§ DORA · Article 42
DORA Article 42: Obligations, Deadlines & Penalties
At a glance
Article 42 of the DORA imposes 11 obligations on Competent authorities, Lead Overseer, critical ICT third-party service provider and 1 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 42
Obligation 1
Critical ICT third-party service providers shall notify the Lead Overseer of their intention to follow recommendations or provide a reasoned explanation for not following them.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
notify
- Deadline
-
60 calendar days of the receipt of the recommendations
- Penalty
-
—
Obligation 2
The Lead Overseer shall immediately transmit information regarding the critical ICT third-party service provider's response to recommendations to the competent authorities of the financial entities concerned.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Lead Overseer
- Action required
-
transmit
- Deadline
-
immediately
- Penalty
-
—
Obligation 3
The Lead Overseer shall publicly disclose where a critical ICT third-party service provider fails to notify or provides an insufficient explanation, disclosing identity and nature of non-compliance.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Lead Overseer
- Action required
-
disclose
- Deadline
-
—
- Penalty
-
—
- Exemptions
- unless such publication would cause disproportionate damage or jeopardise financial markets/system stability
Obligation 4
The Lead Overseer shall notify the ICT third-party service provider of the public disclosure of its non-compliance.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Lead Overseer
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 5
Competent authorities shall inform relevant financial entities of the risks identified in recommendations addressed to critical ICT third-party service providers.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Competent authorities
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 6
Financial entities shall take into account the risks identified in recommendations when managing ICT third-party risk.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
financial entities
- Action required
-
take into account
- Deadline
-
—
- Penalty
-
—
Obligation 7
Competent authorities shall notify the financial entity of the possibility of a decision being taken if it fails to address specific risks identified in recommendations.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Competent authorities
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 8
Competent authorities shall grant financial entities the necessary period of time to adjust contractual arrangements and deploy exit strategies to avoid detrimental effects on digital operational resilience.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Competent authorities
- Action required
-
grant
- Deadline
-
—
- Penalty
-
—
Obligation 9
The decision referred to in paragraph 6 shall be notified to the members of the Oversight Forum and to the JON.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Competent authorities
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 10
Critical ICT third-party service providers affected by decisions shall fully cooperate with the financial entities impacted, particularly regarding suspension or termination of contractual arrangements.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
cooperate
- Deadline
-
—
- Penalty
-
—
Obligation 11
Competent authorities shall regularly inform the Lead Overseer on approaches and measures taken in supervisory tasks and on contractual arrangements where providers have not endorsed recommendations.
Regulation (EU) 2022/2554, Article 42, Article 42
- Obligated entity
-
Competent authorities
- Action required
-
inform
- Deadline
-
regularly
- Penalty
-
—
§ Frequently asked
Questions about Article 42
Who must comply with Article 42 of the DORA?
+
Competent authorities, Lead Overseer, critical ICT third-party service provider, financial entities.
What does Article 42 of the DORA require?
+
notify transmit disclose
What is the compliance deadline for DORA Article 42?
+
60 calendar days of the receipt of the recommendations; immediately; regularly