§ DORA · Article 42

DORA Article 42: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 42 · All obligations · DORA
At a glance
Article 42 of the DORA imposes 11 obligations on Competent authorities, Lead Overseer, critical ICT third-party service provider and 1 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 42

Obligation 1
Critical ICT third-party service providers shall notify the Lead Overseer of their intention to follow recommendations or provide a reasoned explanation for not following them. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
critical ICT third-party service provider
Action required
notify
Deadline
60 calendar days of the receipt of the recommendations
Penalty
Obligation 2
The Lead Overseer shall immediately transmit information regarding the critical ICT third-party service provider's response to recommendations to the competent authorities of the financial entities concerned. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Lead Overseer
Action required
transmit
Deadline
immediately
Penalty
Obligation 3
The Lead Overseer shall publicly disclose where a critical ICT third-party service provider fails to notify or provides an insufficient explanation, disclosing identity and nature of non-compliance. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Lead Overseer
Action required
disclose
Deadline
Penalty
Exemptions
unless such publication would cause disproportionate damage or jeopardise financial markets/system stability
Obligation 4
The Lead Overseer shall notify the ICT third-party service provider of the public disclosure of its non-compliance. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Lead Overseer
Action required
notify
Deadline
Penalty
Obligation 5
Competent authorities shall inform relevant financial entities of the risks identified in recommendations addressed to critical ICT third-party service providers. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Competent authorities
Action required
inform
Deadline
Penalty
Obligation 6
Financial entities shall take into account the risks identified in recommendations when managing ICT third-party risk. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
financial entities
Action required
take into account
Deadline
Penalty
Obligation 7
Competent authorities shall notify the financial entity of the possibility of a decision being taken if it fails to address specific risks identified in recommendations. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Competent authorities
Action required
notify
Deadline
Penalty
Obligation 8
Competent authorities shall grant financial entities the necessary period of time to adjust contractual arrangements and deploy exit strategies to avoid detrimental effects on digital operational resilience. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Competent authorities
Action required
grant
Deadline
Penalty
Obligation 9
The decision referred to in paragraph 6 shall be notified to the members of the Oversight Forum and to the JON. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Competent authorities
Action required
notify
Deadline
Penalty
Obligation 10
Critical ICT third-party service providers affected by decisions shall fully cooperate with the financial entities impacted, particularly regarding suspension or termination of contractual arrangements. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
critical ICT third-party service provider
Action required
cooperate
Deadline
Penalty
Obligation 11
Competent authorities shall regularly inform the Lead Overseer on approaches and measures taken in supervisory tasks and on contractual arrangements where providers have not endorsed recommendations. Regulation (EU) 2022/2554, Article 42, Article 42
Obligated entity
Competent authorities
Action required
inform
Deadline
regularly
Penalty
§ Frequently asked

Questions about Article 42

Who must comply with Article 42 of the DORA? +
Competent authorities, Lead Overseer, critical ICT third-party service provider, financial entities.
What does Article 42 of the DORA require? +
notify transmit disclose
What is the compliance deadline for DORA Article 42? +
60 calendar days of the receipt of the recommendations; immediately; regularly
Need a cross-border briefing on DORA Article 42?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles