§ DORA · Article 31
DORA Article 31: Obligations, Deadlines & Penalties
At a glance
Article 31 of the DORA imposes 16 obligations on Competent authorities, Critical ICT third-party service provider (part of a group), Critical ICT third-party service provider (third country) and 9 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 31
Obligation 1
The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate ICT third-party service providers that are critical for financial entities based on specified criteria.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 2
The ESAs shall appoint as Lead Overseer for each critical ICT third-party service provider the ESA responsible for the financial entities having the largest share of total assets using the services of that provider.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
appoint
- Deadline
-
—
- Penalty
-
—
Obligation 3
Critical ICT third-party service providers which are part of a group shall designate one legal person as a coordination point to ensure adequate representation and communication with the Lead Overseer.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Critical ICT third-party service provider (part of a group)
- Sector scope
- ICT services
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 4
The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment leading to the designation.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Lead Overseer
- Sector scope
- Financial sector
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 5
Within 6 weeks from the date of notification of the assessment outcome, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement with any relevant information for the purposes of the assessment.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ICT third-party service provider
- Sector scope
- ICT services
- Action required
-
submit
- Deadline
-
6 weeks from the date of the notification
- Penalty
-
—
Obligation 6
The Lead Overseer shall consider the reasoned statement submitted by the ICT third-party service provider and may request additional information to be submitted within 30 calendar days of the receipt of such statement.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Lead Overseer
- Sector scope
- Financial sector
- Action required
-
consider
- Deadline
-
—
- Penalty
-
—
Obligation 7
After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee, shall notify the ICT third-party service provider of such designation and the starting date as from which they will effectively be subject to oversight activities.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 8
The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ICT third-party service provider
- Sector scope
- ICT services
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 9
The Commission is empowered to adopt a delegated act to supplement this Regulation by specifying further the criteria for designation by 17 July 2024.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
European Commission
- Sector scope
- Financial sector
- Action required
-
adopt
- Deadline
-
17 July 2024
- Penalty
-
—
Obligation 10
The ESAs, through the Joint Committee, shall establish, publish and update yearly the list of critical ICT third-party service providers at Union level.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ESAs (European Supervisory Authorities)
- Sector scope
- Financial sector
- Action required
-
establish
- Deadline
-
yearly
- Penalty
-
—
Obligation 11
Competent authorities shall, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3) to the Oversight Forum.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Competent authorities
- Sector scope
- Financial sector
- Action required
-
transmit
- Deadline
-
yearly
- Penalty
-
—
Obligation 12
The Oversight Forum shall assess the ICT third-party dependencies of financial entities based on the information received from the competent authorities.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Oversight Forum
- Sector scope
- Financial sector
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 13
ICT third-party service providers not included in the list of critical providers may request to be designated as critical by submitting a reasoned application to EBA, ESMA or EIOPA.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ICT third-party service provider
- Sector scope
- ICT services
- Action required
-
submit
- Deadline
-
—
- Penalty
-
—
Obligation 14
EBA, ESMA or EIOPA, through the Joint Committee, shall decide whether to designate an ICT third-party service provider as critical and notify the provider of the decision within 6 months of receipt of the application.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
ESAs (EBA, ESMA, EIOPA)
- Sector scope
- Financial sector
- Action required
-
decide
- Deadline
-
6 months of receipt of the application
- Penalty
-
—
Obligation 15
Financial entities shall only make use of the services of an ICT third-party service provider established in a third country and designated as critical if the latter has established a subsidiary in the Union within 12 months following the designation.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Financial entities
- Sector scope
- Financial sector
- Action required
-
restrict use
- Deadline
-
—
- Penalty
-
—
Obligation 16
The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union.
Regulation (EU) 2022/2554, Article 31, Article 31
- Obligated entity
-
Critical ICT third-party service provider (third country)
- Sector scope
- ICT services
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 31
Who must comply with Article 31 of the DORA?
+
Competent authorities, Critical ICT third-party service provider (part of a group), Critical ICT third-party service provider (third country), EIOPA), ESAs (EBA, ESAs (European Supervisory Authorities), ESMA, European Commission, Financial entities, ICT third-party service provider, Lead Overseer, Oversight Forum.
What does Article 31 of the DORA require?
+
designate appoint notify
What is the compliance deadline for DORA Article 31?
+
17 July 2024; 6 months of receipt of the application; 6 weeks from the date of the notification; yearly