Digital Operational Resilience Act (DORA)
Obligations Covered
ICT Risk Management
Requirements
| Requirement | Details |
|---|---|
| ICT risk management framework | Comprehensive framework for identifying, assessing, and mitigating ICT risks |
| Governance | Management body must approve and oversee the ICT risk management framework |
| Business continuity | Establish ICT business continuity and disaster recovery plans |
| Cyber risk management | Address cybersecurity risks as part of the ICT risk framework |
Penalties
| Violation | Fine |
|---|---|
| Non-compliance | Determined by national competent authorities per member state law |
ICT Incident Reporting
Requirements
| Requirement | Details |
|---|---|
| Classify incidents | Classify ICT-related incidents using ESA criteria |
| Major incident reporting | Notify competent authorities of major ICT incidents |
| Reporting thresholds | >24 hours duration, >2 hours critical service disruption, ≥2 EU states affected, or >EUR 100,000 economic impact |
| Voluntary threat reporting | Encouraged to report significant cyber threats |
Penalties
| Violation | Fine |
|---|---|
| Non-compliance | Determined by national competent authorities per member state law |
Digital Operational Resilience Testing
Requirements
| Requirement | Details |
|---|---|
| Resilience testing program | Conduct regular testing of ICT systems and tools |
| Threat-led penetration testing | Significant entities must perform TLPT aligned with TIBER-EU |
| Documentation and remediation | Document test results and remediate identified vulnerabilities |
| Register of ICT contracts | Maintain and submit register of third-party ICT contracts to authorities |
Penalties
| Violation | Fine |
|---|---|
| Non-compliance | Determined by national competent authorities per member state law |
Third-Party ICT Risk Management
Requirements
| Requirement | Details |
|---|---|
| Contractual requirements | Key contractual provisions for ICT third-party service agreements |
| Concentration risk | Assess and manage concentration risk from third-party ICT dependencies |
| Critical provider oversight | Designated critical third-party providers (CTPPs) subject to ESA oversight |
| Exit strategies | Maintain exit strategies for critical ICT third-party services |
Penalties
| Violation | Fine |
|---|---|
| CTPP non-compliance | ESAs may impose periodic penalty payments on critical third-party providers |