Introduction
In an increasingly interconnected global financial landscape, the Digital Operational Resilience Act (DORA) emphasizes the importance of international cooperation to ensure the stability and integrity of financial markets. Article 39 of DORA focuses specifically on the cooperation between European Union (EU) authorities and third-country financial entities in overseeing Information and Communication Technology (ICT) third-party service providers. As financial institutions rely more heavily on digital services, understanding and complying with Article 39 is crucial for maintaining operational resilience and mitigating ICT risks.
Key Requirements
DORA Article 39 sets forth several key requirements to foster international collaboration and harmonize ICT third-party oversight:
Mutual Recognition Agreements (MRAs): The European Supervisory Authorities (ESAs) are tasked with negotiating MRAs with third-country authorities to recognize each other’s regulatory and supervisory frameworks concerning ICT third-party providers.
Cooperation Arrangements: In the absence of MRAs, cooperation arrangements can be established to facilitate information exchange and collaboration on supervisory activities.
Confidentiality and Sensitive Information: Both the EU and third-country authorities must ensure the protection of confidential and sensitive information shared under these agreements.
Proportionality and Reciprocity: The level of cooperation should be proportionate to the potential risks posed by third-party providers and based on the principle of reciprocity.
Joint Supervisory Activities: Supervisory authorities can undertake joint activities, including on-site inspections and assessments of third-country ICT third-party providers.
Consultation and Notification: Authorities must consult and notify each other in cases where significant decisions or actions relate to third-party providers operating across borders.
Implementation Guide
To ensure compliance with DORA Article 39, financial entities should consider the following practical steps:
Assess Third-Party Risks: Conduct a thorough risk assessment of your third-party ICT providers, particularly those operating in different jurisdictions.
Monitor Regulatory Developments: Keep abreast of any MRAs or cooperation arrangements negotiated by ESAs with third-country authorities.
Develop Internal Policies: Establish clear policies and procedures for managing international cooperation and information sharing in line with MRAs and cooperation arrangements.
Secure Data Exchange Mechanisms: Implement secure and compliant mechanisms for exchanging sensitive data with third-country authorities.
Train Staff: Ensure that staff involved in international cooperation activities are trained in relevant regulatory requirements and best practices.
Regular Audits and Reviews: Conduct regular audits and reviews to ensure continuous compliance with Article 39 requirements.
Common Pitfalls
Several common pitfalls can arise when implementing DORA Article 39:
Lack of Awareness: Insufficient awareness among staff and management about the requirements and implications of international cooperation.
Inadequate Documentation: Failing to maintain proper documentation of international cooperation activities, which can lead to non-compliance and regulatory penalties.
Data Protection Compliance: Overlooking data protection requirements when sharing sensitive information with third-country authorities.
Inefficient Communication: Poor communication channels between EU and third-country authorities can lead to delays and misinterpretations.
Ignoring Reciprocity: Assuming cooperation is one-sided without ensuring that reciprocity is part of the agreement.
How Matproof Helps
Matproof's compliance management platform simplifies the process of tracking and evidencing compliance with Article 39. It automates the collection of risk assessments, policy documentation, and communication records related to international cooperation, ensuring that financial entities can demonstrate compliance efficiently and effectively.