§ DORA · Article 35

DORA Article 35: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 35 · All obligations · DORA
At a glance
Article 35 of the DORA imposes 16 obligations on ICT third-party service provider, Lead Overseer, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline. Non-compliance may result in administrative fines or other penalties.
§ Obligations

All obligations under Article 35

Obligation 1
The Lead Overseer shall request all relevant information and documentation from critical ICT third-party service providers in accordance with Article 37. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
request
Deadline
Penalty
Obligation 2
The Lead Overseer shall conduct general investigations and inspections of critical ICT third-party service providers in accordance with Articles 38 and 39. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
conduct
Deadline
Penalty
Obligation 3
The Lead Overseer shall request reports from critical ICT third-party service providers specifying actions taken or remedies implemented in relation to recommendations after oversight activities are completed. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
request
Deadline
Penalty
Obligation 4
The Lead Overseer shall issue recommendations to critical ICT third-party service providers on areas referred to in Article 33(3), including ICT security requirements, contract terms, and subcontracting risks. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
issue
Deadline
Penalty
Obligation 5
ICT third-party service providers shall transmit information regarding subcontracting to the Lead Overseer using the template referred to in Article 41(1), point (b), for the purpose of assessing risks under paragraph 1(d)(iv). Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
ICT third-party service provider
Sector scope
critical ICT third-party service providers
Action required
transmit
Deadline
Penalty
Obligation 6
The Lead Overseer shall ensure regular coordination within the JON and seek consistent approaches regarding the oversight of critical ICT third-party service providers. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
ensure
Deadline
Penalty
Obligation 7
The Lead Overseer shall take due account of the framework established by Directive (EU) 2022/2555 and consult relevant competent authorities to avoid duplication of measures. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
consult
Deadline
Penalty
Obligation 8
The Lead Overseer shall seek to minimise the risk of disruption to services provided by critical ICT third-party service providers to customers outside the scope of the Regulation. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
minimise
Deadline
Penalty
Obligation 9
The Lead Overseer shall consult the Oversight Forum before exercising the powers referred to in paragraph 1. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
consult
Deadline
Penalty
Obligation 10
The Lead Overseer shall give the ICT third-party service provider the opportunity to provide relevant information evidencing expected impact on non-scope customers and formulate risk mitigation solutions within 30 calendar days before issuing recommendations. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
give opportunity
Deadline
30 calendar days
Penalty
Obligation 11
The Lead Overseer shall inform the JON of the outcome of the exercise of the powers referred to in paragraph 1, points (a) and (b). Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
inform
Deadline
Penalty
Obligation 12
The Lead Overseer shall transmit reports referred to in paragraph 1, point (c), to the JON and to the competent authorities of the financial entities using the ICT services without undue delay. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
transmit
Deadline
without undue delay
Penalty
Obligation 13
Critical ICT third-party service providers shall cooperate in good faith with the Lead Overseer and assist it in the fulfilment of its tasks. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
critical ICT third-party service provider
Sector scope
critical ICT third-party service providers
Action required
cooperate
Deadline
Penalty
Obligation 14
The Lead Overseer shall adopt a decision imposing a periodic penalty payment on a critical ICT third-party service provider in the event of whole or partial non-compliance with measures required under paragraph 1, points (a), (b) and (c), after at least 30 calendar days from notification. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
impose
Deadline
after at least 30 calendar days from notification
Penalty
periodic penalty payment
Obligation 15
The periodic penalty payment shall be imposed on a daily basis until compliance is achieved and for no more than six months following the notification of the decision. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
impose
Deadline
until compliance is achieved, max 6 months
Penalty
periodic penalty payment
Obligation 16
The amount of the periodic penalty payment shall be up to 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year, taking into account gravity, duration, intent, and cooperation. Regulation (EU) 2022/2554, Article 35, Article 35
Obligated entity
Lead Overseer
Sector scope
critical ICT third-party service providers
Action required
calculate
Deadline
Penalty
up to 1% of average daily worldwide turnover
§ Frequently asked

Questions about Article 35

Who must comply with Article 35 of the DORA? +
ICT third-party service provider, Lead Overseer, critical ICT third-party service provider.
What does Article 35 of the DORA require? +
request conduct issue
What is the compliance deadline for DORA Article 35? +
30 calendar days; after at least 30 calendar days from notification; until compliance is achieved, max 6 months; without undue delay
What are the penalties for non-compliance with DORA Article 35? +
periodic penalty payment; up to 1% of average daily worldwide turnover
Need a cross-border briefing on DORA Article 35?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles