bmad-plus 0.4.4 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md

@@ -0,0 +1,441 @@
+# DORA — Article-by-Article Reference
+
+All 64 articles of Regulation (EU) 2022/2554 (Digital Operational Resilience Act).
+Published: OJ L 333, 27 December 2022. Application date: 17 January 2025.
+
+---
+
+## Chapter I — General Provisions (Art. 1–4)
+
+### Art. 1 — Subject Matter
+Establishes uniform requirements for the security of network and information systems
+supporting business processes of financial entities, in particular:
+- ICT risk management (Chapter II)
+- ICT-related incident management, classification, and reporting (Chapter III)
+- Digital operational resilience testing (Chapter IV)
+- ICT third-party risk management (Chapter V)
+- Information-sharing arrangements (Chapter VI)
+
+**Key point:** DORA is a maximum harmonisation regulation — Member States cannot
+impose stricter sector-specific ICT security requirements on in-scope entities.
+
+### Art. 2 — Scope
+**Applies to:**
+Credit institutions; payment institutions; account information service providers;
+e-money institutions; investment firms; crypto-asset service providers (MiCA);
+central securities depositories; central counterparties; trading venues; trade
+repositories; managers of alternative investment funds; management companies;
+data reporting service providers; insurance and reinsurance undertakings;
+insurance intermediaries; institutions for occupational retirement provision;
+credit rating agencies; administrators of critical benchmarks; crowdfunding service
+providers; securitisation repositories.
+
+**Excludes (Art. 2(3)–(4)):**
+Certain small and medium-sized entities (with caveats); Postal Savings Banks;
+credit unions; some small mutual institutions.
+
+### Art. 3 — Definitions
+Key defined terms:
+- **ICT risk** (Art. 3(2)): Any reasonably identifiable circumstance in relation to the
+  use of NIS that, if materialised, may compromise the security of NIS, tools, or
+  processes, or of the conduct of operations and processes, or of the provision of services
+- **ICT-related incident** (Art. 3(8)): An unplanned event, or a series thereof, that has
+  an adverse and significant impact on the security of NIS
+- **Major ICT-related incident** (Art. 3(10)): An ICT-related incident that has a high
+  adverse impact on in-scope entities
+- **Cyber threat** (Art. 3(12)): A potential circumstance, event or action that could
+  damage, disrupt or adversely impact NIS, dependent users, or related services
+- **Critical or important function** (Art. 3(22)): A function the disruption of which would
+  materially impair the financial performance, soundness, or continuity of service
+- **ICT third-party service provider** (Art. 3(19)): An undertaking providing digital and
+  data services to financial entities
+- **Critical ICT third-party service provider** (Art. 3(23)): An ICT TPSP designated
+  under Art. 31
+
+### Art. 4 — Proportionality
+Financial entities apply the rules in a manner proportionate to their:
+- Size and overall risk profile
+- Nature, scale and complexity of their services, activities and operations
+
+Micro-enterprises and certain entities may apply the simplified ICT risk management
+framework under Art. 16.
+
+---
+
+## Chapter II — ICT Risk Management (Art. 5–16)
+
+### Art. 5 — Governance and Organisation
+**(1)** Management body bears ultimate responsibility for managing ICT risk.
+**(2)** Management body must:
+- (a) Define ICT risk appetite
+- (b) Approve and oversee ICT security policies
+- (c) Approve the ICT risk management framework
+- (d) Approve an adequate ICT budget
+- (e) Ensure adequate ICT staffing and training
+- (f) Approve and oversee major ICT projects
+- (g) Ensure a crisis communication plan
+- (h) Ensure adequate internal audit of ICT risk
+**(4)** Senior management must implement the management body's decisions.
+**(5)** At least one board member must report to the management body on ICT risk.
+
+### Art. 6 — ICT Risk Management Framework
+**(1)** Financial entities must maintain a robust and well-documented ICT RMF.
+**(2)** The framework must include strategies, policies, procedures, IT protocols and tools.
+**(3)** Must minimize impact of ICT risk by deploying appropriate mechanisms.
+**(4)** Must document and periodically review the ICT risk management function.
+**(5)** Must review the ICT RMF after major incidents and at least annually.
+
+### Art. 7 — ICT Systems, Protocols and Tools
+Financial entities must use ICT systems, protocols, and tools that are:
+- **(a)** Appropriate to the magnitude of operations supporting critical functions
+- **(b)** Reliable and capable of handling stress and peak loads
+- **(c)** Technologically resilient (handle additional information processing needs)
+- **(d)** Up to date with respect to security standards (patched, maintained)
+
+### Art. 8 — Identification
+**(1)** Identify and classify ICT supported functions, their ICT assets, and information assets.
+**(2)** Identify all sources of ICT risk.
+**(4)** Maintain an updated ICT asset inventory; map interdependencies; identify
+single points of failure.
+
+### Art. 9 — Protection and Prevention
+**(2)** Implement appropriate controls:
+- (a) Information security policies, procedures, and access controls
+- (b) Network segmentation, as appropriate
+- (c) Encryption and cryptography policies
+- (d) ICT policies addressing third-party access
+- (e) Change management procedures
+**(4)** Implement:
+- (a) Document management policies
+- (b) ICT change management policies
+- (c) Patch and software update policies
+- (d) ICT project management policies
+
+### Art. 10 — Detection
+**(1)** Financial entities must have appropriate mechanisms to detect anomalous activities
+including ICT network problems and ICT-related incidents.
+**(2)** Multiple layers of control; thresholds and criteria for generating alerts.
+
+### Art. 11 — Response and Recovery
+**(1)** Implement an ICT business continuity policy addressing:
+- (a) Activation and coordination triggers
+- (b) Recovery priorities
+- (c) Interim operating procedures
+- (d) Assessment and decision procedures
+**(2)** Conduct a business impact analysis (BIA) for critical functions; set RTO and RPO.
+**(4)** As part of ICT business continuity policy: implement response and recovery plans.
+**(6)** Test business continuity plans at least annually (including scenarios relevant
+to the entity's risk profile).
+
+### Art. 12 — Backup Policies and Procedures
+**(1)** Maintain backup policies specifying:
+- Frequency of backups
+- Type and location of backups
+- Scope (which systems and data are covered)
+**(2)** Restoration systems, maintained separately from the primary system, can be
+activated without undue delay and interference.
+**(3)** Test restorability of backup systems; restore time must align with RTO.
+**(4)** ICT backup systems may be located in third-party cloud infrastructure.
+
+### Art. 13 — Learning and Evolving
+**(1)** Gather, analyse, and document findings from major ICT incidents and post-incident reviews.
+**(2)** Monitor cyber threat intelligence from relevant sources.
+**(3)** Integrate threat intelligence findings into risk assessment.
+**(6)** Provide all staff with ICT security awareness training; specialist ICT
+resilience training for relevant roles; training for board members on ICT risk.
+
+### Art. 14 — Communication
+**(1)** Implement crisis communication plans for major ICT incidents or cyber threats.
+**(2)** Define internal escalation procedures; external communication to clients,
+financial sector counterparts, and public authorities.
+
+### Art. 15 — Further Harmonisation of ICT Risk Management Tools, Methods and Processes
+ESAs to develop RTS on detailed elements of ICT RMF (→ CDR (EU) 2024/1774).
+
+### Art. 16 — Simplified ICT Risk Management Framework
+Small and less complex entities may apply simplified framework per CDR (EU) 2024/1774,
+Chapter II. Simplified framework covers:
+- **(a)** Key elements of ICT risk management
+- **(b)** Simplified test requirements
+- **(c)** Simplified reporting
+
+---
+
+## Chapter III — ICT-Related Incident Management, Classification, and Reporting (Art. 17–23)
+
+### Art. 17 — ICT-Related Incident Management Process
+**(1)** Establish documented incident management process with roles, criteria,
+escalation paths.
+**(3)** Report major incidents to senior management; board must be informed.
+**(4)** Communicate with clients affected by major incidents without undue delay.
+
+### Art. 18 — Classification of ICT-Related Incidents and Cyber Threats
+**(1)** Classify incidents based on: clients affected; reputational impact; duration
+and geographic spread; data losses; service criticality; economic impact.
+**(3)** ESAs to develop RTS on classification → CDR (EU) 2024/1772.
+
+### Art. 19 — Reporting of Major ICT-Related Incidents and Voluntary Notification
+**(1)** Report major incidents to competent authority in three stages:
+- Initial: within 4 hours of classification as major
+- Intermediate: within 72 hours
+- Final: within 1 month of initial notification
+**(2)** Entities may voluntarily notify significant cyber threats.
+**(5)** Home state authority coordinates with host state authorities.
+
+### Art. 20 — Harmonisation of Reporting Content, Timelines and Templates
+ESAs to develop RTS on content/timelines (→ CDR (EU) 2025/301) and ITS on templates
+(→ CIR (EU) 2025/302).
+
+### Art. 21 — Centralisation of Reporting
+ESAs to assess feasibility of single EU reporting hub. Authorities share incident
+information with relevant bodies.
+
+### Art. 22 — Supervisory Feedback
+Competent authorities may provide feedback after incident reports: indicative
+impact assessment, relevant threat intelligence, preventive measures.
+
+### Art. 23 — Specific Rules on Reporting of Payment-Related Major Incidents
+Applies to credit institutions, payment institutions, and e-money institutions.
+Payment-specific reporting integrated with DORA templates. Supersedes pre-DORA
+PSD2 Art. 96 reporting for incidents meeting DORA major thresholds.
+
+---
+
+## Chapter IV — Digital Operational Resilience Testing (Art. 24–27)
+
+### Art. 24 — General Requirements for Digital Operational Resilience Testing
+**(1)** All financial entities must conduct a testing programme for critical ICT
+systems at least annually.
+**(4)** Tests conducted by independent internal or external parties.
+
+### Art. 25 — Testing of ICT Tools and Systems
+Basic testing types: vulnerability assessments and scans; network security
+assessments; source code reviews; performance tests; end-to-end tests;
+scenario-based compatibility tests.
+
+### Art. 26 — Advanced Testing of ICT Tools, Systems and Processes Based on TLPT
+**(1)** TLPT at least once every 3 years.
+**(2)** Live production systems in scope.
+**(3)** Scope covers critical or important functions.
+**(4)** Threat intelligence required to develop scenarios.
+**(5)** Mutual recognition of TLPT results across EU jurisdictions.
+**(6)** External testers; no conflict of interest.
+**(7)** Competent authority may mandate TLPT on specific systems.
+**(8)** Applicability criteria (size, risk, systemic importance) — set in CDR
+(EU) 2025/1190.
+**(11)** ESAs to develop RTS → CDR (EU) 2025/1190.
+
+### Art. 27 — Requirements for Testers Carrying Out TLPT
+**(1)** Testers must demonstrate methodology capability and technical expertise.
+**(2)** Must hold relevant professional certifications.
+**(3)** No conflicts of interest with the tested entity.
+**(4)** Competent authority maintains list of qualified testers.
+**(9)** ESAs to develop RTS → CDR (EU) 2025/1190.
+
+---
+
+## Chapter V — ICT Third-Party Risk Management (Art. 28–44)
+
+### Section I — Key Principles (Art. 28–30)
+
+### Art. 28 — General Principles for Managing ICT Third-Party Risk
+**(1)** Adopt, review, and update an ICT third-party risk policy.
+**(2)** All ICT service arrangements recorded in the Register of Information.
+**(3)** Submit RoI at least annually to competent authority.
+**(4)** Pre-contractual due diligence for critical/important function arrangements.
+**(5)** Ongoing monitoring of TPSP performance and risk.
+**(6)** Assess ICT concentration risk — single TPSP for multiple critical functions.
+**(7)** Exit strategy for each critical arrangement.
+**(9)** ITS on RoI templates → CIR (EU) 2024/2956.
+**(10)** RTS on third-party risk policy → CDR (EU) 2024/1773.
+
+### Art. 29 — Preliminary Assessment of ICT Concentration Risk at Entity Level
+**(1)** Assess entity-level concentration when entering new arrangements.
+**(2)** Assess risk that entire ICT services become unavailable.
+**(3)** Assess prior to entering arrangements for critical functions.
+
+### Art. 30 — Key Contractual Provisions
+**(2)** Mandatory provisions for critical/important function contracts:
+(a) service description; (b) data locations; (c) data protection; (d) availability/
+security; (e) audit and access rights; (f) termination rights; (g) reporting;
+(h) data portability; (i) sub-contracting.
+**(3)** Lighter provisions for non-critical arrangements.
+**(5)** RTS on detailed provisions → CDR (EU) 2024/1773, CDR (EU) 2025/532.
+
+### Section II — Oversight Framework for Critical ICT TPSPs (Art. 31–44)
+
+### Art. 31 — Designation of Critical ICT Third-Party Service Providers
+ESAs designate critical ICT TPSPs based on CDR (EU) 2024/1502 criteria.
+Non-EU CTPPs must designate EU legal representative (Art. 31(11)).
+
+### Art. 32 — Structure of the Oversight Framework
+Lead Overseer (EBA/ESMA/EIOPA) per CTPSP. Joint Oversight Network (JON).
+JETs per CDR (EU) 2025/420.
+
+### Art. 33 — Information Requests
+Lead Overseer may require CTPPs to provide all relevant information and documentation.
+
+### Art. 34 — General Investigations
+Lead Overseer may conduct general investigations including interviews and document reviews.
+
+### Art. 35 — Inspections
+Lead Overseer may conduct on-site inspections; CTPPs must cooperate.
+
+### Art. 36 — Oversight Recommendations
+Lead Overseer issues recommendations on significant findings; CTPSP has 6 weeks to respond.
+
+### Art. 37 — Follow-Up of Oversight Recommendations
+If CTPSP fails to implement recommendations: escalated follow-up; public disclosure
+of non-compliance possible.
+
+### Art. 38 — Oversight Fees
+Annual oversight fees for CTPPs per CDR (EU) 2024/1505.
+
+### Art. 39 — Rights of Defence
+CTPPs have right to be heard before formal findings are issued; access to documents.
+
+### Art. 40 — Cooperation Between Competent Authorities
+Competent authorities of financial entities that use a CTPSP exchange relevant
+information with the Lead Overseer — including supervisory findings, complaints,
+and material changes reported by the financial entity concerning the CTPSP.
+Financial entities must cooperate with their own competent authority in providing
+information about their CTPSP arrangements; the authority in turn shares that
+information with the Lead Overseer.
+
+> **Note on entity obligations:** Art. 40 primarily governs inter-authority
+> information flows. Financial entities' direct cooperation obligation with the
+> Lead Overseer arises from Art. 28(3) (RoI submission) and the Lead Overseer's
+> powers under Art. 33–35, not Art. 40 itself.
+
+### Art. 41 — Cooperation Between Competent Authorities and Lead Overseers
+Exchange of information; coordination mechanisms; JON information sharing.
+RTS on harmonisation → CDR (EU) 2025/295.
+
+### Art. 42 — Liability of Financial Entities
+Designation of a CTPSP does not affect the financial entity's own responsibility
+for DORA compliance. Entities cannot outsource their regulatory obligations to
+a CTPSP.
+
+### Art. 43 — Oversight Fees
+Lead Overseer collects fees; methodology per CDR (EU) 2024/1505.
+
+### Art. 44 — International Cooperation
+ESAs may conclude administrative arrangements with third-country regulatory
+authorities on information exchange for oversight of CTPPs with a global footprint.
+
+---
+
+## Chapter VI — Information-Sharing Arrangements (Art. 45)
+
+### Art. 45 — Information-Sharing Arrangements on Cyber Threat Information and Intelligence
+**(1)** Financial entities may voluntarily participate in cyber threat intelligence
+sharing arrangements with other financial entities.
+**(1)** Must protect confidential information; must comply with competition rules.
+**(3)** ESAs may develop guidelines on information sharing.
+
+Participation in information sharing arrangements does not reduce DORA obligations
+but may assist in threat intelligence requirements under Art. 13(2)–(3).
+
+---
+
+## Chapter VII — Competent Authorities (Art. 46–56)
+
+### Art. 46 — Competent Authorities
+Each Member State designates competent authorities for each financial entity type.
+Multiple authorities may be designated (e.g., ECB for SSM banks + national NCA).
+
+### Art. 47 — Cooperation with Structures Established by NIS 2 Directive
+Competent authorities under DORA cooperate with bodies established under NIS2.
+This includes information sharing with national CSIRTs and ENISA.
+
+### Art. 48 — Cooperation Between Competent Authorities
+Mutual assistance; supervisory convergence across Member States.
+
+### Art. 49 — Cross-Sectoral Exercises
+Competent authorities may participate in cross-sectoral crisis simulations with
+other regulatory bodies and public authorities.
+
+### Art. 50 — Administrative Penalties and Remedial Measures
+Competent authorities must have supervisory powers including:
+- Issuance of orders to cease non-compliant conduct
+- Imposition of administrative penalties
+- Suspension of ICT service arrangements that pose systemic risk
+
+### Art. 51 — Exercise of the Power to Impose Administrative Penalties
+Member States must determine effective, proportionate, and dissuasive penalties.
+Penalties can apply to both the legal entity and natural persons in management.
+
+### Art. 52 — Criminal Penalties
+Member States may provide for criminal penalties for DORA violations.
+
+### Art. 53 — Notification and Publication
+Competent authorities publish information on penalties and measures imposed
+(naming and shaming regime).
+
+### Art. 54 — EBA Lead for Banking
+EBA acts as lead for banking-sector CTPPs; coordinates with ESMA and EIOPA.
+
+### Art. 55 — ESMA Lead for Capital Markets
+ESMA acts as lead for capital markets CTPPs.
+
+### Art. 56 — EIOPA Lead for Insurance and Pensions
+EIOPA acts as lead for insurance, reinsurance, and pension fund CTPPs.
+
+---
+
+## Chapter VIII — Delegated Acts (Art. 57)
+
+### Art. 57 — Exercise of the Delegation
+Empowers the Commission to adopt delegated regulations (the RTS/ITS listed in
+the rts-its-guide.md reference file). Delegation runs for 5 years from
+17 January 2025, renewable.
+
+---
+
+## Chapter IX — Transitional and Final Provisions (Art. 58–64)
+
+### Art. 58 — Transitional Provisions for Competent Authorities
+Procedures for handling pending supervisory cases at the time of DORA application.
+
+### Art. 59 — Amendments to MiCA (Regulation (EU) 2023/1114)
+DORA imposes ICT risk obligations on CASPs as defined in MiCA; Art. 59 makes
+consequential amendments to align MiCA with DORA.
+
+### Art. 60 — Amendments to EMIR (Regulation (EU) 648/2012)
+Consequential amendments for CCPs and trade repositories.
+
+### Art. 61 — Amendments to MiFIR (Regulation (EU) 600/2014)
+Consequential amendments for trading venues and data reporting service providers.
+
+### Art. 62 — Amendments to AIFMD (Directive 2011/61/EU)
+Consequential amendments for AIFMs.
+
+### Art. 63 — Entry into Force
+DORA entered into force on 16 January 2023 (20 days after OJ publication on
+27 December 2022).
+
+### Art. 64 — Application
+DORA **applies from 17 January 2025** — 24 months after entry into force.
+
+---
+
+## Key DORA Cross-References
+
+| Topic | Primary Article | Key RTS/ITS |
+|-------|---------------|-------------|
+| Board responsibility for ICT risk | Art. 5 | CDR 2024/1774 |
+| ICT risk management framework | Art. 6 | CDR 2024/1774 |
+| ICT asset register | Art. 8(4) | CDR 2024/1774 |
+| Incident classification | Art. 18 | CDR 2024/1772 |
+| Major incident reporting timelines | Art. 19 | CDR 2025/301 |
+| Incident reporting templates | Art. 20 | CIR 2025/302 |
+| TLPT requirements | Art. 26 | CDR 2025/1190 |
+| TLPT tester qualifications | Art. 27 | CDR 2025/1190 |
+| ICT third-party risk policy | Art. 28(1) | CDR 2024/1773 |
+| Register of Information | Art. 28(3)+(9) | CIR 2024/2956 |
+| Concentration risk | Art. 28(6)+29 | CDR 2024/1773 |
+| Contractual provisions | Art. 30(2) | CDR 2024/1773, CDR 2025/532 |
+| Critical TPSP designation | Art. 31 | CDR 2024/1502 |
+| CTPSP oversight fees | Art. 43 | CDR 2024/1505 |
+| Oversight harmonisation | Art. 41 | CDR 2025/295 |
+| Joint Examination Teams | Art. 32 | CDR 2025/420 |