DORA oversight, and the whole regulation on one page¶
This is the finale of the article-by-article series. Chapter V, section II, Articles 31 onward, is the part of DORA that reaches past individual firms and up to the providers everyone depends on: the critical ICT third-party providers, supervised directly at EU level. Then, as promised at the start, DORA on one page.
Oversight: DORA looks up the supply chain¶
Article 31 lets the ESAs, through the Joint Committee, designate certain ICT third-party providers as critical. Once designated, a critical ICT third-party provider gets a Lead Overseer (the EBA, ESMA or EIOPA depending on sector) with real powers: request information, conduct investigations and inspections, issue recommendations. This is the structural insight in DORA. If half the financial sector runs on a handful of cloud and infrastructure providers, supervising each bank individually is not enough. You have to supervise the shared dependency.
For most entities, the oversight regime is not a direct obligation, it is context. But it matters, because your critical providers being under EU oversight changes the conversation you have with them about audit rights and resilience. You are no longer the only party asking.
DORA on one page¶
The whole regulation, as a map. Level 1 article, what it demands, and the Level 2 standard that makes it concrete.
| DORA area | Articles | Level 2 |
|---|---|---|
| Governance, management body | 5 | Cross-referenced in RTS 2024/1774 |
| ICT risk management framework | 6 | RTS 2024/1774 |
| ICT systems and identification | 7, 8 | RTS 2024/1774 Arts. 4 to 5 |
| Protection and prevention | 9 | RTS 2024/1774 Arts. 6, 7, 10 to 14 |
| Detection | 10 | RTS 2024/1774 Arts. 22 to 23 |
| Business continuity and backup | 11, 12 | RTS 2024/1774 Arts. 24 to 26 |
| Learning and communication | 13, 14 | ESA and ECB guidance |
| RTS mandate | 15 | RTS 2024/1774 |
| Simplified regime | 16 | RTS 2024/1774 Title III |
| Incident management and reporting | 17 to 23 | RTS 2024/1772, RTS 2025/301, ITS 2025/302 |
| Testing and TLPT | 24 to 27 | RTS 2025/1190, TIBER-EU |
| Third-party risk and contracts | 28 to 30 | RTS 2024/1773 |
| Register of information | 28(3) | ITS 2024/2956 |
| Oversight of critical providers | 31 onward | ESAs Joint Committee, Lead Overseers |
The one idea to take away¶
If this series has a single thread, it is that DORA is a chain and identification is its first link. The asset and function map from Article 8 decides your incident classification, your continuity scope, your TLPT scope, and your register. Every hard obligation downstream inherits the quality of that map. Firms that treated Article 8 as paperwork are the ones now struggling with everything after it.
The full, verified set of official texts and supervisory tools sits in the DORA resource library. That is where this series lives on after the posts.
Next, the series turns outward: how the muscle you built for DORA governance maps onto the EU AI Act, and where the two regulations, and GDPR, actually connect.