§ DORA · Article 9

DORA Article 9: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 9 · All obligations · DORA
At a glance
Article 9 of the DORA imposes 19 obligations on financial entities.
§ Obligations

All obligations under Article 9

Obligation 1
Financial entities shall continuously monitor and control the security and functioning of ICT systems and tools. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
monitor
Deadline
Penalty
Obligation 2
Financial entities shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
deploy
Deadline
Penalty
Obligation 3
Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
implement
Deadline
Penalty
Obligation 4
Financial entities shall maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
maintain
Deadline
Penalty
Obligation 5
Financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4 to ensure the security of the means of transfer of data. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
use
Deadline
Penalty
Obligation 6
Financial entities shall use ICT solutions and processes that minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
minimise
Deadline
Penalty
Obligation 7
Financial entities shall use ICT solutions and processes that prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
prevent
Deadline
Penalty
Obligation 8
Financial entities shall use ICT solutions and processes that ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
protect
Deadline
Penalty
Obligation 9
Financial entities shall develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 10
Financial entities shall establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
establish
Deadline
Penalty
Obligation 11
Financial entities shall implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
implement
Deadline
Penalty
Obligation 12
Financial entities shall establish a set of policies, procedures and controls that address access rights and ensure a sound administration thereof. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
establish
Deadline
Penalty
Obligation 13
Financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
implement
Deadline
Penalty
Obligation 14
Financial entities shall implement protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
implement
Deadline
Penalty
Obligation 15
Financial entities shall implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
implement
Deadline
Penalty
Obligation 16
Financial entities shall ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
verify
Deadline
Penalty
Obligation 17
Financial entities shall have appropriate and comprehensive documented policies for patches and updates. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 18
Financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
design
Deadline
Penalty
Obligation 19
The ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place. Regulation (EU) 2022/2554, Article 9, Article 9
Obligated entity
financial entities
Sector scope
financial sector
Action required
approve
Deadline
Penalty
§ Frequently asked

Questions about Article 9

Who must comply with Article 9 of the DORA? +
financial entities.
What does Article 9 of the DORA require? +
monitor deploy implement
Need a cross-border briefing on DORA Article 9?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles