§ DORA · Article 26
DORA Article 26: Obligations, Deadlines & Penalties
At a glance
Article 26 of the DORA imposes 14 obligations on Competent authorities, Credit institutions, ESAs and 2 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 26
Obligation 1
Financial entities, excluding those in Article 16(1) and microenterprises, shall carry out advanced testing by means of TLPT at least every 3 years.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Size threshold
- not microenterprises
- Sector scope
- Financial sector
- Action required
-
carry out
- Deadline
-
at least every 3 years
- Penalty
-
—
- Exemptions
- Entities referred to in Article 16(1) and microenterprises
Obligation 2
Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including outsourced services.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall assess which critical or important functions need to be covered by the TLPT, with the result determining the precise scope and being validated by competent authorities.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 4
Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take necessary measures and safeguards to ensure their participation and retain full responsibility for compliance.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 5
Financial entities shall apply effective risk management controls to mitigate risks of impact on data, damage to assets, and disruption to critical functions, with cooperation from ICT third-party service providers and testers.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
apply
- Deadline
-
—
- Penalty
-
—
Obligation 6
At the end of testing, the financial entity and external testers shall provide the designated authority a summary of findings, remediation plans, and documentation demonstrating compliance.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
provide
- Deadline
-
At the end of the testing
- Penalty
-
—
Obligation 7
The financial entity shall notify the relevant competent authority of the attestation, the summary of relevant findings, and the remediation plans.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 8
Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
contract
- Deadline
-
—
- Penalty
-
—
Obligation 9
When financial entities use internal testers for TLPT, they shall contract external testers every three tests.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
contract
- Deadline
-
every three tests
- Penalty
-
—
Obligation 10
Credit institutions classified as significant shall only use external testers in accordance with Article 27(1), points (a) to (e).
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Credit institutions
- Size threshold
- classified as significant
- Sector scope
- Credit institutions
- Action required
-
use
- Deadline
-
—
- Penalty
-
—
Obligation 11
Competent authorities shall identify financial entities that are required to perform TLPT taking into account criteria set out in Article 4(2).
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Competent authorities
- Sector scope
- Financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 12
Member States may designate a single public authority in the financial sector to be responsible for TLPT-related matters and shall entrust it with all competences and tasks.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
Member States
- Sector scope
- Financial sector
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 13
The ESAs shall develop joint draft regulatory technical standards in accordance with the TIBER-EU framework to specify criteria, requirements, and cooperation needs for TLPT.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
ESAs
- Sector scope
- Financial sector
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 14
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
Regulation (EU) 2022/2554, Article 26, Article 26
- Obligated entity
-
ESAs
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
17 July 2024
- Penalty
-
—
§ Frequently asked
Questions about Article 26
Who must comply with Article 26 of the DORA?
+
Competent authorities, Credit institutions, ESAs, Financial entities, Member States.
What does Article 26 of the DORA require?
+
carry out identify assess
What is the compliance deadline for DORA Article 26?
+
17 July 2024; At the end of the testing; at least every 3 years; every three tests