Art. 47 Cooperation with structures and authorities established by Directive (EU) 2022/2555 | DORA regulation | DORA

This article is a bridging provision that connects DORA to the broader EU cybersecurity framework established under Directive (EU) 2022/2555 (NIS2).

It sets out how the ESAs and competent authorities under DORA may engage with the NIS2 Cooperation Group, share information with CSIRTs and single points of contact, and establish coordination arrangements with NIS2 competent authorities.

The article is particularly relevant where an entity falls under both frameworks simultaneously, specifically where an essential or important entity under NIS2 has also been designated as a critical ICT third-party service provider under Article 31 of this Regulation.

Important points:

ESAs and competent authorities may participate in the NIS2 Cooperation Group for matters relating to their supervisory activities under DORA.
Competent authorities may consult CSIRTs and single points of contact, and may request technical advice from NIS2 authorities where appropriate.
Competent authorities may establish cooperation arrangements covering joint supervisory coordination, investigations, on-site inspections, and information exchange for entities that are subject to both DORA and NIS2.

1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 14 of Directive (EU) 2022/2555, the ESAs and the competent authorities may participate in the activities of the Cooperation Group for matters that concern their supervisory activities in relation to financial entities. The ESAs and the competent authorities may request to be invited to participate in the activities of the Cooperation Group for matters in relation to essential or important entities subject to Directive (EU) 2022/2555 that have also been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation.
1. Where appropriate, competent authorities may consult and share information with the single points of contact and the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.
1. Where appropriate, competent authorities may request any relevant technical advice and assistance from the competent authorities designated or established in accordance with Directive (EU) 2022/2555 and establish cooperation arrangements to allow effective and fast-response coordination mechanisms to be set up.
1. The arrangements referred to in paragraph 3 of this Article may, inter alia, specify the procedures for the coordination of supervisory and oversight activities in relation to essential or important entities subject to Directive (EU) 2022/2555 that have been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation, including for the conduct, in accordance with national law, of investigations and on-site inspections, as well as for mechanisms for the exchange of information between the competent authorities under this Regulation and the competent authorities designated or established in accordance with that Directive which includes access to information requested by the latter authorities.