DORA — Digital Operational Resilience Act · vRegulation (EU) 2022/2554
DORA — Digital Operational Resilience Act — 86% covered.
73 requirements · 59 enforced · 0 designed · 14 advisory · 0 deferred.
Source: Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector + accompanying RTS/ITS
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| ICT Risk Management Framework (Articles 5-15) | 25 | 25 | 0 | 0 | 0 | 100% |
| ICT-Related Incident Management & Reporting (Articles 17-23) | 13 | 11 | 0 | 2 | 0 | 88% |
| Digital Operational Resilience Testing (Articles 24-27) | 10 | 9 | 0 | 1 | 0 | 93% |
| ICT Third-Party Risk Management (Articles 28-44) | 25 | 14 | 0 | 11 | 0 | 67% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| dora.A5 | Article 5 — Sound, comprehensive, well-documented ICT risk-management framework integrated into overall risk management | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1, kye.evidence.decision_map.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
| dora.A5.2 | Article 5(2) — Internal governance and control framework — proportionality, three lines of defence | enforced | audit_events: kye.authority.grant.v1, kye.authority.delegation.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A6 | Article 6 — ICT risk-management framework — implements governance, defines roles, integrated with overall risk policy | enforced | audit_events: kye.authority.grant.v1, kye.authority.delegation.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A6.2.b | Article 6(2)(b) — ICT risk-management framework includes systems, protocols, tools to minimise ICT risk impact | enforced | audit_events: kye.purpose.permission.v1, kye.compliance.attestation.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/25-EDGE-GOVERNANCE.md |
| dora.A6.6 | Article 6(6) — ICT risk-management framework reviewed at least once a year and upon major incidents | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A6.8 | Article 6(8) — Documentation of the ICT risk-management framework available to authorities upon request | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/30-AUDIT-WORM-RETENTION.md |
| dora.A7 | Article 7 — ICT systems, protocols, and tools — appropriate, reliable, resilient, well-documented | enforced | audit_events: kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md, constitution/51-NO-SPOF.md |
| dora.A8 | Article 8 — Identification — inventory of all ICT-supported business functions, information assets, and ICT assets including dependencies | enforced | audit_events: kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md, constitution/51-NO-SPOF.md |
| dora.A8.4 | Article 8(4) — Classification of information + ICT assets by criticality | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/51-NO-SPOF.md |
| dora.A8.6 | Article 8(6) — Risk assessment of all ICT-supported business functions ≥annually + upon major change | enforced | audit_events: kye.assurance.risk_assessment.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A9 | Article 9 — Protection and prevention — appropriate security policies, procedures, protocols, tools | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.tool_call_pin.v1, kye.evidence.decision_map.v1; engines: internal, internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
| dora.A9.3 | Article 9(3) — Use of state-of-the-art technologies + processes ensuring security and protection of ICT systems | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A9.4.c | Article 9(4)(c) — Network and infrastructure management — segmentation, secured configuration | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| dora.A9.4.d | Article 9(4)(d) — Identity and access management policies | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| dora.A9.4.e | Article 9(4)(e) — ICT change management including software / hardware / firmware / configuration | enforced | audit_events: kye.resilience.drift.detected.v1, kye.signal.drift.detected.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A10 | Article 10 — Detection — mechanisms to promptly detect anomalous activities; logged + monitored | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1, kye.audit.event.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
| dora.A10.2 | Article 10(2) — Multiple layers of control, alert mechanisms, automatic triggering of response | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1, kye.signal.revocation.cascaded.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A11 | Article 11 — Response and recovery — ICT business-continuity policy, response/recovery plans, tested annually | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.compliance.attestation.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/51-NO-SPOF.md |
| dora.A11.2.a | Article 11(2)(a) — Business-continuity objectives ≤ pre-defined RTO/RPO | enforced | audit_events: kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/51-NO-SPOF.md |
| dora.A11.5 | Article 11(5) — Annual testing of ICT business-continuity plans | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.audit_replay_report.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A12 | Article 12 — Backup policies and restoration procedures — separated from production, tested, and time-bound | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| dora.A12.3 | Article 12(3) — Geographical separation of backup sites + production | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| dora.A13 | Article 13 — Learning and evolving — post-incident review feeds back into the ICT risk-management framework | enforced | audit_events: kye.resilience.loop_iteration.v1, kye.resilience.improvement_record.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A14 | Article 14 — Communication — incident-related comms procedure with employees, customers, peers, public | enforced | audit_events: kye.comms.dispatch.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
| dora.A15 | Article 15 — Further harmonisation of ICT risk-management tools, methods, processes, policies via RTS | enforced | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A17 | Article 17 — ICT-related incident management process — detection, recording, classification, response | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A17.2 | Article 17(2) — Recording of all ICT-related incidents + significant cyber threats | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1, kye.audit.event.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| dora.A17.3 | Article 17(3) — Procedures for identification, tracking, logging, classification of incidents | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A18 | Article 18 — Classification of ICT-related incidents — based on impact, criticality of affected services, duration, geographic spread, data-loss | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A18.2 | Article 18(2) — Materiality thresholds for classifying incidents as major | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A19 | Article 19 — Reporting of major ICT-related incidents to competent authorities | enforced | audit_events: kye.signal.incident.opened.v1, kye.compliance.attestation.v1, kye.evidence.pack.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| dora.A19.1 | Article 19(1) — Initial notification within mandated time-windows (early notification ≤4h after classification) | enforced | audit_events: kye.signal.incident.opened.v1, kye.compliance.attestation.v1, kye.evidence.pack.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| dora.A19.4 | Article 19(4) — Intermediate and final reports — structured updates within mandated intervals; complete root-cause analysis in final report | enforced | audit_events: kye.signal.incident.closed.v1, kye.resilience.improvement_record.v1, kye.evidence.pack.v1; engines: internal, internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A19.6 | Article 19(6) — Notification to clients when affected by a major incident | enforced | audit_events: kye.comms.dispatch.v1, kye.signal.incident.opened.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
| dora.A20 | Article 20 — Harmonisation of reporting content + templates via RTS / ITS | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A21 | Article 21 — Centralisation of reporting via the EBA + ESMA + EIOPA central hub | advisory | constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A22 | Article 22 — Reporting of significant cyber threats (voluntary basis) — competent authority + ESAs | advisory | audit_events: kye.signal.drift.detected.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A23 | Article 23 — Operational and security payment-related incidents reporting — coordinated with PSD2/PSD3 Article 96 | enforced | audit_events: kye.signal.incident.opened.v1, kye.payments.intent.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A24 | Article 24 — Digital operational resilience testing program — risk-based, proportionate, covering vulnerability and scenario testing | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A24.2 | Article 24(2) — Test program covers vulnerability assessments + scans, open-source analyses, network security assessments, gap analyses, performance testing, penetration testing, source-code reviews | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A24.4 | Article 24(4) — Tests conducted by independent parties (internal or external) | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| dora.A25 | Article 25 — Testing of ICT tools and systems — annually for critical, on independent test environment, all important systems | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.audit_replay_report.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A25.bis | Article 25 — Vulnerability assessments and scans — performed regularly on important ICT systems | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A26 | Article 26 — Threat-Led Penetration Testing (TLPT) — every 3 years for critical financial entities, TIBER-EU aligned | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A26.2 | Article 26(2) — Identification of critical functions for TLPT scope | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/51-NO-SPOF.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A26.3 | Article 26(3) — TLPT testing scenarios based on real-world threat intelligence | enforced | audit_events: kye.signal.drift.detected.v1, kye.assurance.audit_replay_report.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| dora.A26.8 | Article 26(8) — Reporting of TLPT results to competent authority + summary findings | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A27 | Article 27 — Requirements for testers — independent, sufficiently qualified, certified or with documented expertise | advisory | constitution_refs: constitution/10-PARTNER.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| dora.A28 | Article 28 — ICT third-party risk as integral part of ICT risk management; principle of proportionality | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/51-NO-SPOF.md |
| dora.A28.2 | Article 28(2) — Policy on use of ICT services supporting critical functions | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/51-NO-SPOF.md |
| dora.A28.3 | Article 28(3) — Register of information on all contractual arrangements with ICT third-party providers | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1; engines: internal, internal; constitution_refs: constitution/51-NO-SPOF.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A28.4 | Article 28(4) — Assessment before entering into contractual arrangement including ICT concentration risk | enforced | audit_events: kye.assurance.risk_assessment.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/51-NO-SPOF.md |
| dora.A28.5 | Article 28(5) — Identification and assessment of conflicts of interest | enforced | audit_events: kye.compliance.attestation.v1, kye.federation.cross_org_delegation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| dora.A29 | Article 29 — Preliminary assessment of ICT concentration risk at entity level before entering into a contractual arrangement | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal; constitution_refs: constitution/51-NO-SPOF.md |
| dora.A30 | Article 30 — Key contractual provisions — description of services, locations, data-processing, sub-contracting, exit strategy, access rights | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.evidence.tool_call_pin.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| dora.A30.2.a | Article 30(2)(a) — Description of all functions + ICT services provided | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| dora.A30.2.b | Article 30(2)(b) — Locations of data processing + storage | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| dora.A30.2.f | Article 30(2)(f) — Sub-contracting clauses | enforced | audit_events: kye.subprocessor.v1, kye.federation.cross_org_delegation.v1; engines: internal; constitution_refs: constitution/51-NO-SPOF.md |
| dora.A30.3 | Article 30(3) — Exit strategies in case of failure / termination | enforced | audit_events: kye.compliance.attestation.v1, kye.spof.path_to_full.v1; engines: internal, internal; constitution_refs: constitution/51-NO-SPOF.md |
| dora.A31 | Article 31 — Designation of critical ICT third-party service providers (CTPPs) by the ESAs — direct EU-level oversight | advisory | constitution_refs: constitution/51-NO-SPOF.md |
| dora.A32 | Article 32 — Tasks of the Lead Overseer in respect of CTPPs | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A33 | Article 33 — Register of information on all contractual arrangements with ICT third-party providers — maintained, classified, reportable on demand | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/51-NO-SPOF.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| dora.A34 | Article 34 — Coordination among competent authorities + Lead Overseer | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A35 | Article 35 — Powers of the Lead Overseer — request information, conduct general investigations, on-site inspections | enforced | audit_events: kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A36 | Article 36 — Exercise of Lead Overseer powers outside the Union | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A37 | Article 37 — Requests for information by Lead Overseer | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A38 | Article 38 — General investigations conducted by Lead Overseer | advisory | audit_events: kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A39 | Article 39 — On-site inspections — Lead Overseer's powers | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A40 | Article 40 — Oversight framework for critical ICT third-party providers — Lead Overseer powers, joint examination team, recommendations | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A41 | Article 41 — Follow-up by competent authorities on Lead Overseer recommendations | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A42 | Article 42 — Cooperation among ESAs + competent authorities on third-party-risk matters | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| dora.A43 | Article 43 — Oversight fees levied on CTPPs | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
| dora.A44 | Article 44 — International cooperation — third-country regulator coordination | advisory | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |