§ DORA · Article 26

DORA Article 26: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 26 · All obligations · DORA
At a glance
Article 26 of the DORA imposes 14 obligations on Competent authorities, Credit institutions, ESAs and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 26

Obligation 1
Financial entities, excluding those in Article 16(1) and microenterprises, shall carry out advanced testing by means of TLPT at least every 3 years. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Size threshold
not microenterprises
Sector scope
Financial sector
Action required
carry out
Deadline
at least every 3 years
Penalty
Exemptions
Entities referred to in Article 16(1) and microenterprises
Obligation 2
Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including outsourced services. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
identify
Deadline
Penalty
Obligation 3
Financial entities shall assess which critical or important functions need to be covered by the TLPT, with the result determining the precise scope and being validated by competent authorities. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
assess
Deadline
Penalty
Obligation 4
Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take necessary measures and safeguards to ensure their participation and retain full responsibility for compliance. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
ensure
Deadline
Penalty
Obligation 5
Financial entities shall apply effective risk management controls to mitigate risks of impact on data, damage to assets, and disruption to critical functions, with cooperation from ICT third-party service providers and testers. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
apply
Deadline
Penalty
Obligation 6
At the end of testing, the financial entity and external testers shall provide the designated authority a summary of findings, remediation plans, and documentation demonstrating compliance. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
provide
Deadline
At the end of the testing
Penalty
Obligation 7
The financial entity shall notify the relevant competent authority of the attestation, the summary of relevant findings, and the remediation plans. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
notify
Deadline
Penalty
Obligation 8
Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
contract
Deadline
Penalty
Obligation 9
When financial entities use internal testers for TLPT, they shall contract external testers every three tests. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
contract
Deadline
every three tests
Penalty
Obligation 10
Credit institutions classified as significant shall only use external testers in accordance with Article 27(1), points (a) to (e). Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Credit institutions
Size threshold
classified as significant
Sector scope
Credit institutions
Action required
use
Deadline
Penalty
Obligation 11
Competent authorities shall identify financial entities that are required to perform TLPT taking into account criteria set out in Article 4(2). Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Competent authorities
Sector scope
Financial sector
Action required
identify
Deadline
Penalty
Obligation 12
Member States may designate a single public authority in the financial sector to be responsible for TLPT-related matters and shall entrust it with all competences and tasks. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
Member States
Sector scope
Financial sector
Action required
designate
Deadline
Penalty
Obligation 13
The ESAs shall develop joint draft regulatory technical standards in accordance with the TIBER-EU framework to specify criteria, requirements, and cooperation needs for TLPT. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
ESAs
Sector scope
Financial sector
Action required
develop
Deadline
Penalty
Obligation 14
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024. Regulation (EU) 2022/2554, Article 26, Article 26
Obligated entity
ESAs
Sector scope
Financial sector
Action required
submit
Deadline
17 July 2024
Penalty
§ Frequently asked

Questions about Article 26

Who must comply with Article 26 of the DORA? +
Competent authorities, Credit institutions, ESAs, Financial entities, Member States.
What does Article 26 of the DORA require? +
carry out identify assess
What is the compliance deadline for DORA Article 26? +
17 July 2024; At the end of the testing; at least every 3 years; every three tests
Need a cross-border briefing on DORA Article 26?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles