DORA glossary and articles
compliance
the act of obeying a law or rule, especially one that controls a particular industry or type of work.
classification of information assets
allows financial entities to prioritize their resources and efforts by categorizing and understanding the value, sensitivity, and criticality of their information and technology. This classification enables the application of appropriate security measures based on the risk profiles of different assets.
cloud services
means services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
community cloud
means cloud infrastructure available for the exclusive use by a specific community of institutions or payment institutions, including several institutions of a single group.
control team
means the team composed of staff of the tested financial entity and, as needed, staff of its third-party service providers, which knows about and manages the threat-led penetration test (TLPT).
critical ICT third-party service provider
means an ICT third-party service provider designated in accordance with Article 29 and subject to the Oversight Framework.
critical or important function
means any function that is considered critical or important as set out in Section 4 of the EBA guidelines, that is:
- a function where a defect or failure in its performance would materially impair:
  - their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations;
  - their financial performance; or
  - the soundness or continuity of their banking and payment services and activities;
- operational tasks of internal control functions that are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
- functions of banking activities or payment services that they intend to outsource to an extent that would require authorisation by a competent authority.
cyber
relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data, and information systems.
cyber event
any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.
cyber incident
a cyber event that:
- jeopardises the cyber security of an information system or the information the system processes, stores or transmits; or
- violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not.
cyber resilience
the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.
cyber risk
the combination of the probability of cyber incidents occurring and their impact.
cyber security
preservation of confidentiality, integrity and availability of information and/or information systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
cyber threat
means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.
cyber-attack
means a malicious ICT-related incident by means of an attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset perpetrated by any threat actor.
defence-in-depth
means an ICT-related strategy integrating people, processes and technology to establish a variety of barriers across multiple layers and dimensions of the financial entity.
digital operational resilience
means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
function
means any processes, services or activities.
home Member State
means the Member State in which a financial entity is established as defined in applicable sectoral legislation.
hybrid cloud
means cloud infrastructure that is composed of two or more distinct cloud infrastructures.
ICT asset
means a software or hardware asset in the network and information systems used by the financial entity.
ICT concentration risk
means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole, to deliver critical functions, or cause it to suffer other types of adverse effects, including large losses.
ICT intra-group service provider
means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control.
ICT risk
means any reasonably identifiable circumstance in relation to the use of network and information systems, including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event, which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and running of processes, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, damage to physical ICT infrastructure or other adverse effects.
ICT services
means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services.
ICT sub-contractor established in a third country
means an ICT sub-contractor that is a legal person established in a third country, has not set up business/presence in the Union and has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country.
ICT third-party risk
means ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by further sub-contractors of the latter.
ICT third-party service provider
means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services and data centres, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council.
ICT third-party service provider established in a third country
means an ICT third-party service provider that is a legal person established in a third country, has not set up business/presence in the Union, and has entered into a contractual arrangement with a financial entity for the provision of ICT services.
ICT-related incident
means an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity.
information asset
means a collection of information, either tangible or intangible, that is worth protecting.
information security policy
is a crucial component as it sets out the overall objectives, principles, and guidelines for protecting the availability, authenticity, integrity and confidentiality of information. It outlines the entity's commitment to safeguarding its data and ICT assets, ensuring compliance with relevant laws and regulations.
legacy ICT system
means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades and fixes, due to technological or commercial reasons, or is no longer supported by its supplier or an ICT third-party service provider, but that is still in use and supports the functions of the financial entity.
major ICT-related incident
means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity.
major operational or security payment-related incident
means an operational or security payment-related incident that has a high adverse impact on the confidentiality, integrity or availability of data, or the continuity of payment-related services provided.
management body
means a management body as defined in point 36 of Article 4(1) of Directive 2014/65/EU, point 7 of Article 3(1) of Directive 2013/36/EU, point s of Article 2(1) of Directive 2009/65/EC, point 45 of Article 2(1) of Regulation (EU) No 909/2014, point 20 of Article 3(1) of Regulation (EU) 2016/1011 of the European Parliament and of the Council or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national legislation (which should cater for the situation of the smallest entities).
microenterprise
means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC. The Annex says: “Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.”
medium-sized enterprise
means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.
network and information system
means network and information system as defined in point (1) of Article 4 of Directive (EU) No 2016/1148, that is:
- (a) an electronic communications network within the meaning of point (a) of Article 2 of Directive 2002/21/EC;
- (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
- (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.
operational or security payment-related incident
means a single event or a series of linked events unplanned by the financial entities referred to in points (a) to (c) of Article 2(1), ICT-related or not, that has an adverse impact on the confidentiality, integrity or availability of data, or the continuity of payment-related services provided.
outsourcing
means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.
private cloud
means cloud infrastructure available for the exclusive use by a single institution or payment institution.
public cloud
means cloud infrastructure available for open use by the general public.
risk management
the framework for identifying, assessing, mitigating and monitoring ICT risk. It ensures that potential risks are identified, analysed and managed proactively to minimise their impact on operations.
security of network and information systems
means security of network and information systems as defined in point (2) of Article 4 of Directive (EU) No 2016/1148, that is, the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the related services offered by, or accessible via, those network and information systems.
sensitive information
means information that can readily be leveraged to carry out attacks against the ICT systems of the financial entity, as well as intellectual property, confidential business data and/or personal data that can directly or indirectly harm the company and its ecosystem should it fall into the hands of malicious actors.
service provider
means a third-party entity that is undertaking an outsourced process, service or activity, or parts thereof, under an outsourcing arrangement.
significant cyber threat
means a cyber threat whose technical characteristics indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident.
small enterprise
means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million.
sub-outsourcing
means a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider.
threat intelligence
means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and which brings relevant and sufficient understanding for mitigating the impact of an ICT-related incident or cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations.
threat-led penetration testing (TLPT)
means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (red team) test of the entity’s critical live production systems.
vulnerability
means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by a threat.