§ DORA · Article 33

DORA Article 33: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 33 · All obligations · DORA
At a glance
Article 33 of the DORA imposes 7 obligations on Lead Overseer, competent authorities, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 33

Obligation 1
The Lead Overseer shall conduct the oversight of the assigned critical ICT third-party service providers and serve as the primary point of contact for all matters related to the oversight. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
Lead Overseer
Action required
conduct oversight
Deadline
Penalty
Obligation 2
The Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
Lead Overseer
Action required
assess
Deadline
Penalty
Obligation 3
The Lead Overseer shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider, in coordination with the Joint Oversight Network. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
Lead Overseer
Action required
adopt
Deadline
Penalty
Obligation 4
The Lead Overseer shall communicate the adopted oversight plan yearly to the critical ICT third-party service provider. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
Lead Overseer
Action required
communicate
Deadline
yearly
Penalty
Obligation 5
Prior to the adoption of the oversight plan, the Lead Overseer shall communicate the draft oversight plan to the critical ICT third-party service provider. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
Lead Overseer
Action required
communicate
Deadline
prior to adoption
Penalty
Obligation 6
Upon receipt of the draft oversight plan, the critical ICT third-party service provider may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers outside the scope of the Regulation and formulating solutions to mitigate risks. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
critical ICT third-party service provider
Action required
submit
Deadline
15 calendar days
Penalty
Obligation 7
Competent authorities may take measures concerning critical ICT third-party service providers only in agreement with the Lead Overseer once the annual oversight plans have been adopted and notified. Regulation (EU) 2022/2554, Article 33, Article 33
Obligated entity
competent authorities
Action required
take measures
Deadline
Penalty
§ Frequently asked

Questions about Article 33

Who must comply with Article 33 of the DORA? +
Lead Overseer, competent authorities, critical ICT third-party service provider.
What does Article 33 of the DORA require? +
conduct oversight assess adopt
What is the compliance deadline for DORA Article 33? +
15 calendar days; prior to adoption; yearly
Need a cross-border briefing on DORA Article 33?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles