CELEX:32024R3190R(03)

This is a corrigendum to the Digital Operational Resilience Act (DORA), published on 20 April 2026. It corrects technical errors in the original 2024 regulation, specifically addressing inconsistencies in the definitions of critical ICT third-party service providers and clarifying the scope of subcontracting notification requirements. The corrections also align the timeline for the European Supervisory Authorities to develop certain regulatory technical standards with the original legislative intent.

All financial entities subject to DORA, including banks, investment firms, payment institutions, and insurance companies, are affected. Additionally, ICT third-party service providers designated as critical under the oversight framework must review the corrected definitions to ensure their classification and reporting obligations remain accurate.

Compliance teams should immediately review the corrigendum against their existing DORA implementation plans. Focus on updating internal registers of contractual arrangements with ICT providers, particularly where subcontracting clauses are involved. Verify that your firm’s incident reporting and threat-led penetration testing procedures reflect the corrected language. Finally, ensure your regulatory reporting timelines align with the clarified deadlines for technical standards, as any misalignment could lead to non-compliance.