Art. 58 Review clause | DORA regulation |

1. By 17 January 2028, the Commission shall, after consulting the ESAsEuropean Supervisory Authority and the ESRB, as appropriate, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal. The review shall include at least the following:
  1. the criteria for the designation of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; in accordance with Article 31(2);
  2. the voluntary nature of the notification of significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; referred to in Article 19;
  3. the regime referred to in Article 31(12) and the powers of the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; provided for in Article 35(1), point (d), point (iv), first indent, with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; established in a third country, and the necessity to establish a subsidiary means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; in the Union.
    
    For the purposes of the first subparagraph of this point, the review shall include an analysis of the regime referred to in Article 31(12), including in terms of access for Union financial entitiesas defined in Article 2, points (a) to (t) to services from third countries and availability of such services on the Union market and it shall take into account further developments in the markets for the services covered by this Regulation, the practical experience of financial entitiesas defined in Article 2, points (a) to (t) and financial supervisors with regard to the application and, respectively, supervision of that regime, and any relevant regulatory and supervisory developments taking place at international level.
  4. the appropriateness of including in the scope of this Regulation financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 2(3), point (e), making use of automated sales systems, in light of future market developments on the use of such systems;
  5. the functioning and effectiveness of the JONJoint Oversight Network in supporting the consistency of the oversight and the efficiency of the exchange of information within the Oversight Framework.
1. In the context of the review of Directive (EU) 2015/2366, the Commission shall assess the need for increased cyber resilience of payment systems and payment-processing activities and the appropriateness of extending the scope of this Regulation to operators of payment systems and entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; involved in payment-processing activities. In light of this assessment, the Commission shall submit, as part of the review of Directive (EU) 2015/2366, a report to the European Parliament and the Council no later than 17 July 2023.
2. Based on that review report, and after consulting ESAsEuropean Supervisory Authority, ECB and the ESRB, the Commission may submit, where appropriate and as part of the legislative proposal that it may adopt pursuant to Article 108, second paragraph, of Directive (EU) 2015/2366, a proposal to ensure that all operators of payment systems and entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; involved in payment-processing activities are subject to an appropriate oversight, while taking into account existing oversight by the central bank.
1. By 17 January 2026, the Commission shall, after consulting the ESAsEuropean Supervisory Authority and the Committee of European Auditing Oversight Bodies, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;, by means of the inclusion of statutory auditors and audit firms into the scope of this Regulation or by means of amendments to Directive 2006/43/EC of the European Parliament and of the Council (³⁹)Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87)..