§ DORA · Article 5
DORA Article 5: Obligations, Deadlines & Penalties
At a glance
Article 5 of the DORA imposes 13 obligations on Financial entities, Management body of the financial entity, Members of the management body of the financial entity.
§ Obligations
All obligations under Article 5
Obligation 1
Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 2
The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
define
- Deadline
-
—
- Penalty
-
—
Obligation 3
The management body shall bear the ultimate responsibility for managing the financial entity’s ICT risk.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
bear responsibility
- Deadline
-
—
- Penalty
-
—
Obligation 4
The management body shall put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality of data.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
put in place
- Deadline
-
—
- Penalty
-
—
Obligation 5
The management body shall set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
set
- Deadline
-
—
- Penalty
-
—
Obligation 6
The management body shall bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
approve
- Deadline
-
—
- Penalty
-
—
Obligation 7
The management body shall approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
review
- Deadline
-
—
- Penalty
-
—
Obligation 8
The management body shall approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
review
- Deadline
-
—
- Penalty
-
—
Obligation 9
The management body shall allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including ICT security awareness programmes and training.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
allocate
- Deadline
-
—
- Penalty
-
—
Obligation 10
The management body shall approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
review
- Deadline
-
—
- Penalty
-
—
Obligation 11
The management body shall put in place, at corporate level, reporting channels enabling it to be duly informed of arrangements with ICT third-party service providers, planned material changes, their impact, and major ICT-related incidents.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
put in place
- Deadline
-
—
- Penalty
-
—
Obligation 12
Financial entities, other than microenterprises, shall establish a role to monitor arrangements with ICT third-party service providers or designate a member of senior management as responsible for overseeing the related risk exposure and documentation.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 13
Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact, including by following specific training on a regular basis.
Regulation (EU) 2022/2554, Article 5, Article 5
- Obligated entity
-
Members of the management body of the financial entity
- Sector scope
- Financial sector
- Action required
-
keep up to date
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 5
Who must comply with Article 5 of the DORA?
+
Financial entities, Management body of the financial entity, Members of the management body of the financial entity.
What does Article 5 of the DORA require?
+
establish define bear responsibility