DORA | 2026-03-10 | 4 min read

DORA Article 38 Explained: Fees for Critical ICT Third-Party Providers

Introduction

In the evolving landscape of financial regulation, the Digital Operational Resilience Act (DORA) is set to redefine how financial entities and their critical ICT third-party providers manage risks. With the aim of enhancing the digital operational resilience of the financial sector, DORA has specific provisions that impact the fee structure for supervised critical services. This article delves into Article 38 of DORA, which concerns the fees payable by financial entities to their critical ICT third-party providers. Understanding and implementing these requirements is crucial for compliance and maintaining competitive advantage in the digital age.

Key Requirements

DORA Article 38 outlines the following requirements for the fee structure of critical ICT third-party providers:

  • Fairness and Proportionality: Fees must be fair, proportionate, and non-discriminatory, ensuring a level playing field across all financial entities.
  • Transparency: Financial entities must have clear, transparent, and understandable fee structures for the services received from critical ICT third-party providers.
  • Risk-Based Approach: Fees should reflect the risks associated with the services provided, incentivizing providers to manage risks effectively.
  • Independence of Supervisory Authority: The fee structure should not compromise the independence of the supervisory authority overseeing compliance with DORA.
  • Review and Adjustment Mechanisms: There must be a mechanism to review and adjust fees periodically to ensure they remain relevant and aligned with market conditions and regulatory expectations.

Implementation Guide

To comply with DORA Article 38, organizations should take the following practical steps:

  1. Assess Current Fee Structures: Conduct a thorough review of current fee structures to identify any discrepancies with DORA's requirements.
  2. Develop a Risk-Based Fee Model: Establish a fee model that takes into account the risk profiles of different services provided by critical ICT third-party providers.
  3. Ensure Transparency: Document fee structures and the rationale behind them, ensuring they are easily understood by all stakeholders.
  4. Establish a Review Mechanism: Create a process for regular review and adjustment of fees to adapt to changes in market conditions and regulatory expectations.
  5. Consult with Supervisory Authorities: Engage with supervisory authorities to ensure alignment with their expectations and to gain insights into best practices.
  6. Train Staff: Educate relevant staff members on DORA’s requirements and the organization’s fee structure, emphasizing the importance of compliance.
  7. Monitor and Report: Implement monitoring processes to track compliance with fee structures and report any issues to management and supervisory authorities as required.

Common Pitfalls

When implementing DORA Article 38, organizations should be mindful of the following common pitfalls:

  • Lack of Transparency: Fee structures that are not clearly communicated can lead to confusion and potential non-compliance.
  • Ignoring Risk Profiles: Failing to consider the risk profiles of services when setting fees can result in an unfair fee model that does not incentivize risk management.
  • Static Fee Models: Not reviewing and adjusting fees periodically can lead to outdated fee structures that do not reflect current market conditions or regulatory expectations.
  • Compromised Supervisory Authority: Allowing fee structures to impact the independence of supervisory authorities can lead to conflicts of interest and potential regulatory issues.

How Matproof Helps

Matproof's compliance management platform provides tools to automate the tracking and evidence collection for Article 38 requirements, ensuring that your organization maintains a transparent and risk-based fee structure. With features such as automated monitoring, document management, and reporting, Matproof helps you stay on top of compliance, reducing the risk of non-compliance and associated penalties.
