§ DORA · Article 28
DORA Article 28: Obligations, Deadlines & Penalties
At a glance
Article 28 of the DORA imposes 18 obligations on financial entities, management body of financial entities. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 28
Obligation 1
Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
manage
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities with contractual arrangements for ICT services shall remain fully responsible for compliance with all obligations under this Regulation and applicable financial services law.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
remain responsible
- Deadline
-
—
- Penalty
-
—
Obligation 3
Financial entities shall implement management of ICT third-party risk in light of the principle of proportionality, taking into account the nature, scale, complexity, and importance of ICT-related dependencies and risks.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 4
Financial entities, other than those referred to in Article 16(1) and microenterprises, shall adopt and regularly review a strategy on ICT third-party risk as part of their ICT risk management framework.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Size threshold
- not microenterprises and not entities in Article 16(1)
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
- Exemptions
- entities referred to in Article 16(1) and microenterprises
Obligation 5
The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Size threshold
- not microenterprises and not entities in Article 16(1)
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
- Exemptions
- entities referred to in Article 16(1) and microenterprises
Obligation 6
The management body shall regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions based on an assessment of the overall risk profile.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
management body of financial entities
- Size threshold
- not microenterprises and not entities in Article 16(1)
- Action required
-
review
- Deadline
-
—
- Penalty
-
—
- Exemptions
- entities referred to in Article 16(1) and microenterprises
Obligation 7
Financial entities shall maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers at entity, sub-consolidated, and consolidated levels.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 8
Financial entities shall appropriately document contractual arrangements, distinguishing between those covering ICT services supporting critical or important functions and those that do not.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 9
Financial entities shall report at least yearly to the competent authorities on the number of new arrangements, categories of providers, type of arrangements, and ICT services provided.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
report
- Deadline
-
at least yearly
- Penalty
-
—
Obligation 10
Financial entities shall make available to the competent authority, upon request, the full register of information or specified sections thereof along with necessary information for effective supervision.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
make available
- Deadline
-
upon request
- Penalty
-
—
Obligation 11
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
inform
- Deadline
-
timely manner
- Penalty
-
—
Obligation 12
Financial entities shall inform the competent authority in a timely manner when a function has become critical or important.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
inform
- Deadline
-
timely manner
- Penalty
-
—
Obligation 13
Before entering into a contractual arrangement, financial entities shall assess whether the arrangement covers the use of ICT services supporting a critical or important function.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
assess
- Deadline
-
before entering into contractual arrangement
- Penalty
-
—
Obligation 14
Before entering into a contractual arrangement, financial entities shall assess if supervisory conditions for contracting are met.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
assess
- Deadline
-
before entering into contractual arrangement
- Penalty
-
—
Obligation 15
Before entering into a contractual arrangement, financial entities shall identify and assess all relevant risks, including the possibility of reinforcing ICT concentration risk.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
assess
- Deadline
-
before entering into contractual arrangement
- Penalty
-
—
Obligation 16
Before entering into a contractual arrangement, financial entities shall undertake all due diligence on prospective ICT third-party service providers and ensure their suitability.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
undertake due diligence
- Deadline
-
before entering into contractual arrangement
- Penalty
-
—
Obligation 17
Before entering into a contractual arrangement, financial entities shall identify and assess conflicts of interest that the arrangement may cause.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
assess
- Deadline
-
before entering into contractual arrangement
- Penalty
-
—
Obligation 18
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.
Regulation (EU) 2022/2554, Article 28, Article 28
- Obligated entity
-
financial entities
- Action required
-
ensure compliance
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 28
Who must comply with Article 28 of the DORA?
+
financial entities, management body of financial entities.
What does Article 28 of the DORA require?
+
manage remain responsible implement
What is the compliance deadline for DORA Article 28?
+
at least yearly; before entering into contractual arrangement; timely manner; upon request