Obligations in scope
- Article 35 — Lead Overseer: The Lead Overseer shall request all relevant information and documentation from critical ICT third-party service providers in accordance with Article 37. Action required: request.
- Article 35 — Lead Overseer: The Lead Overseer shall conduct general investigations and inspections of critical ICT third-party service providers in accordance with Articles 38 and 39. Action required: conduct.
- Article 35 — Lead Overseer: The Lead Overseer shall request reports from critical ICT third-party service providers specifying actions taken or remedies implemented in relation to recommendations after oversight activities are completed. Action required: request.
- Article 35 — Lead Overseer: The Lead Overseer shall issue recommendations to critical ICT third-party service providers on areas referred to in Article 33(3), including ICT security requirements, contract terms, and subcontracting risks. Action required: issue.
- Article 35 — ICT third-party service provider: ICT third-party service providers shall transmit information regarding subcontracting to the Lead Overseer using the template referred to in Article 41(1), point (b), for the purpose of assessing risks under paragraph 1(d)(iv). Action required: transmit.
- Article 35 — Lead Overseer: The Lead Overseer shall ensure regular coordination within the JON and seek consistent approaches regarding the oversight of critical ICT third-party service providers. Action required: ensure.
- Article 35 — Lead Overseer: The Lead Overseer shall take due account of the framework established by Directive (EU) 2022/2555 and consult relevant competent authorities to avoid duplication of measures. Action required: consult.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 35 — request (Lead Overseer)
- Art 35 — conduct (Lead Overseer)
- Art 35 — issue (Lead Overseer)
- Art 35 — transmit (ICT third-party service provider)
- Art 35 — ensure (Lead Overseer)
- Art 35 — consult (Lead Overseer)
- Art 35 — minimise (Lead Overseer)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | ICT third-party service provider | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | — | — |
| Art 35 | Lead Overseer | 30 calendar days | — |
Penalty exposure
None of the 16 obligations on this page carries an explicit penalty figure in the DORA text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to DORA's general penalties article to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
DORA interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- DORA Art 11 ↔ GDPR Art 17 (medium) — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
- DORA Art 18 ↔ Data Act Art 18 (high) — [entity affected: Financial entities acting as data holders] DORA requires classification and reporting of ICT incidents based on specific criteria, while the Data Act requires anonymization or pseudonymization of data before sharing with public bodies, potentially conflicting if incident data contains personal data that must be preserved for forensic analysis under DORA.
- DORA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on interception or surveillance of communications without user consent.
- DORA Art 12 ↔ ePrivacy Directive Art 6 (high) — [entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased or anonymized once no longer needed for transmission, creating tension over retention periods.
- DORA Art 18 ↔ GDPR Art 33 (high) — [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.