Article 43: Oversight fees
The Article 43 oversight-fee requirement is operationally relevant if you are (or contract with) a critical ICT third-party service provider under DORA’s oversight regime: the Lead Overseer will charge fees that fully cover its oversight costs, and you must be able to receive, validate, pay, and evidence those invoices without control gaps. Build a repeatable “regulatory fee intake-to-payment” process owned by Finance with Compliance oversight.
Key takeaways:
- Confirm whether any of your ICT third parties are designated “critical,” and whether your organization itself could be in-scope as a critical ICT third-party service provider.
- Stand up an auditable workflow for oversight-fee notices: intake, validation, approval, payment, and record retention.
- Tie fee events to your regulatory-response workflow so deadlines, escalations, and disputes are controlled and documented.
Most DORA requirements drive security controls, testing, incident handling, and third-party contracting. Article 43 is different: it creates a supervisory cost-recovery mechanism. The operational risk is not “you failed a penetration test,” it is “you missed or mishandled a supervisory fee” because nobody owned the workflow, approvals stalled, or evidence was scattered across Finance and Legal inboxes.
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat Article 43 as a narrowly-scoped governance and financial-control requirement: ensure your organization can (1) identify when it is on the receiving end of an oversight-fee charge (directly as a critical ICT third-party service provider, or indirectly as a regulated entity supporting such a provider), (2) process those fees through controlled financial operations, and (3) show a clean audit trail linking each fee event to the underlying regulatory notice and internal approvals.
This page focuses on quick operationalization: clear applicability calls, an implementable workflow, evidence to retain, exam questions you should expect, and common failure modes.
Regulatory text
What the law says (operator excerpt): Article 43 states that the Lead Overseer shall charge critical ICT third-party service providers fees that fully cover the Lead Overseer’s necessary expenditure for oversight tasks, including costs incurred via the joint examination team (referenced in Article 40) and related advice costs. (Regulation (EU) 2022/2554, Article 43)
Operator meaning:
- There will be a fee mechanism tied to the oversight function.
- The party charged is the critical ICT third-party service provider (not every regulated financial entity by default).
- Your control objective is straightforward: don’t miss the notice, don’t pay the wrong amount without review, don’t miss deadlines, and keep proof that you handled the fee per your internal controls.
This requirement sits at the intersection of Compliance, Legal, and Accounts Payable.
Primary sources: (Regulation (EU) 2022/2554, Article 43); (Regulation (EU) 2022/2554)
Plain-English interpretation of the requirement
What Article 43 requires in practice
- The Lead Overseer charges fees to critical ICT third-party service providers to recover necessary oversight costs. (Regulation (EU) 2022/2554, Article 43)
- If you are the charged entity, you must be able to operationally receive and settle those fees under controlled financial processes, with traceable approvals and documented exceptions (disputes, clarifications, partial payments where legally permitted). This is the practical compliance expectation implied by the existence of the fee obligation. (Regulation (EU) 2022/2554, Article 43)
What it does not mean
- It does not, by itself, require your regulated entity to pay oversight fees unless you are the critical ICT third-party service provider being charged. (Regulation (EU) 2022/2554, Article 43)
- It does not replace contractually-agreed commercial fees with third parties. It is a supervisory fee concept, separate from procurement. (Regulation (EU) 2022/2554, Article 43)
Who it applies to
Direct applicability (you pay)
Critical ICT third-party service providers designated under DORA’s oversight framework are the direct payers under Article 43. (Regulation (EU) 2022/2554, Article 43)
Operational context signals:
- You provide ICT services at scale to financial entities in the EU and are subject to DORA oversight designations.
- You are already interacting with EU oversight structures (for example, responding to oversight information requests).
Indirect applicability (you must manage exposure)
Even if you are a regulated financial entity (not the critical provider), Article 43 still matters operationally because:
- Your key ICT third parties may be designated critical, and the provider may seek to pass through oversight costs contractually. Article 43 does not authorize pass-through by itself, but it creates the business pressure that leads to commercial negotiations. (Regulation (EU) 2022/2554, Article 43)
- You may need procurement and legal readiness to evaluate contractual fee pass-through requests tied to supervisory oversight activities.
What you actually need to do (step-by-step)
Below is a control build that a CCO/GRC lead can stand up quickly with Finance as the control owner.
Step 1: Make an applicability decision and record it
Create a short memo (one page is fine) answering:
- Are we a critical ICT third-party service provider under DORA oversight (now or plausibly in the near term)?
- If no, do we contract with any third party that could be designated critical, where oversight-fee pass-through might appear in negotiations?
Artifact: “DORA Article 43 applicability assessment” with sign-off by Compliance and Finance, and Legal if you expect pass-through discussions. (Regulation (EU) 2022/2554, Article 43)
Step 2: Assign ownership (Finance owns, Compliance governs)
Define RACI:
- Accounts Payable (Owner): invoice intake, payment execution, ledger posting.
- Compliance (Approver/Controller): confirms the notice is legitimate and tracked as a regulatory event; validates process adherence.
- Legal (Consulted): disputes, clarifications, and any pass-through contract changes.
- Business/Service Owner (Consulted): confirms the oversight activity relates to your services where needed.
One common miss: teams park this in Compliance. It belongs in Finance with a compliance gate.
Step 3: Build a “regulatory fee intake-to-payment” workflow
Implement a documented workflow with these minimum stages:
- Intake and authentication
  - Central mailbox or ticket queue for regulatory notices and fee communications.
  - Verification steps: sender domain, reference numbers, named authority/Lead Overseer details, and internal cross-check that the organization is in-scope to receive such a notice.
- Record creation
  - Open a case in your GRC/ticketing system with: date received, due date, amount, currency, reference, and attached notice.
  - Tag as “DORA oversight fee” for reporting.
- Validation and approval
  - Finance validates invoice completeness and payment instructions.
  - Compliance validates the notice is connected to oversight under DORA and is routed per your regulatory-response workflow. (Regulation (EU) 2022/2554, Article 43)
  - Legal reviews if there is ambiguity, dispute grounds, or non-standard terms.
- Payment execution
  - Pay through normal controlled payment rails (dual approval thresholds per your internal finance controls).
  - Store payment confirmation and remittance advice in the case record.
- Closeout and retention
  - Mark case closed only when payment evidence is attached and approvals are complete.
  - If disputed: document the dispute basis, communications log, and final resolution.
Step 4: Tie Article 43 events to your regulatory-response workflow
Article 43 is about fees, but the operational risk is response discipline. You want one consistent mechanism to:
- track deadlines,
- manage escalations,
- document final outcomes.
If you already run a regulatory-response workflow for information requests and exams, add a fee subtype and reuse the same escalation ladder (Finance controller → Head of AP → CFO delegate, with Compliance visibility). This aligns with the practical control pattern of “regulatory-response workflow with legal/compliance sign-off.” (Regulation (EU) 2022/2554, Article 43)
Where Daydream fits naturally: Daydream can act as your requirement-to-control register for DORA, then link each Article 43 fee event to owners, SLAs, and evidence so you can answer supervisory questions without reconstructing history from email threads. (Regulation (EU) 2022/2554, Article 43)
Step 5: Prepare for cost pass-through requests (if you are a regulated entity customer)
If your critical ICT third party asks to pass through oversight fees:
- Require a written justification and mapping to the provider’s oversight notice.
- Route to Legal and Procurement for contract review.
- Ensure your third-party risk file records the change, approvals, and any impact to pricing, termination rights, and audit/oversight cooperation terms.
Article 43 does not, by itself, bless pass-through terms. Your control is to manage the change as a contract and third-party risk event, not an “AP exception.”
Required evidence and artifacts to retain
Keep these in a single case file per fee event:
- Original oversight-fee notice/invoice and all attachments. (Regulation (EU) 2022/2554, Article 43)
- Authenticity checks (internal checklist, screenshots/headers if needed).
- Approvals (Finance approval, Compliance approval, Legal review if applicable).
- Payment proof (bank confirmation, remittance advice, ledger entry reference).
- Communications log (questions raised, responses, dispute letters, resolution).
- Applicability assessment and RACI (current versions).
- Procedure document for “DORA oversight fee intake-to-payment.”
Retention period should follow your regulatory record retention and finance recordkeeping rules; document what you chose and apply it consistently. (Regulation (EU) 2022/2554)
Common exam/audit questions and hangups
Expect reviewers to test whether you can produce a complete trail quickly:
- “Show me your process.” Who owns it, what are the steps, where is it documented?
- “Show me one completed example end-to-end.” Notice → approvals → payment proof → closeout notes.
- “How do you verify the notice is genuine?” This is a common fraud angle for any payment process.
- “How do you ensure deadlines are met?” Ticket SLAs, escalation, and backup approvers.
- “How do you handle disputes?” Legal involvement and documented resolution steps.
Hangup to avoid: producing payment evidence without the underlying notice and approvals, or producing a notice without proof of payment posting.
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails in audits | Fix |
|---|---|---|
| Treating oversight fees as “just another invoice” | No regulatory traceability; approvals don’t reflect regulatory risk | Create a dedicated case type tied to the regulatory-response workflow |
| Compliance owns payments | Creates bottlenecks; weak segregation of duties | Finance owns payment; Compliance approves legitimacy and tracking |
| Evidence scattered in email | Slow retrieval; incomplete audit trail | One system of record per fee event with required attachments |
| No plan for pass-through requests | Contract changes occur without risk review | Route pass-through proposals through Procurement/Legal and third-party risk governance |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for Article 43, so this page does not list case examples.
Operational risk still matters:
- Supervisory relationship risk: missed payments or unmanaged disputes can escalate into broader oversight friction.
- Control risk: weak intake and verification controls can expose you to payment fraud attempts that mimic regulatory notices.
- Third-party commercial risk: if your providers pass through costs, you need a controlled contract-change pathway.
All of these are manageable with tight workflow design and evidence discipline, anchored to the Article 43 text that fees are charged to fully cover the Lead Overseer’s oversight costs. (Regulation (EU) 2022/2554, Article 43)
Practical 30/60/90-day execution plan
Day 30: Stand up the minimum viable control
- Finalize the applicability assessment and RACI.
- Publish the written fee intake-to-payment procedure (draft is acceptable if approved and followed).
- Create the case template with required fields and an evidence checklist.
- Run a tabletop using a mock notice to test routing, approvals, and evidence capture.
Day 60: Operationalize and integrate
- Integrate with your regulatory-response workflow so escalations and deadlines are standard.
- Train AP, Compliance, and Legal on “what good looks like” and what must be attached to close a case.
- Add a contract review playbook for pass-through requests (if you are a regulated entity customer).
Day 90: Prove it works and harden
- Run a second drill focused on dispute handling and documentation.
- Perform a lightweight internal audit: sample the case file for completeness and segregation of duties.
- If you use Daydream, map Article 43 to the owners, controls, and evidence fields so you can report status and retrieve artifacts quickly during supervisory interactions. (Regulation (EU) 2022/2554, Article 43)
Frequently Asked Questions
Does Article 43 mean every financial entity must budget and pay “oversight fees”?
Article 43 specifies fees charged by the Lead Overseer to critical ICT third-party service providers. (Regulation (EU) 2022/2554, Article 43) If you are a regulated entity customer, your exposure is usually indirect through commercial negotiations.
We are not a critical ICT third-party service provider. Do we need a control anyway?
You still need readiness if your key ICT third parties may become critical and attempt fee pass-through or require contract amendments tied to oversight activity. Keep an applicability memo and a contract-change pathway so you can respond consistently. (Regulation (EU) 2022/2554)
What evidence will an auditor ask for first?
A complete end-to-end example: the fee notice, internal approvals, payment confirmation, and a clear closeout record in one place. Auditors also ask for the written procedure and ownership. (Regulation (EU) 2022/2554, Article 43)
How should we validate that a fee notice is legitimate?
Require intake through a controlled channel, verify sender authenticity and references, and route validation through Compliance before payment. Document the checks in the case file so you can show what you did, not just what you paid. (Regulation (EU) 2022/2554, Article 43)
Can we dispute or delay payment if the amount seems wrong?
Treat disputes as Legal-led with Compliance visibility and Finance execution. Record the dispute basis, communications, and resolution so the final outcome is auditable. (Regulation (EU) 2022/2554, Article 43)
Where should this live in our GRC/control framework?
Place it under DORA governance and third-party oversight readiness, but assign day-to-day ownership to Finance/AP. Track it as a regulatory event type so it follows your regulatory-response workflow and evidence standards. (Regulation (EU) 2022/2554, Article 43)