§ DORA · Article 28

DORA Article 28: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 28 · All obligations · DORA
At a glance
Article 28 of the DORA imposes 18 obligations on financial entities, management body of financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 28

Obligation 1
Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
manage
Deadline
Penalty
Obligation 2
Financial entities with contractual arrangements for ICT services shall remain fully responsible for compliance with all obligations under this Regulation and applicable financial services law. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
remain responsible
Deadline
Penalty
Obligation 3
Financial entities shall implement management of ICT third-party risk in light of the principle of proportionality, taking into account the nature, scale, complexity, and importance of ICT-related dependencies and risks. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
implement
Deadline
Penalty
Obligation 4
Financial entities, other than those referred to in Article 16(1) and microenterprises, shall adopt and regularly review a strategy on ICT third-party risk as part of their ICT risk management framework. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Size threshold
not microenterprises and not entities in Article 16(1)
Action required
adopt
Deadline
Penalty
Exemptions
entities referred to in Article 16(1) and microenterprises
Obligation 5
The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Size threshold
not microenterprises and not entities in Article 16(1)
Action required
include
Deadline
Penalty
Exemptions
entities referred to in Article 16(1) and microenterprises
Obligation 6
The management body shall regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions based on an assessment of the overall risk profile. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
management body of financial entities
Size threshold
not microenterprises and not entities in Article 16(1)
Action required
review
Deadline
Penalty
Exemptions
entities referred to in Article 16(1) and microenterprises
Obligation 7
Financial entities shall maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers at entity, sub-consolidated, and consolidated levels. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
maintain
Deadline
Penalty
Obligation 8
Financial entities shall appropriately document contractual arrangements, distinguishing between those covering ICT services supporting critical or important functions and those that do not. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
document
Deadline
Penalty
Obligation 9
Financial entities shall report at least yearly to the competent authorities on the number of new arrangements, categories of providers, type of arrangements, and ICT services provided. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
report
Deadline
at least yearly
Penalty
Obligation 10
Financial entities shall make available to the competent authority, upon request, the full register of information or specified sections thereof along with necessary information for effective supervision. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
make available
Deadline
upon request
Penalty
Obligation 11
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
inform
Deadline
timely manner
Penalty
Obligation 12
Financial entities shall inform the competent authority in a timely manner when a function has become critical or important. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
inform
Deadline
timely manner
Penalty
Obligation 13
Before entering into a contractual arrangement, financial entities shall assess whether the arrangement covers the use of ICT services supporting a critical or important function. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
assess
Deadline
before entering into contractual arrangement
Penalty
Obligation 14
Before entering into a contractual arrangement, financial entities shall assess if supervisory conditions for contracting are met. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
assess
Deadline
before entering into contractual arrangement
Penalty
Obligation 15
Before entering into a contractual arrangement, financial entities shall identify and assess all relevant risks, including the possibility of reinforcing ICT concentration risk. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
assess
Deadline
before entering into contractual arrangement
Penalty
Obligation 16
Before entering into a contractual arrangement, financial entities shall undertake all due diligence on prospective ICT third-party service providers and ensure their suitability. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
undertake due diligence
Deadline
before entering into contractual arrangement
Penalty
Obligation 17
Before entering into a contractual arrangement, financial entities shall identify and assess conflicts of interest that the arrangement may cause. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
assess
Deadline
before entering into contractual arrangement
Penalty
Obligation 18
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. Regulation (EU) 2022/2554, Article 28, Article 28
Obligated entity
financial entities
Action required
ensure compliance
Deadline
Penalty
§ Frequently asked

Questions about Article 28

Who must comply with Article 28 of the DORA? +
financial entities, management body of financial entities.
What does Article 28 of the DORA require? +
manage remain responsible implement
What is the compliance deadline for DORA Article 28? +
at least yearly; before entering into contractual arrangement; timely manner; upon request
Need a cross-border briefing on DORA Article 28?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles