§ DORA · Article 5

DORA Article 5: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 5 · All obligations · DORA
At a glance
Article 5 of the DORA imposes 13 obligations on Financial entities, Management body of the financial entity, Members of the management body of the financial entity.
§ Obligations

All obligations under Article 5

Obligation 1
Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Obligation 2
The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
define
Deadline
Penalty
Obligation 3
The management body shall bear the ultimate responsibility for managing the financial entity’s ICT risk. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
bear responsibility
Deadline
Penalty
Obligation 4
The management body shall put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
put in place
Deadline
Penalty
Obligation 5
The management body shall set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
set
Deadline
Penalty
Obligation 6
The management body shall bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
approve
Deadline
Penalty
Obligation 7
The management body shall approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
review
Deadline
Penalty
Obligation 8
The management body shall approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
review
Deadline
Penalty
Obligation 9
The management body shall allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including ICT security awareness programmes and training. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
allocate
Deadline
Penalty
Obligation 10
The management body shall approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
review
Deadline
Penalty
Obligation 11
The management body shall put in place, at corporate level, reporting channels enabling it to be duly informed of arrangements with ICT third-party service providers, planned material changes, their impact, and major ICT-related incidents. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Management body of the financial entity
Sector scope
Financial sector
Action required
put in place
Deadline
Penalty
Obligation 12
Financial entities, other than microenterprises, shall establish a role to monitor arrangements with ICT third-party service providers or designate a member of senior management as responsible for overseeing the related risk exposure and documentation. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Exemptions
microenterprises
Obligation 13
Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact, including by following specific training on a regular basis. Regulation (EU) 2022/2554, Article 5, Article 5
Obligated entity
Members of the management body of the financial entity
Sector scope
Financial sector
Action required
keep up to date
Deadline
Penalty
§ Frequently asked

Questions about Article 5

Who must comply with Article 5 of the DORA? +
Financial entities, Management body of the financial entity, Members of the management body of the financial entity.
What does Article 5 of the DORA require? +
establish define bear responsibility
Need a cross-border briefing on DORA Article 5?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles