Skip to main content
DORA Auditor

Article 31: Designation of critical ICT third-party service providers

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 31 establishes the criteria and process for designating critical ICT third-party service providers, based on systemic impact, importance of the financial entities relying on them, and substitutability, bringing them under the EU oversight framework.

Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk

Key points

  • Defines criteria for critical-provider designation
  • Designation by the European Supervisory Authorities
  • Triggers the direct EU oversight framework

How this fits DORA

Article 31 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 31 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex