Article 31: Designation of critical ICT third-party service providers
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 31 establishes the criteria and process for designating critical ICT third-party service providers, based on systemic impact, importance of the financial entities relying on them, and substitutability, bringing them under the EU oversight framework.
Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk
Key points
- Defines criteria for critical-provider designation
- Designation by the European Supervisory Authorities
- Triggers the direct EU oversight framework
How this fits DORA
Article 31 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 31 in the consolidated regulation on EUR-Lex.