as well as the effectiveness of controls implemented for ICT risk management and minimisation.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
test
- Deadline
-
—
- Penalty
-
—
Obligation 8
Implement relevant operational conclusions from tests and post-incident analysis into the ICT risk assessment process, and develop ICT security awareness programmes and digital operational resilience training for staff and management according to needs and risk profile.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
implement and develop
- Deadline
-
—
- Penalty
-
—
Obligation 9
Document and review the ICT risk management framework periodically and upon the occurrence of major ICT-related incidents in compliance with supervisory instructions, and continuously improve it based on lessons derived from implementation and monitoring.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
document and review
- Deadline
-
—
- Penalty
-
—
Obligation 10
Submit a report on the review of the ICT risk management framework to the competent authority upon its request.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
small and non-interconnected investment firms, exempted payment institutions, exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision
- Size threshold
- small
- Sector scope
- financial sector
- Action required
-
submit
- Deadline
-
—
- Penalty
-
—
Obligation 11
Develop common draft regulatory technical standards to specify elements of the ICT risk management framework, systems/protocols/tools, business continuity plans, testing rules, and review report content/format, taking into account entity size and risk profile.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- financial sector
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 12
Submit draft regulatory technical standards to the Commission.
Regulation (EU) 2022/2554, Article 16, Article 16
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- financial sector
- Action required
-
submit
- Deadline
-
17 January 2024
- Penalty
-
—
§ Frequently asked
Questions about Article 16
Who must comply with Article 16 of the DORA?
+
ESAs (European Supervisory Authorities), and small institutions for occupational retirement provision, exempted electronic money institutions, exempted institutions under Directive 2013/36/EU, exempted payment institutions, small and non-interconnected investment firms.
What does Article 16 of the DORA require?
+
put in place and maintain monitor minimise
What is the compliance deadline for DORA Article 16?
+
17 January 2024