← Frameworks / Financial Regulation

EU Digital Operational Resilience Act (2022/2554)

EU regulation establishing uniform requirements for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management across financial entities. Covers banks, insurers, investment firms, crypto-asset service providers, and critical ICT third-party providers. Requires threat-led penetration testing (TLPT) and comprehensive ICT third-party oversight.

Clauses: 68

Avg Coverage: 66.3%

Publisher: European Union Version: 2022/2554

EU DORA → SP 800-53 SP 800-53 → EU DORA Coverage Analysis

Clause	Title	SP 800-53 Controls
Art.5(1)	Governance and organisation — management body responsibility	AC-01 CA-01 PL-01 PL-09 PM-01 PM-02
Art.5(2)	Governance and organisation — management body approval of digital operational resilience strategy	CA-06 PL-09
Art.5(4)	Governance and organisation — ICT risk management training for management body	AT-01 AT-02 AT-03 AT-06 PL-04 PS-01 PS-02 PS-03 PS-06 PS-08 PS-09
Art.6(1)	ICT risk management framework — establishment and maintenance	AC-01 CA-01 CA-06 PL-01 PL-02 PL-06 PL-09 PL-10 PL-11 RA-01 RA-07 SA-02
Art.6(2)	ICT risk management framework — risk assessment and documentation	PL-02 PL-05 PT-06 RA-01 RA-03 RA-07 RA-09
Art.6(4)	ICT risk management framework — review and audit	CA-02 CA-05 CA-07 CA-09 PL-03 RA-04
Art.6(5)	ICT risk management framework — formal reporting to management body	AU-01 PL-05 RA-03 RA-04 RA-07
Art.6(8)	ICT risk management framework — documentation and review availability	AU-01 PT-01
Art.7(1)	ICT systems, protocols and tools — reliability and capacity	CM-01 CM-02 CM-06 CM-07 MA-01 MA-02 MA-03 MA-06 MA-07 SA-01 SA-03 SA-08 SI-01 SI-13
Art.7(2)	ICT systems, protocols and tools — keep systems up to date	SI-02
Art.8(1)	Identification — ICT asset identification and classification	AC-15 AC-16 CM-08 CM-12 CM-13 MP-03 RA-02 SA-05 SI-12
Art.8(4)	Identification — ICT asset register and classification	AC-16 CM-08 CM-12 RA-02 RA-09 SA-05
Art.8(5)	Identification — ICT risk assessment on legacy systems	SA-03 SA-10 SA-22
Art.9(1)	Protection and prevention — ICT security policies	CM-01 CM-02 CM-06 CM-07 MA-01 PE-01 PE-02 PE-03 SA-01 SA-08 SC-01 SI-01
Art.9(2)	Protection and prevention — ICT system resilience and availability	SC-05 SC-06 SC-14 SC-24 SI-13
Art.9(3)	Protection and prevention — data integrity, confidentiality, and availability safeguards	IA-05 IA-07 RA-05 SC-08 SC-12 SC-13 SC-16 SC-17 SC-23 SC-28
Art.9(4)(a)	Protection and prevention — network security management	AC-04 AC-17 AC-18 AC-19 CA-03 MA-04 MP-01 MP-04 MP-05 SC-01 SC-02 SC-03 SC-07 SC-08 SC-15 SC-20 SC-21 SC-22 SC-46 SC-47
Art.9(4)(b)	Protection and prevention — data leakage, malware, and media protection	MP-01 MP-02 MP-04 MP-05 MP-06 MP-08 SC-04 SI-03 SI-07 SI-08
Art.9(4)(c)	Protection and prevention — access control and authentication	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-08 AC-10 AC-11 AC-12 AC-14 AC-17 AC-19 CM-05 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 MA-04 PS-04 PS-05 SC-10
Art.9(4)(d)	Protection and prevention — strong authentication and identity management	AC-02 AC-05 AC-06 IA-01 IA-02 IA-04 IA-05 IA-08 IA-12
Art.9(4)(e)	Protection and prevention — change management and software security	CM-03 CM-04 CM-05 CM-14 MA-03 SA-06 SA-07 SA-10 SA-11 SC-18 SI-02 SI-07 SI-10 SI-11
Art.10(1)	Detection — anomalous activities and ICT-related incidents	AC-09 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 CA-07 SI-04 SI-05 SI-06 SI-16 SI-20
Art.10(2)	Detection — multiple layers of control and alert thresholds	AU-02 AU-05 AU-06 CA-07 SI-04 SI-06
Art.11(1)	Response and recovery — ICT business continuity policy	CP-01 CP-02 CP-10 CP-12 CP-13
Art.11(2)	Response and recovery — recovery time and point objectives	CP-10 RA-09
Art.11(3)	Response and recovery — impact analysis of ICT disruption scenarios	CP-01 CP-02 CP-07 CP-08 RA-09
Art.11(4)	Response and recovery — ICT response and recovery plans	CP-02 CP-10 SC-24
Art.11(6)	Response and recovery — testing of ICT business continuity plans	CP-03 CP-04 CP-05
Art.11(7)	Response and recovery — crisis communication plans	CP-04 IR-06 IR-07
Art.12(1)	Backup policies and recovery — backup policy development	CP-01 CP-02 CP-09
Art.12(2)	Backup policies and recovery — restoration and recovery from backups	CP-06 CP-07 CP-08 CP-09 SC-24
Art.12(3)	Backup policies and recovery — backup data integrity and confidentiality	CP-09 SI-12
Art.12(5)	Backup policies and recovery — geographically separated backup site	CP-06 CP-07 CP-09
Art.13(1)	Learning and evolving — gathering information on vulnerabilities and cyber threats	PM-16 RA-05 SI-05 SI-21
Art.13(6)	Learning and evolving — ICT security awareness and training programmes	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 CP-03 IR-02
Art.14	Communication — policies for internal and external communication on ICT-related incidents	IR-06 IR-07
Art.15	Simplified ICT risk management framework — proportionality for smaller entities
Art.16	Further harmonisation of ICT risk management tools, methods, processes, and policies
Art.17(1)	ICT-related incident management process — establishment	IR-01 IR-04 IR-08 IR-09
Art.17(2)	ICT-related incident management process — indicators and procedures	IR-01 IR-03 IR-09
Art.17(3)	ICT-related incident management process — response procedures	IR-01 IR-04 IR-09
Art.17(3)(c)	ICT-related incident management process — incident monitoring	IR-05
Art.17(3)(d)	ICT-related incident management process — training and communication	IR-02 IR-07
Art.18(1)	Classification of ICT-related incidents — classification criteria	IR-04 IR-05
Art.18(2)	Classification of ICT-related incidents — major incident determination	IR-04
Art.19(1)	Reporting of major ICT-related incidents — notification to competent authority	IR-06 SR-08
Art.19(4)	Reporting of major ICT-related incidents — incident report content and timelines	AU-11 IR-06
Art.20(1)	Harmonisation of reporting content and templates	IR-06
Art.22(1)	Supervisory feedback on incident reports	IR-07
Art.24(1)	Digital operational resilience testing — programme establishment	CA-01 CA-02 CA-04 CA-07 CA-08 IR-03
Art.24(2)	Digital operational resilience testing — proportionality and risk-based approach	CA-02 PL-10 PL-11
Art.25(1)	Testing of ICT tools and systems — scope and methods	CA-02 CA-04 CA-08 CM-04 RA-05 RA-06 SA-11
Art.25(2)	Testing of ICT tools and systems — developer testing	SA-11 SA-20
Art.26	Advanced testing — threat-led penetration testing (TLPT)	CA-08 RA-06
Art.27	Requirements for TLPT testers — qualifications and independence
Art.28(1)(a)	ICT third-party risk management — general principles and responsibility	AC-20 SA-04 SA-09 SR-01
Art.28(2)	ICT third-party risk management — proportionate risk management strategy	SA-09 SR-01 SR-03
Art.28(4)	ICT third-party risk management — register of ICT third-party arrangements	CM-08 CM-12 SR-01 SR-02
Art.28(5)	ICT third-party risk management — due diligence and risk assessment before contracting	AC-20 MA-05 PS-07 SA-09 SA-21 SR-02 SR-04 SR-05 SR-07 SR-11
Art.28(6)	ICT third-party risk management — monitoring and audit rights	SR-06 SR-10
Art.28(7)	ICT third-party risk management — incident notification by providers	SR-08
Art.28(8)	ICT third-party risk management — exit strategies	SR-12
Art.29(1)	ICT concentration risk — preliminary assessment	RA-09 SR-03
Art.30(2)	Key contractual provisions — minimum requirements for ICT service contracts	SA-04 SA-09 SR-03
Art.30(2)(a)	Key contractual provisions — service descriptions and SLAs	PS-07 SR-04 SR-05 SR-07 SR-11
Art.30(2)(g)	Key contractual provisions — termination and data return	SR-12
Art.30(3)	Key contractual provisions — critical or important functions	RA-09 SA-04 SA-09 SR-06
Art.45(1)	Information-sharing arrangements — voluntary sharing of cyber threat intelligence	AT-05 PM-15 PM-16