§ DORA · Article 33
DORA Article 33: Obligations, Deadlines & Penalties
At a glance
Article 33 of the DORA imposes 7 obligations on Lead Overseer, competent authorities, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 33
Obligation 1
The Lead Overseer shall conduct the oversight of the assigned critical ICT third-party service providers and serve as the primary point of contact for all matters related to the oversight.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
Lead Overseer
- Action required
-
conduct oversight
- Deadline
-
—
- Penalty
-
—
Obligation 2
The Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
Lead Overseer
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 3
The Lead Overseer shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider, in coordination with the Joint Oversight Network.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
Lead Overseer
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
Obligation 4
The Lead Overseer shall communicate the adopted oversight plan yearly to the critical ICT third-party service provider.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
Lead Overseer
- Action required
-
communicate
- Deadline
-
yearly
- Penalty
-
—
Obligation 5
Prior to the adoption of the oversight plan, the Lead Overseer shall communicate the draft oversight plan to the critical ICT third-party service provider.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
Lead Overseer
- Action required
-
communicate
- Deadline
-
prior to adoption
- Penalty
-
—
Obligation 6
Upon receipt of the draft oversight plan, the critical ICT third-party service provider may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers outside the scope of the Regulation and formulating solutions to mitigate risks.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
submit
- Deadline
-
15 calendar days
- Penalty
-
—
Obligation 7
Competent authorities may take measures concerning critical ICT third-party service providers only in agreement with the Lead Overseer once the annual oversight plans have been adopted and notified.
Regulation (EU) 2022/2554, Article 33, Article 33
- Obligated entity
-
competent authorities
- Action required
-
take measures
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 33
Who must comply with Article 33 of the DORA?
+
Lead Overseer, competent authorities, critical ICT third-party service provider.
What does Article 33 of the DORA require?
+
conduct oversight assess adopt
What is the compliance deadline for DORA Article 33?
+
15 calendar days; prior to adoption; yearly