§ DORA · Article 24
DORA Article 24: Obligations, Deadlines & Penalties
At a glance
Article 24 of the DORA imposes 8 obligations on financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 24
Obligation 1
Financial entities, other than microenterprises, shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 2
The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with Articles 25 and 26.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 3
When conducting the digital operational resilience testing programme, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) and other relevant factors.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
follow
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 4
Financial entities, other than microenterprises, shall ensure that tests are undertaken by independent parties, whether internal or external.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 5
Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 6
Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 7
Financial entities, other than microenterprises, shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 8
Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
Regulation (EU) 2022/2554, Article 24, Article 24
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
at least yearly
- Penalty
-
—
- Exemptions
- microenterprises
§ Frequently asked
Questions about Article 24
Who must comply with Article 24 of the DORA?
+
financial entities.
What does Article 24 of the DORA require?
+
establish include follow
What is the compliance deadline for DORA Article 24?
+
at least yearly