EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Transparency Obligations
50 obligations
Chapter I — General Provisions
Article 2. Scope
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-2-03 | Transparency | Inform Commission of exclusions under Article 2(5) Directive 2013/36/EU | Member States that exclude entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU from the sc |
| EU-DORA-2-04 | Transparency | Publish exclusion information publicly | The Commission must make information about Member State exclusions under Article 2(4) publicly available on its website |
Chapter II — ICT Risk Management
Article 6. ICT risk management framework
1 obligation
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
3 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-19-05 | Transparency | Include significance and cross-border impact information in reports | Initial notifications and reports must include all information necessary for the competent authority to determine the si |
| EU-DORA-19-06 | Transparency | Inform clients about major ICT incidents without undue delay | When a major ICT-related incident impacts the financial interests of clients, financial entities must inform clients abo |
| EU-DORA-19-07 | Transparency | Inform clients about protection measures for cyber threats | In case of significant cyber threats, financial entities must inform potentially affected clients about appropriate prot |
Article 20. Harmonisation of reporting content and templates
1 obligation
Article 22. Supervisory feedback
1 obligation
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-28-10 | Transparency | Make register available to competent authority upon request | Financial entities must make available to the competent authority, upon its request, the full register of information or |
| EU-DORA-28-11 | Transparency | Inform competent authority of planned critical/important arrangements | Financial entities must inform the competent authority in a timely manner about any planned contractual arrangement on t |
Article 30. Key contractual provisions
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-30-03 | Transparency | Specify service locations and data processing locations | Contracts must specify the locations (regions or countries) where contracted or subcontracted functions and ICT services |
| EU-DORA-30-18 | Transparency | Provide inspection and audit scope details | For critical or important functions, contracts must include the obligation to provide details on the scope, procedures t |
Article 31. Designation of critical ICT third-party service providers
6 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-31-04 | Transparency | Notify ICT third-party service provider of assessment outcome | The Lead Overseer must notify the ICT third-party service provider of the outcome of the assessment leading to the desig |
| EU-DORA-31-05 | Transparency | Submit reasoned statement within 6 weeks | ICT third-party service providers may submit to the Lead Overseer a reasoned statement with any relevant information for |
| EU-DORA-31-07 | Transparency | Notify ICT third-party service provider of critical designation | After designating an ICT third-party service provider as critical, the ESAs through the Joint Committee must notify the |
| EU-DORA-31-08 | Transparency | Notify financial entities of critical designation | The ICT third-party service provider must notify the financial entities to which they provide services of their designat |
| EU-DORA-31-10 | Transparency | Establish, publish and update yearly list of critical ICT third-party service providers | The ESAs, through the Joint Committee, must establish, publish and update yearly the list of critical ICT third-party se |
| EU-DORA-31-16 | Transparency | Notify Lead Overseer of subsidiary management structure changes | Critical ICT third-party service providers from third countries must notify the Lead Overseer of any changes to the stru |
Article 32. Structure of the Oversight Framework
1 obligation
Article 33. Tasks of the Lead Overseer
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-33-16 | Transparency | Communicate oversight plan yearly to critical ICT third-party service providers | The oversight plan must be communicated yearly to the critical ICT third-party service provider. |
| EU-DORA-33-17 | Transparency | Communicate draft oversight plan prior to adoption | Prior to adoption of the oversight plan, the Lead Overseer must communicate the draft oversight plan to the critical ICT |
Article 35. Powers of the Lead Overseer
3 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-35-01 | Transparency | Provide all relevant information and documentation to Lead Overseer | Critical ICT third-party service providers must provide all relevant information and documentation when requested by the |
| EU-DORA-35-06 | Transparency | Provide impact information before recommendation issuance | ICT third-party service providers must provide, within 30 calendar days when given opportunity by the Lead Overseer, rel |
| EU-DORA-35-17 | Transparency | Lead Overseer must publicly disclose penalty payments | The Lead Overseer must disclose to the public every periodic penalty payment that has been imposed, unless such disclosu |
Article 37. Request for information
1 obligation
Article 38. General investigations
8 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-38-02 | Transparency | Provide records, data, procedures and materials for examination | Critical ICT third-party service providers must provide access to and allow examination of records, data, procedures and |
| EU-DORA-38-03 | Transparency | Allow copying and extraction of materials | Critical ICT third-party service providers must allow the Lead Overseer to take or obtain certified copies of, or extrac |
| EU-DORA-38-04 | Transparency | Respond to summons for explanations | Representatives of critical ICT third-party service providers must respond to summons for oral or written explanations o |
| EU-DORA-38-05 | Transparency | Provide telephone and data traffic records upon request | Critical ICT third-party service providers must provide records of telephone and data traffic when requested by the Lead |
| EU-DORA-38-06 | Transparency | Inform competent authorities before investigation start | The Lead Overseer must inform competent authorities of financial entities using the ICT services of the critical ICT thi |
| EU-DORA-38-07 | Transparency | Communicate investigation information to JON | The Lead Overseer must communicate to the Joint Oversight Network (JON) all information transmitted to competent authori |
| EU-DORA-38-09 | Transparency | Include penalty information in investigation authorization | The written authorization for investigations must indicate the periodic penalty payments provided for in Article 35(6) f |
| EU-DORA-38-10 | Transparency | Include legal remedies and review rights in investigation decision | The Lead Overseer's investigation decision must specify the subject matter, purpose, penalty payments under Article 35(6 |
Article 39. Inspections
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-39-04 | Transparency | Inform competent authorities before inspections | The Lead Overseer must inform the competent authorities of financial entities using the ICT third-party service provider |
| EU-DORA-39-08 | Transparency | Inform providers of consequences when opposing inspections | When officials find that a critical ICT third-party service provider opposes an inspection, the Lead Overseer must infor |
Article 42. Follow-up by competent authorities
7 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-42-01 | Transparency | Notify Lead Overseer of recommendation compliance intention within 60 days | Critical ICT third-party service providers must notify the Lead Overseer of their intention to follow recommendations or |
| EU-DORA-42-02 | Transparency | Transmit critical ICT provider responses to competent authorities | The Lead Overseer shall immediately transmit information received from critical ICT third-party service providers regard |
| EU-DORA-42-03 | Transparency | Publicly disclose non-compliance by critical ICT providers | The Lead Overseer shall publicly disclose cases where a critical ICT third-party service provider fails to notify compli |
| EU-DORA-42-04 | Transparency | Notify ICT provider of public disclosure | The Lead Overseer shall notify the ICT third-party service provider when making a public disclosure about their non-comp |
| EU-DORA-42-05 | Transparency | Inform financial entities of identified risks in recommendations | Competent authorities shall inform the relevant financial entities of the risks identified in the recommendations addres |
| EU-DORA-42-07 | Transparency | Notify financial entity of potential suspension decision | Where a competent authority deems that a financial entity fails to adequately address risks identified in recommendation |
| EU-DORA-42-12 | Transparency | Notify Oversight Forum and JON of suspension decisions | Suspension decisions under paragraph 6 shall be notified to the members of the Oversight Forum referred to in Article 32 |
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Article 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555
2 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-47-03 | Transparency | Consult and share information with single points of contact and CSIRTs | Competent authorities may consult and share information with the single points of contact and the CSIRTs designated or e |
| EU-DORA-47-07 | Transparency | Establish information exchange mechanisms between authorities | Cooperation arrangements may establish mechanisms for the exchange of information between competent authorities under th |
Article 48. Cooperation between authorities
1 obligation
Article 54. Publication of administrative penalties
4 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-54-01 | Transparency | Publish administrative penalties on official website | Competent authorities must publish on their official websites, without undue delay, any decision imposing an administrat |
| EU-DORA-54-02 | Transparency | Include required information in penalty publication | When publishing administrative penalties, competent authorities must include information on the type and nature of the b |
| EU-DORA-54-06 | Transparency | Add appeal information to published penalties | When publishing penalties that are under appeal, competent authorities must immediately add this information to their of |
| EU-DORA-54-07 | Transparency | Publish judicial decisions annulling penalties | Competent authorities must publish any judicial decision that annuls a decision imposing an administrative penalty. |
Chapter VIII — Delegated Acts
Chapter IX — Transitional and Final Provisions
Article 61. Amendments to Regulation (EU) No 909/2014
1 obligation