§ DORA · Article 20
DORA Article 20: Obligations, Deadlines & Penalties
At a glance
Article 20 of the DORA imposes 7 obligations on Commission, ESAs (European Supervisory Authorities). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 20
Obligation 1
The ESAs, through the Joint Committee and in consultation with ENISA and the ECB, shall develop common draft regulatory technical standards to establish report content for major ICT-related incidents, determine time limits for notifications, and establish content for significant cyber threat notifications.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 2
When developing draft regulatory technical standards, the ESAs shall take into account the size, overall risk profile, nature, scale, and complexity of the financial entity's services, activities, and operations.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
take into account
- Deadline
-
—
- Penalty
-
—
Obligation 3
The ESAs shall develop common draft implementing technical standards to establish standard forms, templates, and procedures for financial entities to report major ICT-related incidents and notify significant cyber threats.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 4
The ESAs shall submit the common draft regulatory technical standards and common draft implementing technical standards to the Commission.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
17 July 2024
- Penalty
-
—
Obligation 5
The Commission shall adopt the common regulatory technical standards referred to in point (a) by exercising delegated power in accordance with specified regulations.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
Commission
- Sector scope
- Financial sector
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
Obligation 6
The Commission shall adopt the common implementing technical standards referred to in point (b) by exercising conferred power in accordance with specified regulations.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
Commission
- Sector scope
- Financial sector
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
Obligation 7
The ESAs shall provide justification when deviating from the approaches taken in the context of Directive (EU) 2022/2555.
Regulation (EU) 2022/2554, Article 20, Article 20
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
provide justification
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 20
Who must comply with Article 20 of the DORA?
+
Commission, ESAs (European Supervisory Authorities).
What does Article 20 of the DORA require?
+
develop take into account submit
What is the compliance deadline for DORA Article 20?
+
17 July 2024