Article 3 Digital Operational Resilience Act (DORA), Definitions
Article 3 of the Digital Operational Resilience Act (DORA) establishes a comprehensive framework for enhancing digital resilience within the financial sector by defining crucial terms and concepts related to ICT risk management, cybersecurity, and operational continuity. Understanding these definitions is essential for ensuring that financial entities can maintain robust systems and practices to protect their operations against various ICT-related risks and threats.
Definitions and Key Concepts Under DORA
- Digital Operational Resilience: The capability of a financial entity to build, maintain, and review its operational integrity from a technological standpoint. This involves ensuring, either directly or through ICT third-party providers, that all necessary ICT-related capabilities are in place to secure network and information systems, thereby supporting the uninterrupted provision and quality of financial services.
- Network and Information System: Defined as per point (1) of Article 4 of Directive (EU) No 2016/1148.
- Security of Network and Information Systems: Refers to the security measures for network and information systems as detailed in point (2) of Article 4 of Directive (EU) No 2016/1148.
- ICT Risk: Any identifiable situation related to the use of network and information systems that could compromise their security. This includes malfunctions, capacity issues, failures, disruptions, impairments, misuse, loss, or other events that might affect the integrity, availability, or confidentiality of data, software, or ICT services and infrastructure.
- Information Asset: A collection of information, whether tangible or intangible, that is valuable and requires protection.
- ICT-Related Incident: An unexpected event affecting network and information systems, whether due to malicious activities or not, which impacts the security, availability, confidentiality, or authenticity of the information processed, stored, or transmitted by these systems, or affects the financial services provided.
- Major ICT-Related Incident: An ICT-related incident with a potentially significant adverse impact on the network and information systems supporting critical functions of the financial entity.
- Cyber Threat: Defined as per point (8) of Article 2 of Regulation (EU) 2019/881.
- Cyber-Attack: A malicious ICT-related incident aimed at destroying, exposing, altering, disabling, stealing, or gaining unauthorized access to assets, perpetrated by any threat actor.
- Threat Intelligence: Information that has been analyzed and contextualized to assist in decision-making and mitigate the impact of ICT-related incidents or cyber threats. This includes technical details of attacks, the perpetrators, their methods, and motivations.
- Defence-in-Depth: An ICT strategy incorporating people, processes, and technology to establish multiple layers of security barriers to protect the entity.
- Vulnerability: A weakness or flaw in an asset, system, process, or control that can be exploited by a threat.
- Threat-Led Penetration Testing: A framework simulating the tactics, techniques, and procedures of real-life threat actors to perform a controlled, intelligence-driven test of an entity’s critical live production systems.
- ICT Third-Party Risk: Risks associated with the use of ICT services provided by third-party service providers or their subcontractors.
- ICT Third-Party Service Provider: An entity that offers digital and data services, such as cloud computing, software, data analytics, and data centers, excluding hardware providers and electronic communication service providers as defined in Directive (EU) 2018/1972.
- ICT Services: Digital and data services provided through ICT systems, including data provision, entry, storage, processing, reporting, monitoring, and decision support.
- Critical or Important Function: A function whose failure or discontinuation would significantly impact a financial entity's compliance, financial performance, or the continuity of its services and activities.
- Critical ICT Third-Party Service Provider: An ICT third-party service provider designated as critical according to Article 29 and subject to the Oversight Framework specified in Articles 30 to 37.
- ICT Third-Party Service Provider Established in a Third Country: An ICT third-party service provider based outside the EU, without a presence in the Union, and contracted to provide ICT services.
- ICT Sub-Contractor Established in a Third Country: An ICT subcontractor based outside the EU, without a presence in the Union, and contracted by an ICT third-party service provider, whether that provider is established in the Union or outside it.
- ICT Concentration Risk: The risk associated with dependency on one or more critical ICT third-party service providers, which could jeopardize the financial entity's ability to deliver critical functions or result in other adverse effects, including significant losses.
- Management Body: The individuals or bodies responsible for effectively running the entity or holding key functions, as defined in various EU directives and regulations.
- Credit Institution: Defined as per point (1) of Article 4(1) of Regulation (EU) No 575/2013.
- Investment Firm: Defined as per point (1) of Article 4(1) of Directive 2014/65/EU.
- Payment Institution: Defined as per point (d) of Article 1(1) of Directive (EU) 2015/2366.
- Electronic Money Institution: Defined as per point (1) of Article 2 of Directive 2009/110/EC.
- Central Counterparty: Defined as per point (1) of Article 2 of Regulation (EU) No 648/2012.
- Trade Repository: Defined as per point (2) of Article 2 of Regulation (EU) No 648/2012.
- Central Securities Depository: Defined as per point (1) of Article 2(1) of Regulation (EU) 909/2014.
- Trading Venue: Defined as per point (24) of Article 4(1) of Directive 2014/65/EU.
- Manager of Alternative Investment Funds: Defined as per point (b) of Article 4(1) of Directive 2011/61/EU.
- Management Company: Defined as per point (b) of Article 2(1) of Directive 2009/65/EC.
- Data Reporting Service Provider: Defined as per point (63) of Article 4(1) of Directive 2014/65/EU.
- Insurance Undertaking: Defined as per point (1) of Article 13 of Directive 2009/138/EC.
- Reinsurance Undertaking: Defined as per point (4) of Article 13 of Directive 2009/138/EC.
- Insurance Intermediary: Defined as per point (3) of Article 2 of Directive (EU) 2016/97.
- Ancillary Insurance Intermediary: Defined as per point (4) of Article 2 of Directive (EU) 2016/97.
- Reinsurance Intermediary: Defined as per point (5) of Article 2 of Directive (EU) 2016/97.
- Institution for Occupational Retirement Pensions: Defined as per point (6) of Article 1 of Directive 2016/2341.
- Credit Rating Agency: Defined as per point (2) of Article 3(1) of Regulation (EU) 2019/2175.
- Statutory Auditor: Defined as per Article 2(1) of Directive 2014/56/EU.
- Audit Firm: Defined as per point (1) of Article 2 of Regulation (EU) No 537/2014.
- Crypto-Asset Service Provider: Defined as per Article 1(2) of Regulation (EU) 2020/1003.
- Issuer of Crypto-Assets: Defined as per Article 1(3) of Regulation (EU) 2020/1003.
- Issuer of Asset-Referenced Tokens: Defined as per Article 1(4) of Regulation (EU) 2020/1003.
- Issuer of Significant Asset-Referenced Tokens: Defined as per Article 1(5) of Regulation (EU) 2020/1003.
- Administrator of Critical Benchmarks: Defined as per Article 3(1) of Regulation (EU) 2016/1011.
- Crowdfunding Service Provider: Defined as per point (1) of Article 4(1) of Regulation (EU) 2020/1503.
- Securitisation Repository: Defined as per point (3) of Article 2 of Regulation (EU) 2017/2402.
- Digital Service Provider: Defined as per Article 2(1) of Directive (EU) 2015/1535.
These definitions are integral for understanding and implementing DORA's requirements, which aim to enhance the digital resilience of the financial sector through comprehensive risk management and operational continuity measures.