Review clause

Article 59 builds in a mandatory review mechanism ensuring that DORA remains fit for purpose as the technology landscape, threat environment, and financial sector evolve. The European Commission must conduct a comprehensive review by January 17, 2028 — three years after DORA's application date — and report its findings to the European Parliament and Council.

The review must assess whether DORA's requirements remain appropriate and proportionate, whether the oversight framework for critical ICT third-party providers is functioning effectively, and whether the harmonised incident reporting framework is delivering the expected benefits. It must also evaluate the regulation's impact on financial entities of different sizes and complexity levels, paying particular attention to the proportionality of obligations for smaller institutions.

This review clause reflects the acknowledgment that technology regulation must be adaptive. The Commission's report may include legislative proposals for amendments if the review identifies significant gaps, disproportionate burdens, or areas where the regulation has not achieved its objectives. Financial entities and ICT providers should document their implementation experience to contribute to this review process.