§ DORA · Article 6

DORA Article 6: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 6 · All obligations · DORA
At a glance
Article 6 of the DORA imposes 18 obligations on Financial entities, Internal auditors. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 6

Obligation 1
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system to address ICT risk quickly, efficiently and comprehensively. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Obligation 2
The ICT risk management framework shall include strategies, policies, procedures, ICT protocols and tools necessary to protect all information assets, ICT assets, and relevant physical components from risks including damage and unauthorised access. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
include
Deadline
Penalty
Obligation 3
Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools in accordance with their ICT risk management framework. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
deploy
Deadline
Penalty
Obligation 4
Financial entities shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
provide
Deadline
upon request
Penalty
Obligation 5
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function to avoid conflicts of interest. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
assign
Deadline
Penalty
Exemptions
microenterprises
Obligation 6
Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model or an internal risk management and control model. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
ensure
Deadline
Penalty
Obligation 7
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
review
Deadline
at least once a year
Penalty
Obligation 8
The ICT risk management framework shall be continuously improved on the basis of lessons derived from implementation and monitoring. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
improve
Deadline
continuously
Penalty
Obligation 9
A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
submit
Deadline
upon request
Penalty
Obligation 10
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Size threshold
other than microenterprises
Sector scope
Financial sector
Action required
audit
Deadline
regular basis
Penalty
Exemptions
microenterprises
Obligation 11
Internal auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Internal auditors
Sector scope
Financial sector
Action required
possess
Deadline
Penalty
Obligation 12
The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
conduct
Deadline
Penalty
Obligation 13
Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Obligation 14
The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, including methods to address ICT risk and attain specific ICT objectives. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
include
Deadline
Penalty
Obligation 15
The digital operational resilience strategy shall explain how the ICT risk management framework supports the financial entity’s business strategy and objectives. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
explain
Deadline
Penalty
Obligation 16
The digital operational resilience strategy shall establish the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analyse the impact tolerance for ICT disruptions. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
establish
Deadline
Penalty
Obligation 17
The digital operational resilience strategy shall set out clear information security objectives, including key performance indicators and key risk metrics. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
set out
Deadline
Penalty
Obligation 18
The digital operational resilience strategy shall explain the ICT reference architecture and any changes needed to reach specific business objectives. Regulation (EU) 2022/2554, Article 6, Article 6
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
explain
Deadline
Penalty
§ Frequently asked

Questions about Article 6

Who must comply with Article 6 of the DORA? +
Financial entities, Internal auditors.
What does Article 6 of the DORA require? +
establish include deploy
What is the compliance deadline for DORA Article 6? +
at least once a year; continuously; regular basis; upon request
Need a cross-border briefing on DORA Article 6?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles