DORA Ch. V Sec. II Art. 42 8.

1. Overview

8. Upon receiving the reports referred to in Article 35(1), point (c), competent authorities, when taking a decision as referred to in paragraph 6 of this Article, shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:

  • (a) the gravity and the duration of the non-compliance;
  • (b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider’s procedures, management systems, risk management and internal controls;
  • (c) whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance;
  • (d) whether the non-compliance has been intentional or negligent;
  • (e) whether the suspension or termination of the contractual arrangements introduces a risk for continuity of the financial entity’s business operations notwithstanding the financial entity’s efforts to avoid disruption in the provision of its services;
  • (f) where applicable, the opinion of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider, requested on a voluntary basis in accordance with paragraph 5 of this Article.

Competent authorities shall grant financial entities the necessary period of time to enable them to adjust the contractual arrangements with critical ICT third-party service providers in order to avoid detrimental effects on their digital operational resilience and to allow them to deploy exit strategies and transition plans as referred to in Article 28.
