§ DORA · Article 19

DORA Article 19: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 19 · All obligations · DORA
At a glance
Article 19 of the DORA imposes 17 obligations on Competent authority, Credit institutions classified as significant, Financial entities and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 19

Obligation 1
Financial entities shall report major ICT-related incidents to the relevant competent authority in accordance with paragraph 4. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
report
Deadline
Penalty
Obligation 2
Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article where a financial entity is subject to supervision by more than one national competent authority. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Member States
Sector scope
Financial sector
Action required
designate
Deadline
Penalty
Obligation 3
Credit institutions classified as significant shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Credit institutions classified as significant
Sector scope
Banking
Action required
report
Deadline
Penalty
Obligation 4
The relevant national competent authority shall immediately transmit the report of major ICT-related incidents from significant credit institutions to the ECB. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Relevant national competent authority
Sector scope
Banking
Action required
transmit
Deadline
immediately
Penalty
Obligation 5
Financial entities shall produce the initial notification and reports using the templates referred to in Article 20 after collecting and analysing all relevant information. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
produce
Deadline
Penalty
Obligation 6
Financial entities shall submit the initial notification and reports to the competent authority. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
Penalty
Obligation 7
In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
notify
Deadline
Penalty
Obligation 8
The initial notification and reports shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
include
Deadline
Penalty
Obligation 9
Financial entities shall, without undue delay as soon as they become aware of it, inform their clients about the major ICT-related incident and about the measures that have been taken to mitigate the adverse effects of such incident where it has an impact on the financial interests of clients. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
inform
Deadline
without undue delay as soon as they become aware of it
Penalty
Obligation 10
In the case of a significant cyber threat, financial entities shall, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
inform
Deadline
Penalty
Obligation 11
Financial entities shall, within the time limits to be laid down in accordance with Article 20, submit an initial notification to the relevant competent authority. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
within the time limits to be laid down in accordance with Article 20
Penalty
Obligation 12
Financial entities shall submit an intermediate report after the initial notification as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
as soon as the status of the original incident has changed significantly
Penalty
Obligation 13
Financial entities shall submit updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
every time a relevant status update is available
Penalty
Obligation 14
Financial entities shall submit a final report when the root cause analysis has been completed and when the actual impact figures are available to replace estimates. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
when the root cause analysis has been completed
Penalty
Obligation 15
In case of outsourcing reporting obligations to a third-party service provider, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
remain responsible
Deadline
Penalty
Obligation 16
Upon receipt of the initial notification and of each report, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to EBA, ESMA or EIOPA. Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Competent authority
Sector scope
Financial sector
Action required
provide
Deadline
in a timely manner
Penalty
Obligation 17
Upon receipt of the initial notification and of each report, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to the ECB in the case of financial entities referred to in Article 2(1), points (a), (b) and (d). Regulation (EU) 2022/2554, Article 19, Article 19
Obligated entity
Competent authority
Sector scope
Financial sector
Action required
provide
Deadline
in a timely manner
Penalty
§ Frequently asked

Questions about Article 19

Who must comply with Article 19 of the DORA? +
Competent authority, Credit institutions classified as significant, Financial entities, Member States, Relevant national competent authority.
What does Article 19 of the DORA require? +
report designate transmit
What is the compliance deadline for DORA Article 19? +
as soon as the status of the original incident has changed significantly; every time a relevant status update is available; immediately; in a timely manner; when the root cause analysis has been completed; within the time limits to be laid down in accordance with Article 20; without undue delay as soon as they become aware of it
Need a cross-border briefing on DORA Article 19?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles