§ DORA · Article 6
DORA Article 6: Obligations, Deadlines & Penalties
At a glance
Article 6 of the DORA imposes 18 obligations on Financial entities, Internal auditors. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 6
Obligation 1
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system to address ICT risk quickly, efficiently and comprehensively.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 2
The ICT risk management framework shall include strategies, policies, procedures, ICT protocols and tools necessary to protect all information assets, ICT assets, and relevant physical components from risks including damage and unauthorised access.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools in accordance with their ICT risk management framework.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
deploy
- Deadline
-
—
- Penalty
-
—
Obligation 4
Financial entities shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
provide
- Deadline
-
upon request
- Penalty
-
—
Obligation 5
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function to avoid conflicts of interest.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
assign
- Deadline
-
—
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 6
Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model or an internal risk management and control model.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
review
- Deadline
-
at least once a year
- Penalty
-
—
Obligation 8
The ICT risk management framework shall be continuously improved on the basis of lessons derived from implementation and monitoring.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
improve
- Deadline
-
continuously
- Penalty
-
—
Obligation 9
A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
submit
- Deadline
-
upon request
- Penalty
-
—
Obligation 10
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Size threshold
- other than microenterprises
- Sector scope
- Financial sector
- Action required
-
audit
- Deadline
-
regular basis
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 11
Internal auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Internal auditors
- Sector scope
- Financial sector
- Action required
-
possess
- Deadline
-
—
- Penalty
-
—
Obligation 12
The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
conduct
- Deadline
-
—
- Penalty
-
—
Obligation 13
Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 14
The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented, including methods to address ICT risk and attain specific ICT objectives.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 15
The digital operational resilience strategy shall explain how the ICT risk management framework supports the financial entity’s business strategy and objectives.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
explain
- Deadline
-
—
- Penalty
-
—
Obligation 16
The digital operational resilience strategy shall establish the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analyse the impact tolerance for ICT disruptions.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 17
The digital operational resilience strategy shall set out clear information security objectives, including key performance indicators and key risk metrics.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
set out
- Deadline
-
—
- Penalty
-
—
Obligation 18
The digital operational resilience strategy shall explain the ICT reference architecture and any changes needed to reach specific business objectives.
Regulation (EU) 2022/2554, Article 6, Article 6
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
explain
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 6
Who must comply with Article 6 of the DORA?
+
Financial entities, Internal auditors.
What does Article 6 of the DORA require?
+
establish include deploy
What is the compliance deadline for DORA Article 6?
+
at least once a year; continuously; regular basis; upon request