2026-04-17·20 min read·

DORA Art.40–44: Oversight Measures, NCA Follow-Up, Third-Country CTPP Requirements, Supervisory Fees, and the Register of Information (2026)

Post #413 in the sota.io EU Cyber Compliance Series

DORA Art.36–39 covered how the Lead Overseer conducts investigations and inspections. Articles 40–44 answer what happens after those investigations conclude — and introduce obligations that reach far beyond CTPPs to every financial entity operating in the EU.

Art.40 and Art.41 together form the DORA enforcement chain: the Lead Overseer issues binding recommendations to CTPPs (Art.40), and if CTPPs fail to comply, NCAs take action against the financial entities that depend on them (Art.41). Art.42 addresses a structural gap — what if the critical ICT provider is headquartered outside the EU? Art.43 introduces the supervisory fee mechanism that makes CTPP designation financially significant beyond compliance burden. And Art.44 — arguably the most operationally impactful article in Chapter V — requires every financial entity to maintain a comprehensive register of all ICT third-party contractual arrangements.

This guide covers:

Art.40: Oversight measures — binding Lead Overseer recommendations to CTPPs
Art.41: NCA follow-up — the enforcement chain to financial entities
Art.42: Third-country CTPP requirements — the EU subsidiary mandate
Art.43: Supervisory fees — cost implications of CTPP designation
Art.44: Register of information — the universal financial entity obligation
Python DORAOversightTracker, DORARegisterOfInformation, and DORASupervisoryFeeCalculator implementations
DORA × NIS2 × GDPR cross-mapping for the enforcement and register obligations
30-item compliance checklist

Art.40: Oversight Measures — What the Lead Overseer Can Require

Art.40 defines the primary enforcement instrument available to the Lead Overseer after an investigation or inspection reveals compliance gaps: the oversight measure (sometimes referred to in ESA guidance as a "recommendation").

Categories of Oversight Measures

The Lead Overseer may issue oversight measures requiring CTPPs to:

Category	Examples	Typical Remediation Timeline
Technical measures	Implement MFA for privileged access, upgrade TLS version, patch specific CVEs	30–90 days
Operational measures	Establish incident response runbooks, implement change freeze protocols, improve DR testing frequency	60–180 days
Governance measures	Revise board-level ICT risk reporting, appoint dedicated DORA compliance officer, update risk appetite statements	90–180 days
Contractual measures	Renegotiate SLAs with sub-outsourcing providers, update exit provisions, implement audit rights	60–120 days
Systemic risk measures	Reduce concentration of financial entities in single availability zone, establish multi-region failover	180–365 days

Oversight measures are binding. A CTPP that receives an Art.40 measure must acknowledge receipt, confirm understanding, and submit an implementation plan within 20 working days. The implementation plan must specify:

Responsible party for each remediation action
Milestone dates for intermediate and final completion
Measurement criteria demonstrating completion
Escalation protocol if milestones slip

Lead Overseer Review Process

After receiving the implementation plan, the Lead Overseer:

Reviews for adequacy (is the proposed timeline reasonable? are the measures proportionate to the identified risk?)
May request revision if the plan is insufficient
Agrees a final implementation timeline with the CTPP
Schedules follow-up assessment at agreed completion date

The follow-up assessment is typically conducted as a targeted re-inspection or desk-based review — the Lead Overseer does not routinely conduct a full new investigation for each Art.40 measure. However, if the remediation reveals broader systemic gaps, a new general investigation under Art.36 may follow.

Partial vs. Full Compliance

A CTPP may partially implement an Art.40 measure within the agreed timeline. Partial compliance is not treated as non-compliance per se, but the Lead Overseer assesses:

Whether the unimplemented portion represents residual high-risk
Whether the partial completion reflects genuine technical constraints or deliberate delay
Whether revised milestones for the remaining items are credible

Repeated partial implementation — particularly where remediation timelines slip across multiple oversight cycles — contributes to a higher composite risk score in the Art.38 ongoing oversight model and increases the probability of unannounced inspection.

Escalation to Non-Compliance

If a CTPP fails to implement an Art.40 oversight measure within the agreed timeline without justified cause:

The Lead Overseer issues a formal non-compliance notice specifying the unimplemented measure and new final deadline
If the CTPP fails to meet the final deadline, the Lead Overseer notifies NCAs under Art.41 (see below)
The Lead Overseer may impose Art.43 supervisory fees at the enhanced rate
For systemic-risk failures, the Lead Overseer may request NCA action under Art.35 (power to delegate enforcement to NCAs against financial entities)

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class MeasureStatus(Enum):
    ISSUED = "issued"
    PLAN_RECEIVED = "plan_received"
    IN_REMEDIATION = "in_remediation"
    PARTIALLY_COMPLETE = "partially_complete"
    COMPLETE = "complete"
    NON_COMPLIANT = "non_compliant"
    ESCALATED = "escalated"


class MeasureCategory(Enum):
    TECHNICAL = "technical"
    OPERATIONAL = "operational"
    GOVERNANCE = "governance"
    CONTRACTUAL = "contractual"
    SYSTEMIC_RISK = "systemic_risk"


@dataclass
class OversightMeasure:
    measure_id: str
    ctpp_name: str
    category: MeasureCategory
    description: str
    issue_date: date
    plan_deadline: date  # 20 working days from issue
    remediation_deadline: date
    status: MeasureStatus = MeasureStatus.ISSUED
    implementation_plan_received: Optional[date] = None
    completion_date: Optional[date] = None
    risk_residual: str = "high"  # high/medium/low after partial completion

    def is_plan_overdue(self) -> bool:
        return date.today() > self.plan_deadline and self.status == MeasureStatus.ISSUED

    def is_remediation_overdue(self) -> bool:
        return (
            date.today() > self.remediation_deadline
            and self.status not in (MeasureStatus.COMPLETE, MeasureStatus.ESCALATED)
        )

    def days_remaining(self) -> int:
        return (self.remediation_deadline - date.today()).days

    def escalate(self) -> "OversightMeasure":
        self.status = MeasureStatus.ESCALATED
        return self

    def compliance_summary(self) -> dict:
        return {
            "measure_id": self.measure_id,
            "ctpp": self.ctpp_name,
            "category": self.category.value,
            "status": self.status.value,
            "plan_overdue": self.is_plan_overdue(),
            "remediation_overdue": self.is_remediation_overdue(),
            "days_remaining": self.days_remaining(),
            "requires_escalation": self.status == MeasureStatus.ESCALATED,
        }


@dataclass
class DORAOversightTracker:
    measures: list[OversightMeasure] = field(default_factory=list)

    def add_measure(self, measure: OversightMeasure) -> None:
        self.measures.append(measure)

    def overdue_plans(self) -> list[OversightMeasure]:
        return [m for m in self.measures if m.is_plan_overdue()]

    def overdue_remediations(self) -> list[OversightMeasure]:
        return [m for m in self.measures if m.is_remediation_overdue()]

    def escalation_candidates(self) -> list[OversightMeasure]:
        return [
            m for m in self.measures
            if m.is_remediation_overdue() and m.status != MeasureStatus.ESCALATED
        ]

    def compliance_dashboard(self) -> dict:
        total = len(self.measures)
        by_status = {}
        for m in self.measures:
            key = m.status.value
            by_status[key] = by_status.get(key, 0) + 1
        return {
            "total_measures": total,
            "by_status": by_status,
            "overdue_plans": len(self.overdue_plans()),
            "overdue_remediations": len(self.overdue_remediations()),
            "escalation_candidates": len(self.escalation_candidates()),
            "compliance_rate": (
                by_status.get("complete", 0) / total if total > 0 else 0.0
            ),
        }

Art.41: NCA Follow-Up — The Enforcement Chain Reaches Financial Entities

Art.41 closes the enforcement loop that Art.40 opens. When the Lead Overseer completes an oversight cycle — whether through successful remediation or escalation — it produces an oversight report that is transmitted to the relevant NCAs. Art.41 then requires those NCAs to act.

The Art.41 Report Package

After each oversight cycle, the Lead Overseer sends each relevant NCA:

Summary of oversight findings — identified risks, issued Art.40 measures, and remediation status
CTPP compliance status — which measures are complete, partial, or non-compliant
Recommended NCA actions — specific steps NCAs should consider against supervised entities using the CTPP
Residual risk assessment — the Lead Overseer's view of remaining ICT concentration risk for financial entities that rely on the CTPP

What NCAs Must Do

On receipt of an Art.41 report, NCAs are obligated to assess the financial entities they supervise that use the CTPP in question. The NCA's toolkit includes:

NCA Action	Trigger	Typical Timeline
Require ICT risk assessment update	Any non-trivial finding in Art.41 report	30–60 days
Require concentration risk review	CTPP fails Art.40 systemic-risk measure	60–90 days
Require contractual renegotiation	CTPP has unresolved contractual compliance gaps	90–180 days
Require use limitation	Severe non-compliance, ongoing systemic risk	Immediate to 6 months
Prohibit onboarding	CTPP fails Art.42 EU subsidiary requirement	Immediate
Require exit planning	CTPP under sustained non-compliance	90–365 days

The Art.41 enforcement chain is why financial entities cannot treat CTPP oversight as someone else's problem. Even if your organisation is not itself a CTPP, the oversight framework directly determines what your regulators may require of you.

Financial Entity Obligations in the Art.41 Context

Financial entities should proactively:

Monitor publicly available CTPP oversight status — the Lead Overseer publishes summaries of oversight activity (Art.33(5))
Maintain contractual rights to receive compliance notifications from their CTPP — standard Art.30 requirements
Include Art.41 NCA triggers in their ICT risk governance framework — board or senior management should receive alerts when a critical provider enters non-compliance proceedings
Pre-prepare exit scenarios for critical CTPPs that have received repeated Art.40 measures — Art.25 and Art.28 business continuity requirements intersect here

The lead time between Lead Overseer escalation and NCA action against a financial entity can be as short as 30 days. Financial entities that have not pre-positioned their contingency plans are exposed.

Art.42: Third-Country CTPPs — The EU Subsidiary Requirement

Art.42 addresses a structural gap: what happens when an ICT provider headquartered outside the EU meets the criteria for CTPP designation? Without a legal presence in the EU, the Lead Overseer cannot exercise its Art.33–40 powers effectively — cross-border enforcement is complex, and ESA supervisory authority requires EU jurisdictional hooks.

The Designation Trigger

When the ESAs determine that an ICT third-party provider established in a third country would be designated as critical under Art.31(2), the provider is notified and given 12 months to establish a subsidiary in the European Union.

The 12-month clock starts from the date of formal notification by the ESA JOC. The notification specifies:

The criteria met under Art.31(2) that triggered the designation assessment
The required actions (EU subsidiary establishment)
The 12-month compliance deadline
The consequences of non-compliance

Subsidiary Requirements

The Art.42 EU subsidiary must:

Requirement	Detail
Legal form	Any EU corporate form — SA, GmbH, SAS, Ltd (if remaining EU-relevant post-Brexit for specific regimes)
Jurisdiction	Any EU member state — provider can choose
Activities	Must be the legal entity through which ICT services are delivered to EU financial entities
Governance	Sufficient local management and control to allow Lead Overseer examination
Resource	Must not be a shell — adequate operational staff and systems

The subsidiary does not need to host all ICT infrastructure in the EU (DORA is jurisdiction-agnostic on infrastructure location), but the contractual delivery of services to EU financial entities must flow through the EU subsidiary.

Consequences of Non-Compliance

If a third-country CTPP fails to establish an EU subsidiary within 12 months:

The Lead Overseer notifies all relevant NCAs
NCAs may prohibit supervised financial entities from entering new contractual arrangements with the provider
NCAs may require supervised financial entities to terminate existing arrangements within a specified period
Financial entities that maintain non-compliant CTPP relationships after NCA prohibition are themselves in breach of DORA

The prohibition is not automatic — NCAs exercise discretion based on the availability of alternative providers and the systemic disruption that termination would cause. However, financial entities cannot rely on NCA forbearance: the explicit prohibition power creates direct regulatory exposure for continued use of non-compliant third-country CTPPs.

from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class SubsidiaryStatus(Enum):
    NOT_REQUIRED = "not_required"
    REQUIRED_PENDING = "required_pending"
    ESTABLISHED = "established"
    OVERDUE = "overdue"
    NCA_PROHIBITION_ACTIVE = "nca_prohibition_active"


@dataclass
class DORAThirdCountryAssessment:
    provider_name: str
    headquarters_country: str
    is_eu_established: bool
    designated_critical: bool
    notification_date: Optional[date] = None
    subsidiary_deadline: Optional[date] = None
    subsidiary_status: SubsidiaryStatus = SubsidiaryStatus.NOT_REQUIRED
    eu_subsidiary_entity: Optional[str] = None
    eu_subsidiary_country: Optional[str] = None

    def __post_init__(self) -> None:
        if self.designated_critical and not self.is_eu_established:
            if self.subsidiary_status == SubsidiaryStatus.NOT_REQUIRED:
                self.subsidiary_status = SubsidiaryStatus.REQUIRED_PENDING

    def is_subsidiary_overdue(self) -> bool:
        if self.subsidiary_deadline is None:
            return False
        return (
            date.today() > self.subsidiary_deadline
            and self.subsidiary_status == SubsidiaryStatus.REQUIRED_PENDING
        )

    def days_until_deadline(self) -> Optional[int]:
        if self.subsidiary_deadline is None:
            return None
        return (self.subsidiary_deadline - date.today()).days

    def nca_prohibition_risk(self) -> str:
        if self.is_subsidiary_overdue():
            return "HIGH — NCA prohibition authority triggered"
        if self.subsidiary_status == SubsidiaryStatus.REQUIRED_PENDING:
            days = self.days_until_deadline()
            if days is not None and days < 90:
                return f"MEDIUM — {days} days to deadline, contingency planning required"
        return "LOW"

    def compliance_summary(self) -> dict:
        return {
            "provider": self.provider_name,
            "hq_country": self.headquarters_country,
            "eu_established": self.is_eu_established,
            "critical": self.designated_critical,
            "subsidiary_status": self.subsidiary_status.value,
            "days_to_deadline": self.days_until_deadline(),
            "overdue": self.is_subsidiary_overdue(),
            "nca_prohibition_risk": self.nca_prohibition_risk(),
        }

Art.43: Supervisory Fees — The Cost of Being Critical

Art.43 introduces supervisory fees payable by designated CTPPs to the Lead Overseer. These fees cover the operational costs of the oversight framework: investigative teams, JET deployment, ongoing monitoring systems, and NCA coordination.

Fee Calculation Methodology

The ESA joint committee is responsible for establishing the fee methodology. The framework includes:

Base fee components:

Fixed annual fee per CTPP (covers baseline oversight infrastructure)
Variable component based on total annual revenue from EU financial entity clients
Activity-based component reflecting the volume of oversight work in the preceding year (inspections conducted, Art.40 measures issued, follow-up reviews)

Typical fee ranges (indicative based on ESA guidance):

Revenue Band (EU clients)	Estimated Annual Fee
< €500M	€50,000 – €150,000
€500M – €2B	€150,000 – €500,000
€2B – €10B	€500,000 – €1.5M
> €10B	€1.5M – €5M+

These ranges are illustrative — the ESA JOC sets definitive fee schedules. However, CTPPs should budget for oversight fees as a material compliance cost at the point of designation.

Fee Payment and Non-Payment

Supervisory fees are invoiced annually by the Lead Overseer. Key provisions:

Payment deadline: 30 days from invoice receipt
Late payment: Compound interest at the ECB reference rate plus 3.5% from day 31
Non-payment escalation: After 60 days non-payment, the Lead Overseer may issue a public notice identifying the CTPP as having outstanding fee obligations
Enhanced fee rate: Repeated non-payment or failure to comply with Art.40 measures can trigger an enhanced fee rate in subsequent years

The public notice mechanism is significant for cloud providers whose reputation with financial entity clients is central to their business model. A publicly identified payment defaulter faces potential client attrition independent of the underlying compliance issue.

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DORASupervisoryFeeCalculator:
    provider_name: str
    eu_client_revenue_eur: float  # Annual revenue from EU financial entity clients
    art40_measures_issued_prior_year: int
    inspections_conducted_prior_year: int
    fixed_annual_fee: float = 75_000.0  # Base fee — ESA sets actual amount

    VARIABLE_RATE = 0.00015  # 0.015% of EU client revenue (illustrative)
    ACTIVITY_RATE_MEASURE = 8_000.0  # Per Art.40 measure
    ACTIVITY_RATE_INSPECTION = 25_000.0  # Per inspection

    def base_fee(self) -> float:
        return self.fixed_annual_fee

    def variable_fee(self) -> float:
        return self.eu_client_revenue_eur * self.VARIABLE_RATE

    def activity_fee(self) -> float:
        return (
            self.art40_measures_issued_prior_year * self.ACTIVITY_RATE_MEASURE
            + self.inspections_conducted_prior_year * self.ACTIVITY_RATE_INSPECTION
        )

    def total_estimated_fee(self) -> float:
        return self.base_fee() + self.variable_fee() + self.activity_fee()

    def invoice_due_date(self, invoice_date: date) -> date:
        return invoice_date + timedelta(days=30)

    def late_payment_interest(self, invoice_date: date, payment_date: date) -> float:
        due = self.invoice_due_date(invoice_date)
        if payment_date <= due:
            return 0.0
        days_late = (payment_date - due).days
        ecb_rate = 0.035  # ECB reference rate + 3.5% — check current ECB rate
        daily_rate = ecb_rate / 365
        return self.total_estimated_fee() * daily_rate * days_late

    def fee_summary(self) -> dict:
        return {
            "provider": self.provider_name,
            "eu_client_revenue": self.eu_client_revenue_eur,
            "base_fee": self.base_fee(),
            "variable_fee": round(self.variable_fee(), 2),
            "activity_fee": self.activity_fee(),
            "total_estimated_fee": round(self.total_estimated_fee(), 2),
            "art40_measures_this_year": self.art40_measures_issued_prior_year,
            "inspections_this_year": self.inspections_conducted_prior_year,
        }

Art.44: Register of Information — The Universal Financial Entity Obligation

Art.44 is the most broadly applicable article in Chapter V. Unlike Art.40–43, which concern CTPPs and the oversight framework, Art.44 directly and exclusively targets every financial entity subject to DORA — not just those using designated CTPPs.

What the Register Must Contain

Every financial entity must maintain a register of information covering all contractual arrangements with ICT third-party service providers. The register is not limited to:

Critical or material arrangements only
CTPPs only
ICT services above a monetary threshold

The register covers all ICT third-party arrangements, including minor SaaS subscriptions, cloud storage services, development tool licenses, and monitoring platforms. The breadth is intentional — regulators need a complete ICT supply chain map, not a curated list of what each financial entity considers important.

Required Register Fields

The ESAs have developed Implementing Technical Standards (ITS) specifying the minimum register fields. Based on the ITS templates:

Field	Description	Example
`contractual_arrangement_id`	Unique identifier for each arrangement	CA-2024-0042
`financial_entity_name`	Full legal name of the financial entity	Acme Bank SA
`financial_entity_lei`	Legal Entity Identifier	549300XKTK...
`third_party_service_provider_name`	Full legal name of the provider	AWS EMEA SARL
`third_party_service_provider_lei`	LEI if available	—
`third_party_hq_country`	Country of headquarters	Luxembourg
`ict_service_description`	Type and nature of service	Cloud infrastructure (IaaS)
`service_criticality`	Critical / Non-critical per Art.28 assessment	Critical
`data_classification`	Types of data processed: personal / confidential / public	Personal, Confidential
`start_date`	Date contractual arrangement entered into force	2022-01-15
`end_date_or_notice_period`	Expiry date or applicable notice period	12 months notice
`last_audit_date`	Most recent ICT third-party risk assessment date	2025-09-01
`sub_outsourcing_flag`	Does the provider sub-outsource the relevant service?	Yes
`sub_outsourcing_providers`	Names of material sub-outsourcing providers	Equinix, Cloudflare
`concentration_flag`	Is this provider used by >60% of EU financial sector?	No
`data_processing_location`	Where data is stored and processed	EU (Frankfurt, Amsterdam)

Submission and Update Obligations

Financial entities must:

Maintain the register continuously — updates required when any material contract term changes
Submit annually to their NCA — on or before 31 January each year for the preceding calendar year
Submit on request — NCAs can demand the full register at any time; financial entities must produce it within 5 working days
Report material changes — changes to critical service arrangements must be reported to NCAs within 20 working days of the change taking effect

The annual submission creates a publicly accessible aggregate picture: the ESAs use aggregated register data to identify sector-wide ICT concentration risks (Art.29) and to populate the oversight framework — if a provider appears in 30% of registers, that is concentration risk evidence relevant to CTPP designation under Art.31.

The Connection Between Art.44 and Art.31

This connection is often underappreciated. The Art.44 register is not just a compliance record — it is regulatory intelligence. When the ESAs are assessing whether a given ICT provider meets the CTPP designation criteria under Art.31(2), register data submitted by financial entities is primary evidence:

Number of financial entities using the provider
Total annual fee value across the sector
Criticality classifications applied by financial entities
Geographic concentration of clients

A provider that appears in many registers as "Critical" is significantly more likely to be designated. This means financial entities' own classification decisions (critical vs. non-critical under Art.28) feed back into the oversight framework and affect the providers they use.

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional
import json


class ServiceCriticality(Enum):
    CRITICAL = "critical"
    NON_CRITICAL = "non_critical"
    UNDER_ASSESSMENT = "under_assessment"


class DataClassification(Enum):
    PERSONAL = "personal"
    CONFIDENTIAL = "confidential"
    PUBLIC = "public"


@dataclass
class ICTContractualArrangement:
    arrangement_id: str
    provider_name: str
    provider_lei: Optional[str]
    provider_hq_country: str
    service_description: str
    criticality: ServiceCriticality
    data_classifications: list[DataClassification]
    start_date: date
    end_date: Optional[date]
    notice_period_months: Optional[int]
    last_audit_date: Optional[date]
    sub_outsourcing: bool = False
    sub_outsourcing_providers: list[str] = field(default_factory=list)
    data_processing_locations: list[str] = field(default_factory=list)
    is_ctpp_designated: bool = False

    def audit_overdue(self, max_interval_days: int = 365) -> bool:
        if self.last_audit_date is None:
            return True
        return (date.today() - self.last_audit_date).days > max_interval_days

    def days_since_last_audit(self) -> Optional[int]:
        if self.last_audit_date is None:
            return None
        return (date.today() - self.last_audit_date).days

    def to_register_entry(self) -> dict:
        return {
            "arrangement_id": self.arrangement_id,
            "provider_name": self.provider_name,
            "provider_lei": self.provider_lei,
            "provider_hq_country": self.provider_hq_country,
            "service_description": self.service_description,
            "criticality": self.criticality.value,
            "data_classifications": [d.value for d in self.data_classifications],
            "start_date": self.start_date.isoformat(),
            "end_date": self.end_date.isoformat() if self.end_date else None,
            "notice_period_months": self.notice_period_months,
            "last_audit_date": self.last_audit_date.isoformat() if self.last_audit_date else None,
            "audit_overdue": self.audit_overdue(),
            "sub_outsourcing": self.sub_outsourcing,
            "sub_outsourcing_providers": self.sub_outsourcing_providers,
            "data_processing_locations": self.data_processing_locations,
            "is_ctpp_designated": self.is_ctpp_designated,
        }


@dataclass
class DORARegisterOfInformation:
    entity_name: str
    entity_lei: str
    reporting_year: int
    arrangements: list[ICTContractualArrangement] = field(default_factory=list)

    def add_arrangement(self, arrangement: ICTContractualArrangement) -> None:
        self.arrangements.append(arrangement)

    def critical_arrangements(self) -> list[ICTContractualArrangement]:
        return [a for a in self.arrangements if a.criticality == ServiceCriticality.CRITICAL]

    def overdue_audits(self) -> list[ICTContractualArrangement]:
        return [a for a in self.arrangements if a.audit_overdue()]

    def third_country_critical(self) -> list[ICTContractualArrangement]:
        eu_countries = {
            "AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI",
            "FR", "GR", "HR", "HU", "IE", "IT", "LT", "LU", "LV", "MT",
            "NL", "PL", "PT", "RO", "SE", "SI", "SK"
        }
        return [
            a for a in self.arrangements
            if a.criticality == ServiceCriticality.CRITICAL
            and a.provider_hq_country not in eu_countries
        ]

    def concentration_analysis(self) -> dict:
        from collections import Counter
        country_counts = Counter(a.provider_hq_country for a in self.critical_arrangements())
        return {
            "total_critical": len(self.critical_arrangements()),
            "by_country": dict(country_counts),
            "non_eu_critical": len(self.third_country_critical()),
            "sub_outsourcing_count": sum(1 for a in self.arrangements if a.sub_outsourcing),
        }

    def annual_submission_ready(self) -> bool:
        return len(self.overdue_audits()) == 0

    def export_register(self) -> str:
        return json.dumps(
            {
                "entity_name": self.entity_name,
                "entity_lei": self.entity_lei,
                "reporting_year": self.reporting_year,
                "submission_date": date.today().isoformat(),
                "total_arrangements": len(self.arrangements),
                "critical_count": len(self.critical_arrangements()),
                "overdue_audits": len(self.overdue_audits()),
                "arrangements": [a.to_register_entry() for a in self.arrangements],
            },
            indent=2,
        )

    def compliance_gaps(self) -> list[str]:
        gaps = []
        if self.overdue_audits():
            gaps.append(
                f"{len(self.overdue_audits())} arrangements have overdue ICT risk assessments"
            )
        tc = self.third_country_critical()
        if tc:
            gaps.append(
                f"{len(tc)} critical arrangements with third-country providers — verify Art.42 EU subsidiary status"
            )
        missing_lei = [a for a in self.arrangements if not a.provider_lei]
        if missing_lei:
            gaps.append(f"{len(missing_lei)} arrangements missing provider LEI")
        missing_location = [a for a in self.arrangements if not a.data_processing_locations]
        if missing_location:
            gaps.append(f"{len(missing_location)} arrangements missing data processing location")
        return gaps

Dimension	DORA Art.40–44	NIS2 Equivalent	GDPR Equivalent
Oversight recommendations	Art.40 binding measures to CTPPs	Art.32(1)(d) — binding NCA measures to essential entities	Art.58(2)(d) — DPA corrective orders
Enforcement chain (regulator → intermediate → entity)	Art.41 — Lead Overseer → NCA → Financial Entity	Art.21 NCA measures → operator	No direct equivalent (DPA acts directly)
Third-country entity requirement	Art.42 — EU subsidiary within 12 months	Art.26 — no direct third-country entity requirement	Art.27 — EU representative for non-EU controllers processing EU data
Supervisory fees	Art.43 — fees charged to CTPPs	No equivalent (NIS2 funded by member state budgets)	No equivalent
Supply chain register	Art.44 — comprehensive ICT third-party register	Art.21(2)(d) — supply chain security measures	Art.30 — records of processing activities (processor register)
Register submission frequency	Art.44 — annually + on-request (5 working days)	Art.21 assessments — no standard register submission	Art.30 — available on request, no periodic submission
Criticality classification	Art.28 — entity assesses each arrangement	Art.23(11) — significant incidents reported	Art.32(1) — risk-based approach to processor vetting
Concentration risk	Art.29 — entity-level; Art.44 aggregate → Art.31 sector-level	No equivalent	No equivalent

Key intersection: Art.44 register vs. GDPR Art.30 records of processing activities

Financial entities subject to both DORA and GDPR will recognise significant overlap between the Art.44 ICT third-party register and GDPR Art.30 processor records. However, they are not the same:

Field	DORA Art.44 Register	GDPR Art.30 Records
Scope	All ICT third-party arrangements	All data processing activities
Personal data required	Data classification flags	Description of personal data categories
Non-ICT services	Not applicable	Includes non-digital processing
Service criticality	Required	Not required
Sub-outsourcing	Required	Required (Art.30(2)(d))
Submission to regulator	Annually + on request	On request only

In practice, compliance teams can build a unified third-party register that satisfies both — with DORA-specific fields (criticality, notice period, last ICT audit) added alongside GDPR-specific fields (personal data categories, retention periods, transfer mechanisms). This reduces duplication and creates a single source of truth for third-party governance.

DORA Chapter V Oversight Chain — Complete Architecture (Art.31–44)

Art.31: Designation criteria
    │
Art.32: ESA structure (JOC + Lead Overseer)
    │
Art.33: Lead Overseer powers (investigation, inspection, recommendation)
    │
Art.34: Coordination between Lead Overseers
    │
Art.35: NCA task delegation
    │
Art.36: General investigation conditions
    │
Art.37: On-site inspection (JET composition + protocols)
    │
Art.38: Ongoing oversight cycle (risk scoring)
    │
Art.39: Intragroup ICT providers (exemption framework)
    │
Art.40: Oversight measures → CTPP remediation obligation
    │
Art.41: NCA follow-up → Financial entity obligation
    │
Art.42: Third-country CTPPs → EU subsidiary requirement
    │
Art.43: Supervisory fees → CTPP cost compliance
    │
Art.44: Register of information → All financial entity obligation

The chain shows that Art.44 sits at the end of the enforcement architecture but serves as input to the beginning: register data from all financial entities feeds back into Art.31 designation assessments, creating a continuous intelligence loop.

Common Failure Patterns

Pattern 1: Art.44 register treated as a "critical arrangements only" document

Teams building the Art.44 register frequently misread its scope as equivalent to the Art.28/30 materiality assessment. The register must include all ICT third-party arrangements — a €500/year monitoring SaaS subscription belongs in the register alongside the core cloud infrastructure contract. Regulators conducting Art.44 register reviews specifically look for incompleteness as evidence of inadequate ICT supply chain governance.

Pattern 2: Art.40 implementation plan treated as a negotiation

CTPPs that receive Art.40 measures sometimes approach the 20-working-day implementation plan deadline as a negotiation window — submitting plans with extended timelines and minimum specificity. The Lead Overseer tracks plan quality. Vague plans with long timelines on high-risk measures are treated as early indicators of non-compliance and accelerate the Art.43 enhanced-fee risk and Art.41 NCA notification risk.

Pattern 3: Ignoring Art.41 implications when using non-compliant CTPPs

Financial entities that see news of a CTPP receiving Art.40 measures often treat it as the CTPP's problem. Under Art.41, the NCA has active obligations to assess those financial entities. Entities that proactively reach out to their NCA with an updated risk assessment after CTPP non-compliance news receive significantly better regulatory treatment than those that wait for the Art.41 request.

Pattern 4: Art.42 subsidiary assessment deferred until after contract signature

Procurement teams sometimes complete RFP and contract negotiations with third-country ICT providers before conducting the Art.42 subsidiary check. If a provider would meet CTPP designation criteria and has no EU subsidiary, the contract may be unenforceable or require immediate renegotiation. Art.42 status should be part of the initial vendor due diligence for any critical ICT service.

Pattern 5: Art.43 fees not budgeted in CTPP business cases

ICT providers building financial services product lines often omit supervisory fees from their regulatory compliance budget. For a provider with €1B+ EU client revenue, annual fees may reach €300,000–€600,000. These fees recur and increase with oversight activity — each Art.40 measure and inspection increases the following year's activity-based component.

Pattern 6: Art.44 register not linked to Art.28 materiality assessment

Financial entities that maintain the Art.44 register as a separate compliance exercise from their Art.28 ICT concentration risk assessment miss the regulatory intelligence feedback loop. The register criticality flags should automatically trigger Art.28 concentration risk review. An entity that has 5 critical arrangements with the same third-country provider without flagging concentration risk will face NCA questions on both Art.28 and Art.44 compliance.

30-Item Compliance Checklist (Art.40–44)

Art.40: Oversight Measures (OVM)

OVM-01 CTPP has established an Art.40 measure tracking register with status, deadlines, and responsible parties
OVM-02 Response protocol exists for Lead Overseer notifications (20-working-day plan submission deadline)
OVM-03 Implementation plans include measurable milestones, not just completion dates
OVM-04 Legal counsel is briefed on Art.40 measure response process
OVM-05 Partial compliance reports include residual risk assessment and revised timeline
OVM-06 Board/senior management receive quarterly Art.40 measure status updates
OVM-07 Escalation protocol exists for measures approaching non-compliance threshold

Art.41: NCA Follow-Up (NCA)

NCA-01 Financial entity has process to monitor Lead Overseer public notifications on CTPPs it uses
NCA-02 Art.41 NCA action triggers are included in the ICT third-party risk governance framework
NCA-03 Contractual arrangements with CTPPs require the CTPP to notify the financial entity of Art.40 measure receipt
NCA-04 Pre-prepared exit scenarios exist for each critical CTPP in the event of sustained non-compliance
NCA-05 NCA engagement protocol exists for proactive outreach following CTPP non-compliance news

Art.42: Third-Country CTPPs (TC)

TC-01 Vendor due diligence process includes Art.42 EU subsidiary check for third-country ICT providers
TC-02 Register of all third-country ICT providers with criticality assessment is maintained
TC-03 For each critical third-country provider: EU subsidiary establishment status documented
TC-04 Contractual arrangements with third-country critical providers include Art.42 compliance obligations
TC-05 Contingency plan exists if critical third-country CTPP fails Art.42 compliance (within 12-month window)
TC-06 NCA prohibition monitoring: process exists to track and respond to NCA prohibition notices

Art.43: Supervisory Fees (FEE)

FEE-01 (CTPP-specific) Annual supervisory fee budgeted and approved by finance
FEE-02 (CTPP-specific) Fee calculation methodology understood (fixed + variable + activity components)
FEE-03 (CTPP-specific) Invoice payment process ensures 30-day deadline compliance
FEE-04 (CTPP-specific) Art.40 measure count and inspection count tracked for activity-fee forecasting

Art.44: Register of Information (REG)

REG-01 Register covers ALL ICT third-party arrangements — not limited to critical or material only
REG-02 All required ITS fields populated for each arrangement
REG-03 Provider LEI recorded where available; gap documented where unavailable
REG-04 Data processing location documented for each arrangement
REG-05 Sub-outsourcing flag and sub-provider names recorded
REG-06 Annual audit conducted for each arrangement — overdue audits tracked and remediated
REG-07 Annual submission process established (31 January deadline)
REG-08 On-request response process: full register available to NCA within 5 working days
REG-09 Material change notification process: NCA informed within 20 working days of critical arrangement changes
REG-10 Register criticality flags linked to Art.28 ICT concentration risk assessment process
REG-11 Unified register approach: Art.44 register extends GDPR Art.30 processor records (not parallel document)

sota.io and DORA Art.40–44

For financial services teams deploying on EU cloud infrastructure, Art.44 creates a direct operational requirement: every cloud and SaaS provider in your ICT stack must be registered.

sota.io, as an EU-native PaaS operating exclusively within EU jurisdictions, simplifies several Art.44 fields. Data processing locations are deterministic (EU-only — no cross-border transfer questions), EU subsidiary status is clear (EU-incorporated entity, no Art.42 concern), and the service description maps cleanly to a single register entry per deployment environment.

For financial entities managing Art.44 register completeness, infrastructure providers that create clean, auditable register entries — predictable jurisdictions, clear sub-outsourcing chains, documented audit rights — reduce the compliance overhead of register maintenance relative to multi-cloud arrangements spanning multiple jurisdictions with complex sub-processor chains.