Chapter V – Managing of ICT third-party risk (Art. 28-44)

Art. 28 DORA - General principles

Art. 29 DORA - Preliminary assessment of ICT concentration risk at entity level

Art. 30 DORA - Key contractual provisions

Art. 31 DORA - Designation of critical ICT third-party service providers

Art. 32 DORA - Structure of the Oversight Framework

Art. 33 DORA - Tasks of the Lead Overseer

Art. 34 DORA - Operational coordination between Lead Overseers

Art. 35 DORA - Powers of the Lead Overseer

Art. 36 DORA - Exercise of the powers of the Lead Overseer outside the Union

Art. 37 DORA - Request for information

Art. 38 DORA - General investigations

Art. 39 DORA - Inspections

Art. 40 DORA - Ongoing oversight

Art. 41 DORA - Harmonisation of conditions enabling the conduct of the oversight activities

  1. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify:
    (a) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical under Article 31(11);
    (b) the content, structure and format of the information to be submitted, disclosed or reported by the ICT third-party service providers pursuant to Article 35(1), including the template for providing information on subcontracting arrangements;
    (c) the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements;
    (d) the details of the competent authorities' assessment of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer pursuant to Article 42(3).
  2. The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 1 in accordance with the procedure laid down in Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Related recitals

Recital 99

Regulatory technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. In their roles as bodies endowed with highly specialised expertise, the ESAs should develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, major ICT-related incident reporting, testing, as well as in relation to key requirements for a sound monitoring of ICT third-party risk. The Commission and the ESAs should ensure that those standards and requirements can be applied by all financial entities in a manner that is proportionate to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. The Commission should be empowered to adopt those regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU and in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Recital 100

To facilitate the comparability of reports on major ICT-related incidents and major operational or security payment-related incidents, as well as to ensure transparency regarding contractual arrangements for the use of ICT services provided by ICT third-party service providers, the ESAs should develop draft implementing technical standards establishing standardised templates, forms and procedures for financial entities to report a major ICT-related incident and a major operational or security payment-related incident, as well as standardised templates for the register of information. When developing those standards, the ESAs should take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations. The Commission should be empowered to adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Recital 101

Since further requirements have already been specified through delegated and implementing acts based on technical regulatory and implementing technical standards in Regulations (EC) No 1060/2009 (1), (EU) No 648/2012 (2), (EU) No 600/2014 (3) and (EU) No 909/2014 (4) of the European Parliament and of the Council, it is appropriate to mandate the ESAs, either individually or jointly through the Joint Committee, to submit regulatory and implementing technical standards to the Commission for adoption of delegated and implementing acts carrying over and updating existing ICT risk management rules.


(1) Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302, 17.11.2009, p. 1).
(2) Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).
(3) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).
(4) Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1).

Art. 42 DORA - Follow-up by competent authorities

Art. 43 DORA - Oversight fees

Art. 44 DORA - International cooperation