§ DORA · Article 29
DORA Article 29: Obligations, Deadlines & Penalties
At a glance
Article 29 of the DORA imposes 6 obligations on financial entities.
§ Obligations
All obligations under Article 29
Obligation 1
Financial entities shall take into account whether the envisaged conclusion of a contractual arrangement for ICT services supporting critical or important functions would lead to contracting a non-substitutable provider or having multiple arrangements with the same or closely connected providers.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 2
Financial entities shall weigh the benefits and costs of alternative solutions, such as using different ICT third-party service providers, taking into account if and how envisaged solutions match business needs and objectives in their digital resilience strategy.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 3
Where contractual arrangements include the possibility of subcontracting ICT services supporting critical or important functions, financial entities shall weigh benefits and risks arising from such subcontracting, particularly if the subcontractor is established in a third country.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 4
Financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy and any constraints regarding the urgent recovery of the financial entity’s data.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 5
Where contractual arrangements are concluded with an ICT third-party service provider established in a third country, financial entities shall consider compliance with Union data protection rules and the effective enforcement of the law in that third country.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 6
Where contractual arrangements provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor contracted functions and the competent authority's ability to supervise.
Regulation (EU) 2022/2554, Article 29, Article 29
- Obligated entity
-
financial entities
- Sector scope
- financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 29
Who must comply with Article 29 of the DORA?
+
financial entities.
What does Article 29 of the DORA require?
+
assess