DORA - Relevant Articles
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act - DORA). The Regulation is directly applicable in all EU Member States. Below, only those articles that are particularly relevant to the assessment of open-source software risks in the financial sector are reproduced, in their official English wording.
The selection focuses on articles concerning ICT risk management, the identification of dependencies, testing obligations (including the explicitly required open-source analyses in Art. 25(1)), the management of ICT third-party risk and the sanctions regime. Each section is thematically organised and accompanied by a brief contextual explanation.
Governance and Organisation (Art. 5)
Art. 5 establishes the responsibility of the management body for the entire ICT risk management framework. Senior management must not merely delegate ICT risks but must itself understand, approve and oversee them. This expressly includes the digital operational resilience strategy, budget allocation and the oversight of ICT third-party service providers.
Art. 5(2)
2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1). For the purposes of the first subparagraph, the management body shall: (a) bear the ultimate responsibility for managing the financial entity's ICT risk; (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data; (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions; (d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b); (e) approve, oversee and periodically review the implementation of the financial entity's ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity's overall business continuity policy and response and recovery plan; (f) approve and periodically review the financial entity's ICT internal audit plans, ICT audits and material modifications to them; (g) allocate and periodically review the appropriate budget to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff; (h) approve and periodically review the financial entity's policy on arrangements regarding the use of ICT services provided by ICT third-party service providers; (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following: (i) arrangements concluded with ICT third-party service providers on the use of ICT services, (ii) any relevant planned material changes regarding the ICT third-party service providers, (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.
Art. 5(4)
4. Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.
ICT Risk Management Framework (Art. 6)
The ICT risk management framework forms the structural foundation for all further DORA obligations. It must encompass strategies, procedures and tools that protect all ICT assets, including open-source software components.
Art. 6(2)
2. The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
Identification (Art. 8)
Art. 8 mandates a complete inventory of all ICT assets and their dependencies. For open-source components this means: every dependency must be recorded, its configuration documented and its connections to other assets traced. Regular risk assessments, particularly for legacy systems, are mandatory.
Art. 8(4)
4. Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.
Art. 8(5)
5. Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
Art. 8(6)
6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.
Art. 8(7)
7. Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.
Protection and Prevention (Art. 9)
Art. 9(4) requires documented policies for change management and patch management. For open-source components this means: every update to a dependency must be recorded, tested and approved in a controlled manner. Documented patch policies are expressly prescribed.
Art. 9(4)
4. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall: [...] (e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity's overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner; (f) have appropriate and comprehensive documented policies for patches and updates. For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.
Detection (Art. 10)
The detection obligation goes beyond mere CVE scanning: financial entities must promptly detect anomalous activities and material single points of failure. Detection mechanisms must be regularly tested, which creates the link to the testing obligations in Art. 25.
Art. 10(1)
1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.
Learning and Evolving (Art. 13)
Art. 13 requires active capabilities for gathering and assessing vulnerability information. For the open-source supply chain this means: not just scanning, but analysing the results, assessing impacts and learning from them. The annual reporting obligation to the management body ensures that findings reach leadership level.
Art. 13(1)
1. Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.
Art. 13(5)
5. Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.
Communication (Art. 14)
The communication obligation includes responsible disclosure of vulnerabilities to clients and the public. This corresponds to the responsible-disclosure process in the open-source world.
Art. 14(1)
1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate.
Reporting of ICT-related Incidents (Art. 19)
Art. 19 obliges financial entities to report major ICT-related incidents to the competent authority - with initial notification, intermediate report and final report within fixed time limits.
Art. 19(1)
1. Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 46 in accordance with paragraph 4 of this Article. For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. The initial notification and reports referred to in paragraph 4 shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.
Art. 19(4)
4. Financial entities shall, within the time limits to be laid down in accordance with Article 20, first paragraph, point (a), point (ii), submit the following to the relevant competent authority: (a) an initial notification; (b) an intermediate report after the initial notification referred to in point (a), as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available, followed, as appropriate, by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority; (c) a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.
Digital Operational Resilience Testing (Art. 24, 25)
Art. 24 and 25 form the core of DORA's testing obligations. Art. 25(1) explicitly names open source analyses as one of the prescribed testing methods. This is the most explicit legal requirement for a systematic assessment of open-source components in all EU regulation.
Art. 24(6)
6. Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
Art. 25(1)
1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
Art. 25(2)
2. Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
ICT Third-party Risk (Art. 28)
Art. 28 comprehensively regulates the management of risks arising from ICT third-party service providers. For open-source dependencies this is particularly relevant: every open-source component can be considered an ICT third-party risk. The article requires due diligence in selection, ongoing monitoring, exit strategies and a documented register of information.
Art. 28(1)
1. Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1), and in accordance with the following principles: (a) financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law; (b) financial entities' management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account: (i) the nature, scale, complexity and importance of ICT-related dependencies, (ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level.
Art. 28(2)
2. As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
Art. 28(3)
3. As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not. Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided. Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity. Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.
Art. 28(4)
4. Before entering into a contractual arrangement on the use of ICT services, financial entities shall: (a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function; (b) assess if supervisory conditions for contracting are met; (c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29; (d) undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable; (e) identify and assess conflicts of interest that the contractual arrangement may cause.
Art. 28(5)
5. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.
Art. 28(7)
7. Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: (a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms; (b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider; (c) ICT third-party service provider's evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data; (d) where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
Art. 28(8)
8. For ICT services supporting critical or important functions, financial entities shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part, a deterioration of the quality of the ICT services provided, any business disruption due to inappropriate or failed provision of ICT services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providers under any of the circumstances listed in paragraph 7. Financial entities shall ensure that they are able to exit contractual arrangements without: (a) disruption to their business activities, (b) limiting compliance with regulatory requirements, (c) detriment to the continuity and quality of services provided to clients. Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested and reviewed periodically. Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house. Financial entities shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in the first subparagraph.
Powers of the Lead Overseer (Art. 35)
The Lead Overseer can impose periodic penalty payments of up to 1% of the average daily worldwide turnover of a critical ICT third-party service provider for non-compliance with its measures. Imposed penalty payments are, as a rule, disclosed to the public.
Art. 35(8)
8. The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be up to 1 % of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. When determining the amount of the penalty payment, the Lead Overseer shall take into account the following criteria regarding non-compliance with the measures referred to in paragraph 6: (a) the gravity and the duration of non-compliance; (b) whether non-compliance has been committed intentionally or negligently; (c) the level of cooperation of the ICT third-party service provider with the Lead Overseer.
Art. 35(10)
10. The Lead Overseer shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
Administrative Penalties and Remedial Measures (Art. 50)
Art. 50 defines the sanctions toolkit of the authorities. Measures range from cease-and-desist orders to pecuniary measures to public statements. Personal liability of members of the management body is also provided for.
Art. 50(3)
3. Without prejudice to the right of Member States to impose criminal penalties in accordance with Article 52, Member States shall lay down rules establishing appropriate administrative penalties and remedial measures for breaches of this Regulation and shall ensure their effective implementation. Those penalties and measures shall be effective, proportionate and dissuasive.
Art. 50(4)
4. Member States shall confer on competent authorities the power to apply at least the following administrative penalties or remedial measures for breaches of this Regulation: (a) issue an order requiring the natural or legal person to cease conduct that is in breach of this Regulation and to desist from a repetition of that conduct; (b) require the temporary or permanent cessation of any practice or conduct that the competent authority considers to be contrary to the provisions of this Regulation and prevent repetition of that practice or conduct; (c) adopt any type of measure, including of pecuniary nature, to ensure that financial entities continue to comply with legal requirements; (d) require, insofar as permitted by national law, existing data traffic records held by a telecommunication operator, where there is a reasonable suspicion of a breach of this Regulation and where such records may be relevant to an investigation into breaches of this Regulation; and (e) issue public notices, including public statements indicating the identity of the natural or legal person and the nature of the breach.
Art. 50(5)
5. Where paragraph 2, point (c), and paragraph 4 apply to legal persons, Member States shall confer on competent authorities the power to apply the administrative penalties and remedial measures, subject to the conditions provided for in national law, to members of the management body, and to other individuals who under national law are responsible for the breach.
Publication of Administrative Penalties (Art. 54)
Sanction decisions are published on the official websites of the competent authorities, including the identity of the persons responsible. The publication remains online for up to five years.
Art. 54(1)
1. Competent authorities shall publish on their official websites, without undue delay, any decision imposing an administrative penalty against which there is no appeal after the addressee of the penalty has been notified of that decision.
Art. 54(2)
2. The publication referred to in paragraph 1 shall include information on the type and nature of the breach, the identity of the persons responsible and the penalties imposed.
Art. 54(6)
6. Competent authorities shall ensure that any publication referred to in paragraphs 1 to 4 shall remain on their official website only for the period which is necessary to bring forth this Article. This period shall not exceed five years after its publication.
Full Text of the Regulation
The full text of Regulation (EU) 2022/2554 is published in the Official Journal of the European Union (OJ L 333, 27.12.2022) and can be accessed via EUR-Lex: