§ DORA · Article 8
DORA Article 8: Obligations, Deadlines & Penalties
At a glance
Article 8 of the DORA imposes 10 obligations on financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 8
Obligation 1
Identify, classify and adequately document all ICT supported business functions, roles and responsibilities, information assets, ICT assets, and their dependencies in relation to ICT risk.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 2
Review the adequacy of the classification and relevant documentation of ICT supported business functions and assets as needed, and at least yearly.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
review
- Deadline
-
at least yearly
- Penalty
-
—
Obligation 3
On a continuous basis, identify all sources of ICT risk, including risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to ICT supported business functions and assets.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
identify
- Deadline
-
continuous basis
- Penalty
-
—
Obligation 4
Review on a regular basis, and at least yearly, the risk scenarios impacting the financial entity.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
review
- Deadline
-
at least yearly
- Penalty
-
—
Obligation 5
Perform a risk assessment upon each major change in the network and information system infrastructure, or in processes/procedures affecting ICT supported business functions, information assets, or ICT assets.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
upon each major change
- Penalty
-
—
- Exemptions
- microenterprises
Obligation 6
Identify all information assets and ICT assets, including those on remote sites, network resources, and hardware equipment, and map those considered critical.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 7
Map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
map
- Deadline
-
—
- Penalty
-
—
Obligation 8
Identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with providers supporting critical or important functions.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 9
Maintain relevant inventories for ICT supported business functions, assets, and third-party dependencies, and update them periodically and every time any major change occurs.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
maintain
- Deadline
-
periodically and upon major change
- Penalty
-
—
Obligation 10
Conduct a specific ICT risk assessment on all legacy ICT systems on a regular basis, and at least yearly, and in any case before and after connecting technologies, applications, or systems.
Regulation (EU) 2022/2554, Article 8, Article 8
- Obligated entity
-
financial entities
- Size threshold
- other than microenterprises
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
at least yearly and before/after connecting systems
- Penalty
-
—
- Exemptions
- microenterprises
§ Frequently asked
Questions about Article 8
Who must comply with Article 8 of the DORA?
+
financial entities.
What does Article 8 of the DORA require?
+
identify review assess
What is the compliance deadline for DORA Article 8?
+
at least yearly; at least yearly and before/after connecting systems; continuous basis; periodically and upon major change; upon each major change