§ DORA · Article 17

DORA Article 17: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 17 · All obligations · DORA
At a glance
Article 17 of the DORA imposes 9 obligations on Financial entities.
§ Obligations

All obligations under Article 17

Obligation 1
Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
define, establish and implement
Deadline
Penalty
Obligation 2
Financial entities shall record all ICT-related incidents and significant cyber threats. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
record
Deadline
Penalty
Obligation 3
Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
establish
Deadline
Penalty
Obligation 4
The ICT-related incident management process shall put in place early warning indicators. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
put in place
Deadline
Penalty
Obligation 5
The ICT-related incident management process shall establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1). Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
establish
Deadline
Penalty
Obligation 6
The ICT-related incident management process shall assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
assign
Deadline
Penalty
Obligation 7
The ICT-related incident management process shall set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
set out
Deadline
Penalty
Obligation 8
The ICT-related incident management process shall ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
report
Deadline
Penalty
Obligation 9
The ICT-related incident management process shall establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner. Regulation (EU) 2022/2554, Article 17, Article 17
Obligated entity
Financial entities
Sector scope
financial sector
Action required
establish
Deadline
Penalty
§ Frequently asked

Questions about Article 17

Who must comply with Article 17 of the DORA? +
Financial entities.
What does Article 17 of the DORA require? +
define, establish and implement record establish
Need a cross-border briefing on DORA Article 17?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles