How many DORA obligations apply to ICT services?

5 obligations in the Fontvera corpus map to ICT services under DORA. The breakdown above lists the most concrete 5 of them.

Does DORA conflict with any other EU regulation for ICT services?

Yes — at least 6 explicit conflicts in the corpus, including DORA Art 11 vs GDPR Art 17.

§ DORA BRIEFING

DORA Obligations for ICT services

5 obligations from DORA mapped to ICT services. Articles, deadlines, and penalties — extracted verbatim from the Regulation.

Summary

DORA sets 5 obligations that apply to ICT services. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphrased.

Use the obligation table and breakdown to scope a compliance programme. The cross-regulatory conflicts section surfaces places where this regulation pulls against neighbouring EU frameworks for the same sector.

Who this applies to

Companies operating in ICT services that fall within DORA's scope.

Compliance deadline

Mixed timelines — see obligations below.

§ Detail

In depth

Obligations in scope

Article 31 — Critical ICT third-party service provider (part of a group)

Critical ICT third-party service providers which are part of a group shall designate one legal person as a coordination point to ensure adequate representation and communication with the Lead Overseer. Action required: designate.

Article 31 — ICT third-party service provider

Within 6 weeks from the date of notification of the assessment outcome, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement with any relevant information for the purposes of the assessment. Action required: submit. Deadline: 6 weeks from the date of the notification.

Article 31 — ICT third-party service provider

The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical. Action required: notify.

Article 31 — ICT third-party service provider

ICT third-party service providers not included in the list of critical providers may request to be designated as critical by submitting a reasoned application to EBA, ESMA or EIOPA. Action required: submit.

Article 31 — Critical ICT third-party service provider (third country)

The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union. Action required: notify.

Practical steps

What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.

Art 31 — designate (Critical ICT third-party service provider (part of a group))
Art 31 — submit (ICT third-party service provider)
Art 31 — notify (ICT third-party service provider)

Obligation reference table

Article	Obligated entity	Deadline	Penalty
Art 31	Critical ICT third-party service provider (part of a group)	—	—
Art 31	ICT third-party service provider	6 weeks from the date of the notification	—
Art 31	ICT third-party service provider	—	—
Art 31	ICT third-party service provider	—	—
Art 31	Critical ICT third-party service provider (third country)	—	—

Penalty exposure

None of the 5 obligations on this page carry an explicit penalty figure in the DORA text itself — the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DORA's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.

Cross-regulatory conflicts

DORA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:

DORA Art 11 ↔ GDPR Art 17 (medium) — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
DORA Art 18 ↔ Data Act Art 18 (high) — [entity affected: Financial entities acting as data holders] DORA requires classification and reporting of ICT incidents based on specific criteria, while the Data Act requires anonymization or pseudonymization of data before sharing with public bodies, potentially conflicting if incident data contains personal data that must be preserved for forensic analysis under DORA.
DORA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on interception or surveillance of communications without user consent.
DORA Art 12 ↔ ePrivacy Directive Art 6 (high) — [entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased or anonymized once no longer needed for transmission, creating tension over retention periods.
DORA Art 18 ↔ GDPR Art 33 (high) — [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities.
DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.