Skip to content

DORA oversight, and the whole regulation on one page

This is the finale of the article-by-article series. Chapter V, section II, Articles 31 onward, is the part of DORA that reaches past individual firms and up to the providers everyone depends on: the critical ICT third-party providers, supervised directly at EU level. Then, as promised at the start, DORA on one page.

Oversight: DORA looks up the supply chain

Article 31 lets the ESAs, through the Joint Committee, designate certain ICT third-party providers as critical. Once designated, a critical ICT third-party provider gets a Lead Overseer (the EBA, ESMA or EIOPA depending on sector) with real powers: request information, conduct investigations and inspections, issue recommendations. This is the structural insight in DORA. If half the financial sector runs on a handful of cloud and infrastructure providers, supervising each bank individually is not enough. You have to supervise the shared dependency.

For most entities, the oversight regime is not a direct obligation, it is context. But it matters, because your critical providers being under EU oversight changes the conversation you have with them about audit rights and resilience. You are no longer the only party asking.

DORA on one page

The whole regulation, as a map. Level 1 article, what it demands, and the Level 2 standard that makes it concrete.

DORA area Articles Level 2
Governance, management body 5 Cross-referenced in RTS 2024/1774
ICT risk management framework 6 RTS 2024/1774
ICT systems and identification 7, 8 RTS 2024/1774 Arts. 4 to 5
Protection and prevention 9 RTS 2024/1774 Arts. 6, 7, 10 to 14
Detection 10 RTS 2024/1774 Arts. 22 to 23
Business continuity and backup 11, 12 RTS 2024/1774 Arts. 24 to 26
Learning and communication 13, 14 ESA and ECB guidance
RTS mandate 15 RTS 2024/1774
Simplified regime 16 RTS 2024/1774 Title III
Incident management and reporting 17 to 23 RTS 2024/1772, RTS 2025/301, ITS 2025/302
Testing and TLPT 24 to 27 RTS 2025/1190, TIBER-EU
Third-party risk and contracts 28 to 30 RTS 2024/1773
Register of information 28(3) ITS 2024/2956
Oversight of critical providers 31 onward ESAs Joint Committee, Lead Overseers

The one idea to take away

If this series has a single thread, it is that DORA is a chain and identification is its first link. The asset and function map from Article 8 decides your incident classification, your continuity scope, your TLPT scope, and your register. Every hard obligation downstream inherits the quality of that map. Firms that treated Article 8 as paperwork are the ones now struggling with everything after it.

The full, verified set of official texts and supervisory tools sits in the DORA resource library. That is where this series lives on after the posts.

Next, the series turns outward: how the muscle you built for DORA governance maps onto the EU AI Act, and where the two regulations, and GDPR, actually connect.