Digital Operational Resilience Act (DORA), Article 1, Subject matter.
1. This Regulation lays down the following uniform requirements concerning the security of network and information systems supporting the business processes of financial entities needed to achieve a high common level of digital operational resilience, as follows:
(a) requirements applicable to financial entities in relation to:
–Information and Communication Technology (ICT) risk management;
–reporting of major ICT-related incidents to the competent authorities;
–digital operational resilience testing;
–information and intelligence sharing in relation to cyber threats and vulnerabilities;
–measures for a sound management by financial entities of the ICT third-party risk;
(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
(c) the oversight framework for critical ICT third-party service providers when providing services to financial entities;
(d) rules on cooperation among competent authorities and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.
2. In relation to financial entities identified as operators of essential services pursuant to national rules transposing Article 5 of Directive (EU) 2016/1148, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 1(7) of that Directive.