§ DORA · Article 29

DORA Article 29: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 29 · All obligations · DORA
At a glance
Article 29 of the DORA imposes 6 obligations on financial entities.
§ Obligations

All obligations under Article 29

Obligation 1
Financial entities shall take into account whether the envisaged conclusion of a contractual arrangement for ICT services supporting critical or important functions would lead to contracting a non-substitutable provider or having multiple arrangements with the same or closely connected providers. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
Obligation 2
Financial entities shall weigh the benefits and costs of alternative solutions, such as using different ICT third-party service providers, taking into account if and how envisaged solutions match business needs and objectives in their digital resilience strategy. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
Obligation 3
Where contractual arrangements include the possibility of subcontracting ICT services supporting critical or important functions, financial entities shall weigh benefits and risks arising from such subcontracting, particularly if the subcontractor is established in a third country. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
Obligation 4
Financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy and any constraints regarding the urgent recovery of the financial entity’s data. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
Obligation 5
Where contractual arrangements are concluded with an ICT third-party service provider established in a third country, financial entities shall consider compliance with Union data protection rules and the effective enforcement of the law in that third country. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
Obligation 6
Where contractual arrangements provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor contracted functions and the competent authority's ability to supervise. Regulation (EU) 2022/2554, Article 29, Article 29
Obligated entity
financial entities
Sector scope
financial sector
Action required
assess
Deadline
Penalty
§ Frequently asked

Questions about Article 29

Who must comply with Article 29 of the DORA? +
financial entities.
What does Article 29 of the DORA require? +
assess
Need a cross-border briefing on DORA Article 29?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles