§ DORA · Article 9
DORA Article 9: Obligations, Deadlines & Penalties
At a glance
Article 9 of the DORA imposes 19 obligations on financial entities.
§ Obligations
All obligations under Article 9
Obligation 1
Financial entities shall continuously monitor and control the security and functioning of ICT systems and tools.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
deploy
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 4
Financial entities shall maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 5
Financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4 to ensure the security of the means of transfer of data.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
use
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall use ICT solutions and processes that minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
minimise
- Deadline
-
—
- Penalty
-
—
Obligation 7
Financial entities shall use ICT solutions and processes that prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
prevent
- Deadline
-
—
- Penalty
-
—
Obligation 8
Financial entities shall use ICT solutions and processes that ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
protect
- Deadline
-
—
- Penalty
-
—
Obligation 9
Financial entities shall develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 10
Financial entities shall establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 11
Financial entities shall implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 12
Financial entities shall establish a set of policies, procedures and controls that address access rights and ensure a sound administration thereof.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 13
Financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 14
Financial entities shall implement protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 15
Financial entities shall implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 16
Financial entities shall ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
verify
- Deadline
-
—
- Penalty
-
—
Obligation 17
Financial entities shall have appropriate and comprehensive documented policies for patches and updates.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 18
Financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
design
- Deadline
-
—
- Penalty
-
—
Obligation 19
The ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.
Regulation (EU) 2022/2554, Article 9, Article 9
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
approve
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 9
Who must comply with Article 9 of the DORA?
+
financial entities.
What does Article 9 of the DORA require?
+
monitor deploy implement