Source: OJ L 333, 27.12.2022, p. 1–79

Current language: EN

Article 46 Competent authorities

Summary What does Article 46 of the DORA regulation say?

This article is the supervisory map of DORA, identifying which competent authority is responsible for enforcing compliance for each type of financial entity covered by the regulation.

Rather than creating new supervisory bodies, it deliberately anchors oversight within the existing sectoral frameworks — each entity type is supervised by whichever authority already holds responsibility for it under its own governing legislation.

It is worth noting that this article operates without prejudice to the separate Oversight Framework for critical ICT third-party service providers established under Chapter V, Section II, which has its own distinct oversight structure.

Important points:

  • Each category of financial entity covered by DORA is assigned to a specific competent authority already designated under its respective sectoral legislation — no new supervisory bodies are created.
  • Competent authorities are responsible for ensuring compliance with DORA in accordance with the powers granted to them by their existing legal frameworks.
  • For significant credit institutions, supervisory responsibility falls to the ECB rather than the national competent authority.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Without prejudice to the provisions on the Oversight Framework for critical ICT third-party service providers referred to in Chapter V, Section II, of this Regulation, compliance with this Regulation shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts:

  1. for credit institutions and for institutions exempted pursuant to Directive 2013/36/EU, the competent authority designated in accordance with Article 4 of that Directive, and for credit institutions classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, the ECB in accordance with the powers and tasks conferred by that Regulation;

  2. for payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366, electronic money institutions, including those exempted pursuant to Directive 2009/110/EC, and account information service providers as referred to in Article 33(1) of Directive (EU) 2015/2366, the competent authority designated in accordance with Article 22 of Directive (EU) 2015/2366;

  3. for investment firms, the competent authority designated in accordance with Article 4 of Directive (EU) 2019/2034 of the European Parliament and of the Council(38);

  4. for crypto-asset service providers as authorised under the Regulation on markets in crypto-assets and issuers of asset-referenced tokens, the competent authority designated in accordance with the relevant provision of that Regulation;

  5. for central securities depositories, the competent authority designated in accordance with Article 11 of Regulation (EU) No 909/2014;

  6. for central counterparties, the competent authority designated in accordance with Article 22 of Regulation (EU) No 648/2012;

  7. for trading venues and data reporting service providers, the competent authority designated in accordance with Article 67 of Directive 2014/65/EU, and the competent authority as defined in Article 2(1), point (18), of Regulation (EU) No 600/2014;

  8. for trade repositories, the competent authority designated in accordance with Article 22 of Regulation (EU) No 648/2012;

  9. for managers of alternative investment funds, the competent authority designated in accordance with Article 44 of Directive 2011/61/EU;

  10. for management companies, the competent authority designated in accordance with Article 97 of Directive 2009/65/EC;

  11. for insurance and reinsurance undertakings, the competent authority designated in accordance with Article 30 of Directive 2009/138/EC;

  12. for insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, the competent authority designated in accordance with Article 12 of Directive (EU) 2016/97;

  13. for institutions for occupational retirement provision, the competent authority designated in accordance with Article 47 of Directive (EU) 2016/2341;

  14. for credit rating agencies, the competent authority designated in accordance with Article 21 of Regulation (EC) No 1060/2009;

  15. for administrators of critical benchmarks, the competent authority designated in accordance with Articles 40 and 41 of Regulation (EU) 2016/1011;

  16. for crowdfunding service providers, the competent authority designated in accordance with Article 29 of Regulation (EU) 2020/1503;

  17. for securitisation repositories, the competent authority designated in accordance with Articles 10 and 14(1) of Regulation (EU) 2017/2402.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod