Source: OJ L 333, 27.12.2022, p. 1–79
Article 58 Review clause
Summary: What does Article 58 of the DORA regulation say?
This is a review and evaluation article, placing obligations squarely on the Commission to assess how well key elements of the regulation are working in practice.
It sets out multiple review mandates across different timelines, covering areas such as the designation criteria for critical ICT third-party service providers, the voluntary nature of significant cyber threat notifications, the oversight of third-country providers, and whether certain entities — such as those using automated sales systems or payment system operators — should be brought within the regulation's scope.
It also tasks the Commission with reviewing whether statutory auditors and audit firms should face strengthened digital operational resilience requirements.
The article connects directly to several substantive articles of the regulation, notably Articles 19, 31, and 35, by placing those provisions under future scrutiny.
Important points:
- The Commission is required to carry out a review and submit a report to the European Parliament and the Council by 17 January 2028, covering the designation criteria for critical ICT third-party service providers, the voluntary nature of significant cyber threat notification, the effectiveness of third-country oversight, and the functioning of the Joint Oversight Network (JON).
- The Commission is required to submit a separate report by 17 January 2026 on whether statutory auditors and audit firms should be subject to strengthened digital operational resilience requirements, either through inclusion in this regulation or amendments to Directive 2006/43/EC.
- The Commission is required to assess the cyber resilience of payment systems and the appropriateness of extending this regulation's scope to payment system operators, with a report due no later than 17 July 2023 as part of the review of Directive (EU) 2015/2366.
The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.
1. By 17 January 2028, the Commission shall, after consulting the ESAs and the ESRB, as appropriate, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal. The review shall include at least the following:
(a) the criteria for the designation of critical ICT third-party service providers in accordance with Article 31(2);
(b) the voluntary nature of the notification of significant cyber threats referred to in Article 19;
(c) the regime referred to in Article 31(12) and the powers of the Lead Overseer provided for in Article 35(1), point (d), point (iv), first indent, with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers established in a third country, and the necessity to establish a subsidiary in the Union.
For the purposes of the first subparagraph of this point, the review shall include an analysis of the regime referred to in Article 31(12), including in terms of access for Union financial entities to services from third countries and availability of such services on the Union market, and it shall take into account further developments in the markets for the services covered by this Regulation, the practical experience of financial entities and financial supervisors with regard to the application and, respectively, supervision of that regime, and any relevant regulatory and supervisory developments taking place at international level;
(d) the appropriateness of including in the scope of this Regulation financial entities referred to in Article 2(3), point (e), making use of automated sales systems, in light of future market developments on the use of such systems;
(e) the functioning and effectiveness of the JON in supporting the consistency of the oversight and the efficiency of the exchange of information within the Oversight Framework.
2. In the context of the review of Directive (EU) 2015/2366, the Commission shall assess the need for increased cyber resilience of payment systems and payment-processing activities and the appropriateness of extending the scope of this Regulation to operators of payment systems and entities involved in payment-processing activities. In light of this assessment, the Commission shall submit, as part of the review of Directive (EU) 2015/2366, a report to the European Parliament and the Council no later than 17 July 2023.
Based on that review report, and after consulting the ESAs, the ECB and the ESRB, the Commission may submit, where appropriate and as part of the legislative proposal that it may adopt pursuant to Article 108, second paragraph, of Directive (EU) 2015/2366, a proposal to ensure that all operators of payment systems and entities involved in payment-processing activities are subject to an appropriate oversight, while taking into account existing oversight by the central bank.
3. By 17 January 2026, the Commission shall, after consulting the ESAs and the Committee of European Auditing Oversight Bodies, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience, by means of the inclusion of statutory auditors and audit firms into the scope of this Regulation or by means of amendments to Directive 2006/43/EC of the European Parliament and of the Council (39).
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Footnote 39