§ DORA · Article 31

DORA Article 31: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 31 · All obligations · DORA
At a glance
Article 31 of the DORA imposes 16 obligations on Competent authorities, Critical ICT third-party service provider (part of a group), Critical ICT third-party service provider (third country) and 9 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 31

Obligation 1
The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate ICT third-party service providers that are critical for financial entities based on specified criteria. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
Financial sector
Action required
designate
Deadline
Penalty
Obligation 2
The ESAs shall appoint as Lead Overseer for each critical ICT third-party service provider the ESA responsible for the financial entities having the largest share of total assets using the services of that provider. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
Financial sector
Action required
appoint
Deadline
Penalty
Obligation 3
Critical ICT third-party service providers which are part of a group shall designate one legal person as a coordination point to ensure adequate representation and communication with the Lead Overseer. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Critical ICT third-party service provider (part of a group)
Sector scope
ICT services
Action required
designate
Deadline
Penalty
Obligation 4
The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment leading to the designation. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Lead Overseer
Sector scope
Financial sector
Action required
notify
Deadline
Penalty
Obligation 5
Within 6 weeks from the date of notification of the assessment outcome, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement with any relevant information for the purposes of the assessment. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ICT third-party service provider
Sector scope
ICT services
Action required
submit
Deadline
6 weeks from the date of the notification
Penalty
Obligation 6
The Lead Overseer shall consider the reasoned statement submitted by the ICT third-party service provider and may request additional information to be submitted within 30 calendar days of the receipt of such statement. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Lead Overseer
Sector scope
Financial sector
Action required
consider
Deadline
Penalty
Obligation 7
After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee, shall notify the ICT third-party service provider of such designation and the starting date as from which they will effectively be subject to oversight activities. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
Financial sector
Action required
notify
Deadline
Penalty
Obligation 8
The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ICT third-party service provider
Sector scope
ICT services
Action required
notify
Deadline
Penalty
Obligation 9
The Commission is empowered to adopt a delegated act to supplement this Regulation by specifying further the criteria for designation by 17 July 2024. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
European Commission
Sector scope
Financial sector
Action required
adopt
Deadline
17 July 2024
Penalty
Obligation 10
The ESAs, through the Joint Committee, shall establish, publish and update yearly the list of critical ICT third-party service providers at Union level. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ESAs (European Supervisory Authorities)
Sector scope
Financial sector
Action required
establish
Deadline
yearly
Penalty
Obligation 11
Competent authorities shall, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3) to the Oversight Forum. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Competent authorities
Sector scope
Financial sector
Action required
transmit
Deadline
yearly
Penalty
Obligation 12
The Oversight Forum shall assess the ICT third-party dependencies of financial entities based on the information received from the competent authorities. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Oversight Forum
Sector scope
Financial sector
Action required
assess
Deadline
Penalty
Obligation 13
ICT third-party service providers not included in the list of critical providers may request to be designated as critical by submitting a reasoned application to EBA, ESMA or EIOPA. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ICT third-party service provider
Sector scope
ICT services
Action required
submit
Deadline
Penalty
Obligation 14
EBA, ESMA or EIOPA, through the Joint Committee, shall decide whether to designate an ICT third-party service provider as critical and notify the provider of the decision within 6 months of receipt of the application. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
ESAs (EBA, ESMA, EIOPA)
Sector scope
Financial sector
Action required
decide
Deadline
6 months of receipt of the application
Penalty
Obligation 15
Financial entities shall only make use of the services of an ICT third-party service provider established in a third country and designated as critical if the latter has established a subsidiary in the Union within 12 months following the designation. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Financial entities
Sector scope
Financial sector
Action required
restrict use
Deadline
Penalty
Obligation 16
The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union. Regulation (EU) 2022/2554, Article 31, Article 31
Obligated entity
Critical ICT third-party service provider (third country)
Sector scope
ICT services
Action required
notify
Deadline
Penalty
§ Frequently asked

Questions about Article 31

Who must comply with Article 31 of the DORA? +
Competent authorities, Critical ICT third-party service provider (part of a group), Critical ICT third-party service provider (third country), EIOPA), ESAs (EBA, ESAs (European Supervisory Authorities), ESMA, European Commission, Financial entities, ICT third-party service provider, Lead Overseer, Oversight Forum.
What does Article 31 of the DORA require? +
designate appoint notify
What is the compliance deadline for DORA Article 31? +
17 July 2024; 6 months of receipt of the application; 6 weeks from the date of the notification; yearly
Need a cross-border briefing on DORA Article 31?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles