# Recitals

REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Central Bank,

Having regard to the opinion of the European Economic and Social Committee,

Acting in accordance with the ordinary legislative procedure,

Whereas:

## (1)

In the digital age, information and communication technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), making society as a whole, and the financial system in particular, more vulnerable to [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) or ICT disruptions.

## (2)

The use of ICT has in the past decades gained a pivotal role in the provision of financial services, to the point where it has now acquired a critical importance in the operation of typical daily functions of all financial entities. Digitalisation now covers, for instance, payments, which have increasingly moved from cash and paper-based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic trading, lending and funding operations, peer-to-peer finance, credit rating, claim management and back-office operations.

## (3)

The European Systemic Risk Board (ESRB) reaffirmed in a 2020 report addressing systemic cyber risk how the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, could constitute a systemic [vulnerability](https://www.mica.wtf/definitions/definitions/dora/vulnerability) because localised cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities to the entire financial system.

## (4)

In recent years, [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) has attracted the attention of international, Union and national policy makers, regulators and standard-setting bodies in an attempt to enhance digital resilience, set standards and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 aim to provide competent authorities and market operators across various jurisdictions with tools to bolster the resilience of their financial systems.

## (5)

Despite Union and national targeted policy and legislative initiatives, [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) continues to pose a challenge to the operational resilience, performance and stability of the Union financial system. The reforms that followed the 2008 financial crisis primarily strengthened the financial resilience of the Union financial sector and aimed to safeguard the competitiveness and stability of the Union from economic, prudential and market conduct perspectives.

## (6)

In its Communication of 8 March 2018 entitled 'FinTech Action plan: For a more competitive and innovative European financial sector', the Commission highlighted the paramount importance of making the Union financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning.

## (7)

In April 2019, the European Supervisory Authority (European Banking Authority) ('EBA') established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council, the European Supervisory Authority (European Insurance and Occupational Pensions Authority) ('EIOPA') established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council and the European Supervisory Authority (European Securities and Markets Authority) ('ESMA') established by Regulation (EU) No 1095/2010 of the European Parliament and of the Council (known collectively as 'European Supervisory Authorities' or 'ESAs') jointly issued technical advice calling for a coherent approach to [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) in finance.

## (8)

The Union financial sector is regulated by a Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) and ICT security are not yet fully or consistently harmonised, despite [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) being vital for ensuring financial stability and market integrity in the digital age.

## (9)

Legislative disparities and uneven national regulatory or supervisory approaches with regard to [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) trigger obstacles to the functioning of the internal market in financial services, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities operating on a cross-border basis.

## (10)

To date, due to the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) related provisions being only partially addressed at Union level, there are gaps or overlaps in important areas, such as [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reporting and [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing, and inconsistencies as a result of emerging divergent national rules or cost-ineffective application of overlapping rules.

## (11)

As the Single Rulebook has not been accompanied by a comprehensive ICT or operational risk framework, further harmonisation of key [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) requirements for all financial entities is required. The development of ICT capabilities and overall resilience by financial entities, based on those key requirements, with a view to withstanding operational outages, would help preserve the stability and integrity of the Union financial markets.

## (12)

This Regulation aims to consolidate and upgrade [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience.

## (13)

Financial entities should follow the same approach and the same principle-based rules when addressing [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of high reliance on ICT systems, platforms and infrastructures.

## (14)

A Regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, and also contributes to limiting compliance costs, especially for financial entities operating across borders, and to reducing competitive distortions.

## (15)

Directive (EU) 2016/1148 of the European Parliament and of the Council was the first horizontal cybersecurity framework enacted at Union level, applying also to three types of financial entities, namely [credit institutions](https://www.mica.wtf/definitions/definitions/dora/credit-institution), [trading venues](https://www.mica.wtf/definitions/definitions/dora/trading-venue) and [central counterparties](https://www.mica.wtf/definitions/definitions/dora/central-counterparty). However, since Directive (EU) 2016/1148 set out a mechanism of identification at national level of operators of essential services, only certain [credit institutions](https://www.mica.wtf/definitions/definitions/dora/credit-institution), [trading venues](https://www.mica.wtf/definitions/definitions/dora/trading-venue) and [central counterparties](https://www.mica.wtf/definitions/definitions/dora/central-counterparty) that were identified by the Member States have been brought into its scope in practice.

## (16)

However, as this Regulation increases the level of harmonisation of the various digital resilience components, by introducing requirements on [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management and [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reporting that are more stringent in comparison to those laid down in the current Union financial services law, this higher level constitutes an increased harmonisation also in comparison with the requirements laid down in Directive (EU) 2022/2555. Consequently, this Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555.

## (17)

In accordance with Article 4(2) of the Treaty on European Union and without prejudice to the judicial review by the Court of Justice, this Regulation should not affect the responsibility of Member States with regard to essential State functions concerning public security, defence and the safeguarding of national security.

## (18)

To enable cross-sector learning and to effectively draw on experiences of other sectors in dealing with [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat), the financial entities referred to in Directive (EU) 2022/2555 should remain part of the 'ecosystem' of that Directive (for example, Cooperation Group and computer security incident response teams (CSIRTs)). The ESAs and national competent authorities should be able to participate in the strategic policy discussions and the technical workings of the Cooperation Group under that Directive.

## (19)

Given the strong interlinkages between the digital resilience and the physical resilience of financial entities, a coherent approach with regard to the resilience of critical entities is necessary in this Regulation and Directive (EU) 2022/2557 of the European Parliament and of the Council. Given that the physical resilience of financial entities is addressed in a comprehensive manner by the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management and reporting obligations covered by this Regulation, the obligations laid down in Chapters III and IV of Directive (EU) 2022/2557 should not apply to financial entities falling within the scope of that Directive.

## (20)

Cloud computing service providers are one category of digital infrastructure covered by Directive (EU) 2022/2555. The Union Oversight Framework ('Oversight Framework') established by this Regulation applies to all [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), including cloud computing service providers providing [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) to financial entities, and should be considered complementary to the supervision carried out pursuant to Directive (EU) 2022/2555.

## (21)

In order to maintain full control over [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), financial entities need to have comprehensive capabilities to enable a strong and effective [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management, as well as specific mechanisms and policies for handling all [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and for reporting [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident). Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk).

## (22)

[ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through the relevant work undertaken by the European Union Agency for Cybersecurity (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council and the Cooperation Group under Directive (EU) 2022/2555, divergent approaches on setting the thresholds and use of taxonomies still exist, or can emerge, for the remainder of financial entities.

## (23)

To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, [credit institutions](https://www.mica.wtf/definitions/definitions/dora/credit-institution), e-money institutions, [payment institutions](https://www.mica.wtf/definitions/definitions/dora/payment-institution) and [account information service providers](https://www.mica.wtf/definitions/definitions/dora/account-information-service-provider) should, from the date of application of this Regulation, report pursuant to this Regulation, all [operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/operational-or-security-payment-related-incident).

## (24)

To enable competent authorities to fulfil supervisory roles by acquiring a complete overview of the nature, frequency, significance and impact of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and to enhance the exchange of information between relevant [public authorities](https://www.mica.wtf/definitions/definitions/dora/public-authority), including law enforcement authorities and resolution authorities, this Regulation should lay down a robust [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reporting regime whereby the relevant requirements address current gaps in financial services law, and remove existing overlaps and duplications.

## (25)

[Digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing complex which, in turn, can fragment the internal market.

## (26)

In addition, where no ICT testing is required, [vulnerabilities](https://www.mica.wtf/definitions/definitions/dora/vulnerability) remain undetected and result in exposing a financial entity to [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) and ultimately create a higher risk to the stability and integrity of the financial sector. Without Union intervention, [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing would continue to be inconsistent and would lack a system of mutual recognition of ICT testing results across different jurisdictions.

## (27)

Financial entities' reliance on the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) is partly driven by their need to adapt to an emerging competitive digital global economy, to boost their business efficiency and to meet consumer demand. The nature and extent of such reliance has been continuously evolving in recent years, driving cost reduction in financial intermediation, enabling business expansion and scalability in the deployment of financial activities.

## (28)

The extensive use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) is evidenced by complex contractual arrangements, whereby financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements to which they are subject, or otherwise in enforcing specific rights, such as access or audit rights.

## (29)

Even though Union financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into Union law. In the absence of clear and bespoke Union standards applying to the contractual arrangements concluded with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), the external source of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) is not comprehensively addressed.

## (30)

A certain lack of homogeneity and convergence regarding the monitoring of [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) and ICT third-party dependencies is evident today. Despite efforts to address outsourcing, such as the EBA Guidelines on outsourcing of 2019 and the ESMA Guidelines on outsourcing to cloud service providers of 2021, the broader issue of counteracting systemic risk which may be triggered by the financial sector's exposure to a limited number of [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) is not sufficiently addressed by Union law.

## (31)

Taking into account the potential systemic risk entailed by increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms in providing financial supervisors with adequate tools to quantify, qualify and redress the consequences of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) occurring at [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), it is necessary to establish an appropriate Oversight Framework allowing for a continuous monitoring of the activities of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) that are [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) to financial entities.

## (32)

With [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) becoming more and more complex and sophisticated, good measures for the detection and prevention of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) depend to a great extent on the regular sharing between financial entities of threat and [vulnerability](https://www.mica.wtf/definitions/definitions/dora/vulnerability) intelligence. Information sharing contributes to creating increased awareness of [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat). In turn, this enhances the capacity of financial entities to prevent [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) from becoming real [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and enables financial entities to more effectively contain the impact of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and to recover faster.

## (33)

In addition, doubts about the type of information that can be shared with other market participants, or with non-supervisory authorities (such as ENISA, for analytical input, or Europol, for law enforcement purposes) lead to useful information being withheld. Therefore, the extent and quality of information sharing currently remains limited and fragmented, with relevant exchanges mostly being local (by way of national initiatives) and with no consistent Union-wide information-sharing arrangements tailored to the needs of an integrated financial system.

## (34)

Financial entities should be encouraged to exchange among themselves [cyber threat](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) information and intelligence, and to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat), by participating in information sharing arrangements.

## (35)

In order to maintain a high level of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) for the whole financial sector, and at the same time to keep pace with technological developments, this Regulation should address risk stemming from all types of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services). To that end, the definition of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) in the context of this Regulation should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.

## (36)

Notwithstanding the broad coverage envisaged by this Regulation, the application of the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) rules should take into account the significant differences between financial entities in terms of their size and overall risk profile. As a general principle, when distributing resources and capabilities for the implementation of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework, financial entities should duly balance their ICT-related needs to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

## (37)

[Account information service providers](https://www.mica.wtf/definitions/definitions/dora/account-information-service-provider), referred to in Article 33(1) of Directive (EU) 2015/2366, are explicitly included in the scope of this Regulation, taking into account the specific nature of their activities and the risks arising therefrom. In addition, [electronic money institutions](https://www.mica.wtf/definitions/definitions/dora/electronic-money-institution) and [payment institutions](https://www.mica.wtf/definitions/definitions/dora/payment-institution) exempted pursuant to Article 9(1) of Directive 2009/110/EC of the European Parliament and of the Council and Article 32(1) of Directive (EU) 2015/2366 are included in the scope of this Regulation.

## (38)

As larger financial entities might enjoy wider resources and can swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities that are not [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise) in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) or for dealing with crisis management.

## (39)

Some financial entities benefit from exemptions or are subject to a very light regulatory framework under the relevant sector-specific Union law. Such financial entities include managers of alternative investment funds referred to in Article 3(2) of Directive 2011/61/EU of the European Parliament and of the Council, insurance and [reinsurance undertakings](https://www.mica.wtf/definitions/definitions/dora/reinsurance-undertaking) referred to in Article 4 of Directive 2009/138/EC of the European Parliament and of the Council, and institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total.

## (40)

Since the entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU are excluded from the scope of that Directive, Member States should consequently be able to choose to exempt from the application of this Regulation such entities located within their respective territories.

## (41)

Similarly, in order to align this Regulation to the scope of Directive 2014/65/EU of the European Parliament and of the Council, it is also appropriate to exclude from the scope of this Regulation natural and legal persons referred to in Articles 2 and 3 of that Directive which are allowed to provide investment services without having to obtain an authorisation under Directive 2014/65/EU.

## (42)

Under sector-specific Union law, some financial entities are subject to lighter requirements or exemptions for reasons associated with their size or the services they provide. That category of financial entities includes [small and non-interconnected investment firms](https://www.mica.wtf/definitions/definitions/dora/small-and-non-interconnected-investment-firm), small institutions for occupational retirement provision which may be excluded from the scope of Directive (EU) 2016/2341 under the conditions laid down in Article 5 of that Directive by the Member State concerned and operate pension schemes which together do not have more than 100 members in total, as well as institutions exempted pursuant to Directive 2013/36/EU.

## (43)

Similarly, financial entities which qualify as [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise) or are subject to the simplified [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework under this Regulation should not be required to establish a role to monitor their arrangements concluded with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) on the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services), or to designate a member of senior management to be responsible for overseeing the related risk exposure and relevant documentation.

## (44)

As only those financial entities identified for the purposes of the advanced digital resilience testing should be required to conduct threat-led penetration tests, the administrative processes and financial costs entailed in the performance of such tests should be borne by a small percentage of financial entities.

## (45)

To ensure full alignment and overall consistency between financial entities' business strategies, on the one hand, and the conduct of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management, on the other hand, the financial entities' [management bodies](https://www.mica.wtf/definitions/definitions/dora/management-body) should be required to maintain a pivotal and active role in steering and adapting the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework and the overall [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) strategy.

## (46)

Moreover, the principle of the [management body](https://www.mica.wtf/definitions/definitions/dora/management-body)'s full and ultimate responsibility for the management of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) of the financial entity goes hand in hand with the need to secure a level of ICT-related investments and an overall budget for the financial entity that would enable the financial entity to achieve a high level of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience).

## (47)

Inspired by relevant international, national and industry best practices, guidelines, recommendations and approaches to the management of cyber risk, this Regulation promotes a set of principles that facilitate the overall structure of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management. Consequently, as long as the main capabilities which financial entities put in place address the various functions in the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication) set out in this Regulation, financial entities should remain free to use [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management models that are differently framed or categorised.

## (48)

To keep pace with an evolving [cyber threat](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) landscape, financial entities should maintain updated ICT systems that are reliable and capable, not only for guaranteeing the processing of data required for their services, but also for ensuring sufficient technological resilience to allow them to deal adequately with additional processing needs due to stressed market conditions or other adverse situations.

## (49)

Efficient business continuity and recovery plans are necessary to allow financial entities to promptly and quickly resolve [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), in particular [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack), by limiting damage and giving priority to the resumption of activities and recovery actions in accordance with their back-up policies.

## (50)

While this Regulation allows financial entities to determine their recovery time and recovery point objectives in a flexible manner and hence to set such objectives by fully taking into account the nature and the criticality of the relevant functions and any specific business needs, it should nevertheless require them to carry out an assessment of the potential overall impact on market efficiency when determining such objectives.

## (51)

The propagators of [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack) tend to pursue financial gains directly at the source, thus exposing financial entities to significant consequences. To prevent ICT systems from losing integrity or becoming unavailable, and hence to avoid data breaches and damage to physical ICT infrastructure, the reporting of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) by financial entities should be significantly improved and streamlined. [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reporting should be harmonised through the introduction of a requirement for all financial entities to report directly to their relevant competent authorities.

## (52)

The direct reporting should enable financial supervisors to have immediate access to information about [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident). Financial supervisors should in turn pass on details of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) to public non-financial authorities (such as competent authorities and single points of contact under Directive (EU) 2022/2555, national data protection authorities, and to law enforcement authorities for [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) of a criminal nature) in order to enhance such authorities' awareness of such incidents.

## (53)

While all financial entities should be required to carry out incident reporting, that requirement is not expected to affect all of them in the same manner. Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted, in the context of delegated acts based on the regulatory technical standards to be developed by the ESAs, with a view to covering only [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident).

## (54)

This Regulation should require [credit institutions](https://www.mica.wtf/definitions/definitions/dora/credit-institution), [payment institutions](https://www.mica.wtf/definitions/definitions/dora/payment-institution), [account information service providers](https://www.mica.wtf/definitions/definitions/dora/account-information-service-provider) and [electronic money institutions](https://www.mica.wtf/definitions/definitions/dora/electronic-money-institution) to report all [operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/operational-or-security-payment-related-incident) — previously reported under Directive (EU) 2015/2366 — irrespective of the ICT nature of the incident.

## (55)

The ESAs should be tasked with assessing the feasibility and conditions for a possible centralisation of [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reports at Union level. Such centralisation could consist of a single EU Hub for [major ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) reporting either directly receiving relevant reports and automatically notifying national competent authorities, or merely centralising relevant reports forwarded by the national competent authorities and thus fulfilling a coordination role.

## (56)

In order to achieve a high level of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience), and in line with both the relevant international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing) and with the frameworks applied in the Union, such as the TIBER-EU, financial entities should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities.

## (57)

Financial entities involved in cross-border activities and exercising the freedoms of establishment, or of provision of services within the Union, should comply with a single set of advanced testing requirements (i.e. TLPT) in their home Member State, which should include the ICT infrastructures in all jurisdictions where the cross-border financial [group](https://www.mica.wtf/definitions/definitions/dora/group) operates within the Union, thus allowing such cross-border financial [groups](https://www.mica.wtf/definitions/definitions/dora/group) to incur related ICT testing costs in one jurisdiction only.

## (58)

To draw on the expertise already acquired by certain competent authorities, in particular with regard to implementing the TIBER-EU framework, this Regulation should allow Member States to designate a single [public authority](https://www.mica.wtf/definitions/definitions/dora/public-authority) as responsible in the financial sector, at national level, for all TLPT matters, or competent authorities, to delegate, in the absence of such designation, the exercise of TLPT related tasks to another national financial competent authority.

## (59)

Since this Regulation does not require financial entities to cover all [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) in one single threat-led penetration test, financial entities should be free to determine which and how many [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) should be included in the scope of such a test.

## (60)

Pooled testing within the meaning of this Regulation — involving the participation of several financial entities in a TLPT and for which an [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) can directly enter into contractual arrangements with an external tester — should be allowed only where the quality or security of services delivered by the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) to customers that are entities falling outside the scope of this Regulation, or the confidentiality of the data related to such services, are reasonably expected to be adversely impacted.

## (61)

In order to take advantage of internal resources available at corporate level, this Regulation should allow the use of internal testers for the purposes of carrying out TLPT, provided there is supervisory approval, no conflicts of interest, and periodical alternation of the use of internal and external testers (every three tests), while also requiring the provider of the [threat intelligence](https://www.mica.wtf/definitions/definitions/dora/threat-intelligence) in the TLPT to always be external to the financial entity.

## (62)

To ensure a sound monitoring of [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) in the financial sector, it is necessary to lay down a set of principle-based rules to guide financial entities when monitoring risk arising in the context of functions outsourced to [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), particularly for [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function), as well as more generally in the context of all ICT third-party dependencies.

## (63)

To address the complexity of the various sources of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), while taking into account the multitude and diversity of providers of technological solutions which enable a smooth provision of financial services, this Regulation should cover a wide range of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), including providers of cloud computing services, software, data analytics services and providers of data centre services.

## (64)

A financial entity should at all times remain fully responsible for complying with its obligations set out in this Regulation. Financial entities should apply a proportionate approach to the monitoring of risks emerging at the level of the [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), by duly considering the nature, scale, complexity and importance of their ICT-related dependencies, the criticality or importance of the services, processes or functions subject to the contractual arrangements and, ultimately, on the basis of a careful assessment of any potential impact on the continuity and quality of financial services at individual and at [group](https://www.mica.wtf/definitions/definitions/dora/group) level, as appropriate.

## (65)

The conduct of such monitoring should follow a strategic approach to [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) formalised through the adoption by the financial entity's [management body](https://www.mica.wtf/definitions/definitions/dora/management-body) of a dedicated [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) strategy, rooted in a continuous screening of all ICT third-party dependencies. To enhance supervisory awareness of ICT third-party dependencies, and with a view to further supporting the work in the context of the Oversight Framework established by this Regulation, all financial entities should be required to maintain a register of information with all contractual arrangements about the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) provided by [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider).

## (66)

A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, in particular by focusing on elements such as the criticality or importance of the services supported by the envisaged ICT contract, the necessary supervisory approvals or other conditions, the possible concentration risk entailed, as well as applying due diligence in the process of selection and assessment of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) and assessing potential conflicts of interest.

## (67)

To address the systemic impact of ICT third-party concentration risk, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entities should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) established in a third country.

## (68)

To evaluate and monitor on a regular basis the ability of an ICT third party service provider to securely provide services to a financial entity without adverse effects on a financial entity's [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience), several key contractual elements with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) should be harmonised. Such harmonisation should cover minimum areas which are crucial for enabling a full monitoring by the financial entity of the risks that could emerge from the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider).

## (69)

When renegotiating contractual arrangements to seek alignment with the requirements of this Regulation, financial entities and [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) should ensure the coverage of the key contractual provisions as provided for in this Regulation.

## (70)

The definition of '[critical or important function](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function)' provided for in this Regulation encompasses the 'critical functions' as defined in Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council. Accordingly, functions deemed to be critical pursuant to Directive 2014/59/EU are included in the definition of critical functions within the meaning of this Regulation.

## (71)

Irrespective of the criticality or importance of the function supported by the [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services), contractual arrangements should, in particular, provide for a specification of the complete descriptions of functions and services, of the locations where such functions are provided and where data is to be processed, as well as an indication of service level descriptions. Other essential elements to enable a financial entity's monitoring of ICT third party risk are: contractual provisions specifying how the accessibility, availability, integrity, security and protection of personal data are ensured by the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider).

## (72)

In addition to such contractual provisions, and with a view to ensuring that financial entities remain in full control of all developments occurring at third-party level which may impair their ICT security, the contracts for the provision of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) should also provide for the following: the specification of the full service level descriptions, with precise quantitative and qualitative performance targets, to enable without undue delay appropriate corrective actions when the agreed service levels are not met; the relevant notice periods and reporting obligations of the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) in the event of developments with a potential material impact on the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider)'s ability to effectively provide their respective [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services); a requirement upon the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) to implement and test business contingency plans.

## (73)

Contracts for the provision of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) should also contain provisions enabling the rights of access, inspection and audit by the financial entity, or an appointed third party, and the right to take copies as crucial instruments in the financial entities' ongoing monitoring of the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider)'s performance, coupled with the service provider's full cooperation during inspections.

## (74)

Such contractual arrangements should also provide for dedicated exit strategies to enable, in particular, mandatory transition periods during which [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) should continue providing the relevant services with a view to reducing the risk of disruptions at the level of the financial entity, or to allow the latter effectively to switch to the use of other [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) or, alternatively, to change to in-house solutions, consistent with the complexity of the provided ICT service.

## (75)

Moreover, the voluntary use of standard contractual clauses developed by [public authorities](https://www.mica.wtf/definitions/definitions/dora/public-authority) or Union institutions, in particular the use of contractual clauses developed by the Commission for cloud computing services could provide further comfort to the financial entities and [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), by enhancing their level of legal certainty regarding the use of cloud computing services in the financial sector, in full alignment with the requirements and expectations set out by the Union financial services law.

## (76)

With a view to promoting convergence and efficiency in relation to supervisory approaches when addressing [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) in the financial sector, as well as to strengthening the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) of financial entities which rely on [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) for the provision of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) that support the supply of financial services, and thereby to contributing to the preservation of the Union's financial system stability and the integrity of the internal market for financial services, [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) should be subject to a Union Oversight Framework.

## (77)

The Oversight Framework should apply only to [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider). There should therefore be a designation mechanism to take into account the dimension and nature of the financial sector's reliance on such [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider). That mechanism should involve a set of quantitative and qualitative criteria to set the criticality parameters as a basis for inclusion in the Oversight Framework.

## (78)

Similarly, financial entities providing [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) to other financial entities, while belonging to the category of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) under this Regulation, should also be exempted from the Oversight Framework since they are already subject to supervisory mechanisms established by the relevant Union financial services law. Where applicable, competent authorities should take into account, in the context of their supervisory activities, the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) posed to financial entities by financial entities providing [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services).

## (79)

The digital transformation experienced in financial services has brought about an unprecedented level of use of, and reliance upon, [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services). Since it has become inconceivable to provide financial services without the use of cloud computing services, software solutions and data-related services, the Union financial ecosystem has become intrinsically co-dependent on certain [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) provided by ICT service suppliers.

## (80)

The Oversight Framework largely depends on the degree of collaboration between the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) and the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) delivering to financial entities services affecting the supply of financial services. Successful oversight is predicated, inter alia, upon the ability of the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) to effectively conduct monitoring missions and inspections to assess the rules, controls and processes used by the [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider).

## (81)

Against this background, the need of the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) to impose penalty payments to compel [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) to comply with the transparency and access-related obligations set out in this Regulation should not be jeopardised by difficulties raised by the enforcement of those penalty payments in relation to [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) established in third countries. In order to ensure the enforceability of such penalties, and to allow a swift roll out of procedures upholding the [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider)' rights of defence in the context of the designation mechanism and the issuance of recommendations, those [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), providing services to financial entities that affect the supply of financial services, should be required to maintain an adequate business presence in the Union.

## (82)

The requirement to set up a [subsidiary](https://www.mica.wtf/definitions/definitions/dora/subsidiary) in the Union should not prevent the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) from supplying [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) and related technical support from facilities and infrastructure located outside the Union. This Regulation does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the Union.

## (83)

[Critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) should be able to provide [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) from anywhere in the world, not necessarily or not only from premises located in the Union. Oversight activities should be first conducted on premises located in the Union and by interacting with entities located in the Union, including the [subsidiaries](https://www.mica.wtf/definitions/definitions/dora/subsidiary) established by [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) pursuant to this Regulation. However, such actions within the Union might be insufficient to allow the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) to fully and effectively perform its duties under this Regulation. The [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) should therefore also be able to exercise its relevant oversight powers in third countries. Exercising those powers in third countries should allow the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) to examine the facilities from which the [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) or the technical support services are actually provided or managed by the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), and should give the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) a comprehensive and operational understanding of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management of the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider). 
The possibility for the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer), as a Union agency, to exercise powers outside the territory of the Union should be duly framed by relevant conditions, in particular the consent of the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) concerned. Similarly, the relevant authorities of the third country should be informed of, and not have objected to, the exercise on their own territory of the activities of the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer). However, in order to ensure efficient implementation, and without prejudice to the respective competences of the Union institutions and the Member States, such powers also need to be fully anchored in the conclusion of administrative cooperation arrangements with the relevant authorities of the third country concerned. This Regulation should therefore enable the ESAs to conclude administrative cooperation arrangements with the relevant authorities of third countries, which should not otherwise create legal obligations in respect of the Union and its Member States.

## (84)

To facilitate communication with the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) and to ensure adequate representation, [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) which are part of a [group](https://www.mica.wtf/definitions/definitions/dora/group) should designate one legal person as their coordination point.

## (85)

The Oversight Framework should be without prejudice to Member States' competence to conduct their own oversight or monitoring missions in respect to [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) which are not designated as critical under this Regulation, but which are regarded as important at national level.

## (86)

To leverage the multi-layered institutional architecture in the financial services area, the [Joint Committee](https://www.mica.wtf/definitions/definitions/dora/joint-committee) of the ESAs should continue to ensure overall cross-sectoral coordination in relation to all matters pertaining to [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), in accordance with its tasks on cybersecurity. It should be supported by a new Subcommittee (the 'Oversight Forum') carrying out preparatory work both for the individual decisions addressed to [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), and for the issuing of collective recommendations, in particular in relation to benchmarking the oversight programmes for [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), and identifying best practices for addressing [ICT concentration risk](https://www.mica.wtf/definitions/definitions/dora/ict-concentration-risk) issues.

## (87)

To ensure that [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) are appropriately and effectively overseen on a Union level, this Regulation provides that any of the three ESAs could be designated as a [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer). The individual assignment of a [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) to one of the three ESAs should result from an assessment of the preponderance of financial entities operating in the financial sectors for which that ESA has responsibilities. This approach should lead to a balanced allocation of tasks and responsibilities between the three ESAs, in the context of exercising the oversight functions, and should make the best use of the human resources and technical expertise available in each of the three ESAs.

## (88)

[Lead Overseers](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) should be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) and to obtain complete and updated information. Those powers should enable the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) to acquire real insight into the type, dimension and impact of the [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) posed to financial entities and ultimately to the Union's financial system. Entrusting the ESAs with the lead oversight role is a prerequisite for understanding and addressing the systemic dimension of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) in finance. The impact of [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) on the Union financial sector and the potential issues caused by the [ICT concentration risk](https://www.mica.wtf/definitions/definitions/dora/ict-concentration-risk) entailed call for taking a collective approach at Union level. The simultaneous carrying out of multiple audits and access rights, performed separately by numerous competent authorities, with little or no coordination among them, would prevent financial supervisors from obtaining a complete and comprehensive overview of [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk) in the Union, while also creating redundancy, burden and complexity for [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) if they were subject to numerous monitoring and inspection requests.

## (89)

Due to the significant impact of being designated as critical, this Regulation should ensure that the rights of [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) are observed throughout the implementation of the Oversight Framework. Prior to being designated as critical, such providers should, for example, have the right to submit to the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) a reasoned statement containing any relevant information for the purposes of the assessment related to their designation. Since the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) should be empowered to submit recommendations on [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) matters and suitable remedies thereto, which include the power to oppose certain contractual arrangements ultimately affecting the stability of the financial entity or the financial system, [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) should also be given the opportunity to provide, prior to the finalisation of those recommendations, explanations regarding the expected impact of the solutions, envisaged in the recommendations, on customers that are entities falling outside the scope of this Regulation and to formulate solutions to mitigate risks. [Critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) disagreeing with the recommendations should submit a reasoned explanation of their intention not to endorse the recommendation. Where such reasoned explanation is not submitted or where it is considered to be insufficient, the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) should issue a public notice summarily describing the matter of non-compliance.

## (90)

Competent authorities should duly include the task of verifying substantive compliance with recommendations issued by the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) in their functions with regard to prudential supervision of financial entities. Competent authorities should be able to require financial entities to take additional measures to address the risks identified in the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer)'s recommendations, and should, in due course, issue notifications to that effect. Where the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) addresses recommendations to [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) that are supervised under Directive (EU) 2022/2555, the competent authorities should be able, on a voluntary basis and before adopting additional measures, to consult the competent authorities under that Directive in order to foster a coordinated approach to dealing with the [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) in question.

## (91)

The exercise of the oversight should be guided by three operational principles seeking to ensure: (a) close coordination among the ESAs in their [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) roles, through a joint oversight network (JON), (b) consistency with the framework established by Directive (EU) 2022/2555 (through a voluntary consultation of bodies under that Directive to avoid duplication of measures directed at [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider)), and (c) applying diligence to minimise the potential risk of disruption to services provided by the [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) to customers that are entities falling outside the scope of this Regulation.

## (92)

The Oversight Framework should not replace, or in any way or for any part substitute for, the requirement for financial entities to manage themselves the risks entailed by the use of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), including their obligation to maintain an ongoing monitoring of contractual arrangements concluded with [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider). Similarly, the Oversight Framework should not affect the full responsibility of financial entities for complying with, and discharging, all the legal obligations laid down in this Regulation and in the relevant financial services law.

## (93)

To avoid duplications and overlaps, competent authorities should refrain from taking individually any measures aiming to monitor the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider)'s risks and should, in that respect, rely on the relevant [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer)'s assessment. Any measures should in any case be coordinated and agreed in advance with the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) in the context of the exercise of tasks in the Oversight Framework.

## (94)

To promote convergence at international level as regards the use of best practices in the review and monitoring of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider)' digital risk-management, the ESAs should be encouraged to conclude cooperation arrangements with relevant supervisory and regulatory third-country authorities.

## (95)

To leverage the specific competences, technical skills and expertise of staff specialising in operational and [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) within the competent authorities, the three ESAs and, on a voluntary basis, the competent authorities under Directive (EU) 2022/2555, the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) should draw on national supervisory capabilities and knowledge and set up dedicated examination teams for each [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), pooling multidisciplinary teams in support of the preparation and execution of oversight activities, including general investigations and inspections of [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), as well as for any necessary follow-up thereto.

## (96)

Whereas costs resulting from oversight tasks would be fully funded from fees levied on [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), the ESAs are, however, likely to incur, before the start of the Oversight Framework, costs for the implementation of dedicated ICT systems supporting the upcoming oversight, since dedicated ICT systems would need to be developed and deployed beforehand. This Regulation therefore provides for a hybrid funding model, whereby the Oversight Framework would, as such, be fully fee-funded, while the development of the ESAs' ICT systems would be funded from Union and national competent authorities' contributions.

## (97)

Competent authorities should have all required supervisory, investigative and sanctioning powers to ensure the proper exercise of their duties under this Regulation. They should, in principle, publish notices of the administrative penalties they impose. Since financial entities and [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) can be established in different Member States and supervised by different competent authorities, the application of this Regulation should be facilitated by, on the one hand, close cooperation among relevant competent authorities, including the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013, and, on the other hand, by consultation with the ESAs through the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities.

## (98)

In order to further quantify and qualify the criteria for the designation of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) as critical and to harmonise oversight fees, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Regulation by further specifying the systemic impact that a failure or operational outage of an [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) could have on the financial entities it provides [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) to, the number of global systemically important institutions (G-SIIs), or other systemically important institutions (O-SIIs), that rely on the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) in question, the number of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) active on a given market, the costs of migrating data and ICT workloads to other [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), as well as the amount of the oversight fees and the way in which they are to be paid. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and their experts should systematically have access to meetings of Commission expert [groups](https://www.mica.wtf/definitions/definitions/dora/group) dealing with the preparation of delegated acts.

## (99)

Regulatory technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. In their roles as bodies endowed with highly specialised expertise, the ESAs should develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management, [major ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) reporting, testing, as well as in relation to key requirements for a sound monitoring of [ICT third-party risk](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-risk). The Commission and the ESAs should ensure that those standards and requirements can be applied by all financial entities in a manner that is proportionate to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. The Commission should be empowered to adopt those regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU and in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

## (100)

To facilitate the comparability of reports on [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) and [major operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-operational-or-security-payment-related-incident), as well as to ensure transparency regarding contractual arrangements for the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) provided by [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), the ESAs should develop draft implementing technical standards establishing standardised templates, forms and procedures for financial entities to report a [major ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) and a [major operational or security payment-related incident](https://www.mica.wtf/definitions/definitions/dora/major-operational-or-security-payment-related-incident), as well as standardised templates for the register of information. When developing those standards, the ESAs should take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations. The Commission should be empowered to adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

## (101)

Since further requirements have already been specified through delegated and implementing acts based on technical regulatory and implementing technical standards in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 of the European Parliament and of the Council, it is appropriate to mandate the ESAs, either individually or jointly through the [Joint Committee](https://www.mica.wtf/definitions/definitions/dora/joint-committee), to submit regulatory and implementing technical standards to the Commission for adoption of delegated and implementing acts carrying over and updating existing [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management rules.

## (102)

Since this Regulation, together with Directive (EU) 2022/2556 of the European Parliament and of the Council, entails a consolidation of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management provisions across multiple regulations and directives of the Union's financial services acquis, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, and Regulation (EU) 2016/1011 of the European Parliament and of the Council, in order to ensure full consistency, those Regulations should be amended to clarify that the applicable ICT risk-related provisions are laid down in this Regulation.

## (103)

Consequently, the scope of the relevant articles related to operational risk, upon which empowerments laid down in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011 had mandated the adoption of delegated and implementing acts, should be narrowed down with a view to carry over into this Regulation all provisions covering the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) aspects which today are part of those Regulations.

## (104)

The potential systemic cyber risk associated with the use of ICT infrastructures that enable the operation of payment systems and the provision of payment processing activities should be duly addressed at Union level through harmonised digital resilience rules. To that effect, the Commission should swiftly assess the need for reviewing the scope of this Regulation while aligning such review with the outcome of the comprehensive review envisaged under Directive (EU) 2015/2366. Numerous large-scale attacks over the past decade demonstrate how payment systems have become exposed to [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat). Placed at the core of the payment services chain and showing strong interconnections with the overall financial system, payment systems and payment processing activities acquired a critical significance for the functioning of the Union financial markets. [Cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack) on such systems can cause severe operational business disruptions with direct repercussions on key economic functions, such as the facilitation of payments, and indirect effects on related economic processes. Until a harmonised regime and the supervision of operators of payment systems and processing entities are put in place at Union level, Member States may, with a view to applying similar market practices, draw inspiration from the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) requirements laid down by this Regulation, when applying rules to operators of payment systems and processing entities supervised under their own jurisdictions.

## (105)

Since the objective of this Regulation, namely to achieve a high level of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) for regulated financial entities, cannot be sufficiently achieved by the Member States because it requires harmonisation of various different rules in Union and national law, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

## (106)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 10 May 2021,

HAVE ADOPTED THIS REGULATION:

