Question ID: DORA037 - 2992
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Article: Article 11
Status: Rejected
Date of submission: 14 Feb 2024
Question
Financial entities shall keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated. Is the phrase "when their ICT business continuity plans and ICT response and recovery plans are activated" is to be understood as a condition? When does "before" start? We understand this requirement as follows: Every financial entity must keep constant records. This is because an incident must be expected at all times. How long is the period for which records must be kept retrospectively from the event?
EIOPA answer
This question has been rejected because it seeks confirmation of a requirement already clearly set out in the regulation.
(This requirement flows directly from the explicit phrasing of the provision, i.e. records of activities must be kept before and during disruption events.)