§ DORA · Article 8

DORA Article 8: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 8 · All obligations · DORA
At a glance
Article 8 of the DORA imposes 10 obligations on financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 8

Obligation 1
Identify, classify and adequately document all ICT supported business functions, roles and responsibilities, information assets, ICT assets, and their dependencies in relation to ICT risk. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
identify
Deadline
Penalty
Obligation 2
Review the adequacy of the classification and relevant documentation of ICT supported business functions and assets as needed, and at least yearly. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
review
Deadline
at least yearly
Penalty
Obligation 3
On a continuous basis, identify all sources of ICT risk, including risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to ICT supported business functions and assets. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
identify
Deadline
continuous basis
Penalty
Obligation 4
Review on a regular basis, and at least yearly, the risk scenarios impacting the financial entity. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
review
Deadline
at least yearly
Penalty
Obligation 5
Perform a risk assessment upon each major change in the network and information system infrastructure, or in processes/procedures affecting ICT supported business functions, information assets, or ICT assets. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Size threshold
other than microenterprises
Sector scope
financial sector
Action required
assess
Deadline
upon each major change
Penalty
Exemptions
microenterprises
Obligation 6
Identify all information assets and ICT assets, including those on remote sites, network resources, and hardware equipment, and map those considered critical. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
identify
Deadline
Penalty
Obligation 7
Map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
map
Deadline
Penalty
Obligation 8
Identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with providers supporting critical or important functions. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
identify
Deadline
Penalty
Obligation 9
Maintain relevant inventories for ICT supported business functions, assets, and third-party dependencies, and update them periodically and every time any major change occurs. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Sector scope
financial sector
Action required
maintain
Deadline
periodically and upon major change
Penalty
Obligation 10
Conduct a specific ICT risk assessment on all legacy ICT systems on a regular basis, and at least yearly, and in any case before and after connecting technologies, applications, or systems. Regulation (EU) 2022/2554, Article 8, Article 8
Obligated entity
financial entities
Size threshold
other than microenterprises
Sector scope
financial sector
Action required
assess
Deadline
at least yearly and before/after connecting systems
Penalty
Exemptions
microenterprises
§ Frequently asked

Questions about Article 8

Who must comply with Article 8 of the DORA? +
financial entities.
What does Article 8 of the DORA require? +
identify review assess
What is the compliance deadline for DORA Article 8? +
at least yearly; at least yearly and before/after connecting systems; continuous basis; periodically and upon major change; upon each major change
Need a cross-border briefing on DORA Article 8?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles