§ DORA · Article 19
DORA Article 19: Obligations, Deadlines & Penalties
At a glance
Article 19 of the DORA imposes 17 obligations on Competent authority, Credit institutions classified as significant, Financial entities and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 19
Obligation 1
Financial entities shall report major ICT-related incidents to the relevant competent authority in accordance with paragraph 4.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
report
- Deadline
-
—
- Penalty
-
—
Obligation 2
Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article where a financial entity is subject to supervision by more than one national competent authority.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Member States
- Sector scope
- Financial sector
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 3
Credit institutions classified as significant shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Credit institutions classified as significant
- Sector scope
- Banking
- Action required
-
report
- Deadline
-
—
- Penalty
-
—
Obligation 4
The relevant national competent authority shall immediately transmit the report of major ICT-related incidents from significant credit institutions to the ECB.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Relevant national competent authority
- Sector scope
- Banking
- Action required
-
transmit
- Deadline
-
immediately
- Penalty
-
—
Obligation 5
Financial entities shall produce the initial notification and reports using the templates referred to in Article 20 after collecting and analysing all relevant information.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
produce
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall submit the initial notification and reports to the competent authority.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
—
- Penalty
-
—
Obligation 7
In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 8
The initial notification and reports shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 9
Financial entities shall, without undue delay as soon as they become aware of it, inform their clients about the major ICT-related incident and about the measures that have been taken to mitigate the adverse effects of such incident where it has an impact on the financial interests of clients.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
inform
- Deadline
-
without undue delay as soon as they become aware of it
- Penalty
-
—
Obligation 10
In the case of a significant cyber threat, financial entities shall, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 11
Financial entities shall, within the time limits to be laid down in accordance with Article 20, submit an initial notification to the relevant competent authority.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
within the time limits to be laid down in accordance with Article 20
- Penalty
-
—
Obligation 12
Financial entities shall submit an intermediate report after the initial notification as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
as soon as the status of the original incident has changed significantly
- Penalty
-
—
Obligation 13
Financial entities shall submit updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
every time a relevant status update is available
- Penalty
-
—
Obligation 14
Financial entities shall submit a final report when the root cause analysis has been completed and when the actual impact figures are available to replace estimates.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
when the root cause analysis has been completed
- Penalty
-
—
Obligation 15
In case of outsourcing reporting obligations to a third-party service provider, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
remain responsible
- Deadline
-
—
- Penalty
-
—
Obligation 16
Upon receipt of the initial notification and of each report, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to EBA, ESMA or EIOPA.
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Competent authority
- Sector scope
- Financial sector
- Action required
-
provide
- Deadline
-
in a timely manner
- Penalty
-
—
Obligation 17
Upon receipt of the initial notification and of each report, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to the ECB in the case of financial entities referred to in Article 2(1), points (a), (b) and (d).
Regulation (EU) 2022/2554, Article 19, Article 19
- Obligated entity
-
Competent authority
- Sector scope
- Financial sector
- Action required
-
provide
- Deadline
-
in a timely manner
- Penalty
-
—
§ Frequently asked
Questions about Article 19
Who must comply with Article 19 of the DORA?
+
Competent authority, Credit institutions classified as significant, Financial entities, Member States, Relevant national competent authority.
What does Article 19 of the DORA require?
+
report designate transmit
What is the compliance deadline for DORA Article 19?
+
as soon as the status of the original incident has changed significantly; every time a relevant status update is available; immediately; in a timely manner; when the root cause analysis has been completed; within the time limits to be laid down in accordance with Article 20; without undue delay as soon as they become aware of it