Article 44: International cooperation
The Article 44 international cooperation requirement is operationalized by making your ICT third-party risk posture “supervisor-ready” for cross-border information sharing: clear ownership, a controlled regulatory-response process, and complete evidence that can be provided quickly and consistently if EU supervisors coordinate with third-country authorities. This is about readiness and traceability, not about signing your own international agreements. (Regulation (EU) 2022/2554, Article 44)
Key takeaways:
- Treat Article 44 as an exam-readiness requirement: your ICT third-party risk evidence must be coherent, exportable, and defensible across jurisdictions. (Regulation (EU) 2022/2554, Article 44)
- Put a single owner on cross-border supervisory requests and run them through a disciplined workflow with Legal/Compliance sign-off. (Regulation (EU) 2022/2554, Article 44)
- Maintain a register that maps DORA obligations to controls, accountable owners, and evidence artifacts so you can respond without scrambling. (Regulation (EU) 2022/2554)
Article 44 sits in the part of DORA that empowers EU supervisory authorities to cooperate with third-country regulators on ICT third-party risk. You do not “comply” with Article 44 by drafting an international cooperation policy. You comply by running ICT third-party risk management in a way that holds up when supervisors coordinate, share expectations, or request aligned information across borders. (Regulation (EU) 2022/2554, Article 44)
For a CCO or GRC lead, the operational question is simple: if your competent authority asks for ICT third-party risk materials that may be exchanged under international administrative arrangements, can you provide complete, consistent, and well-governed information without creating legal, confidentiality, or accuracy problems? That means two things in practice. First, you need a clean internal system of record for ICT third-party risk decisions and controls. Second, you need a controlled intake-and-response workflow for supervisory requests, including escalation paths and approvals. (Regulation (EU) 2022/2554, Article 44)
This page gives you requirement-level implementation guidance: who owns what, what process to run, and what evidence to retain so you can execute quickly under supervisory pressure.
Regulatory text
DORA Article 44 states that the European Supervisory Authorities (EBA, ESMA, and EIOPA) may conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across financial sectors, in particular by developing best practices for the review of ICT risk management practices and controls, mitigation measures, and incident responses. (Regulation (EU) 2022/2554, Article 44)
What that means for operators: Article 44 is not a direct “must publish X” obligation on your firm. It is a supervisory cooperation mechanism that increases the likelihood of cross-border scrutiny and coordinated supervisory information needs. Your operational obligation is to ensure your ICT third-party risk management program can withstand coordinated review and that your supervisory responses are accurate, consistent, and controlled. (Regulation (EU) 2022/2554, Article 44)
Plain-English interpretation (what the requirement expects)
If you rely on third parties for ICT services (including cloud, managed security, SaaS, data providers, outsourced IT, and critical subcontractors), expect supervisors to align across borders on what “good” looks like and to request comparable artifacts. Your job is to:
- run ICT third-party risk controls that are clearly owned and consistently executed; and
- be able to produce evidence quickly, with Legal/Compliance governance, in a format that survives external sharing. (Regulation (EU) 2022/2554, Article 44)
Who it applies to
Entity scope
This affects DORA-regulated financial entities that manage ICT risk and ICT third-party risk in scope of DORA. (Regulation (EU) 2022/2554)
Operational scope (where it shows up)
Article 44 becomes real when any of the following are true:
- You use third parties headquartered outside the EU, or with delivery centers outside the EU.
- Your group has entities regulated in multiple jurisdictions and shares ICT services or third parties.
- You face supervisory requests involving third-party dependencies, subcontracting chains, incident history, concentration risk, or exit planning. (Regulation (EU) 2022/2554, Article 44)
What you actually need to do (step-by-step)
Step 1: Assign ownership for “international cooperation readiness”
Name a single accountable owner (often the CCO, Head of Operational Resilience, or Head of Third-Party Risk) for inbound supervisory coordination topics related to ICT third-party risk. Document a RACI that includes:
- ICT risk management
- Third-party risk management (TPRM/VRM)
- CISO / Security operations
- Legal (confidentiality, privilege, data transfer)
- Procurement / Vendor management
- Business service owners (important functions) (Regulation (EU) 2022/2554, Article 44)
Exam focus: supervisors look for clear accountability when information must be compiled fast across multiple teams. (Regulation (EU) 2022/2554, Article 44)
Step 2: Build a “DORA Article 44 evidence map” (single register)
Create one register that maps:
- the DORA requirement area (Article 44 context, plus your related DORA ICT third-party risk controls)
- control statements (what you do)
- control owners
- where evidence lives
- how often it updates
- how it is approved for external sharing (Regulation (EU) 2022/2554)
This is where tools like Daydream earn their place: you want a single, searchable system that ties obligations to controls and artifacts, with ownership and workflow, so responses do not depend on tribal knowledge.
Step 3: Implement a regulatory-response workflow (request to closure)
Stand up a workflow that treats each supervisory request as a controlled record:
- Intake & classification: who received it, regulator, scope, due date, confidentiality marking.
- Triage: what artifacts are needed (contracts, risk assessments, testing results, incident reports, remediation plans).
- Tasking: assign contributors with deadlines.
- Legal/Compliance review: verify confidentiality, accuracy, consistency with prior submissions, and whether any third-party contractual notice/consent is required.
- Approval: named accountable executive signs off.
- Submission & retention: store final package, what was sent, and any follow-up Q&A.
- Remediation tracking: if gaps are identified, open corrective actions with owners and evidence of closure. (Regulation (EU) 2022/2554, Article 44)
Operational detail that prevents pain: create a “regulatory response pack” template (index + standard exhibits) so every request produces a consistent binder.
Step 4: Normalize what “good evidence” looks like for ICT third-party risk
Article 44’s stated aim is to develop best practices for reviewing ICT risk management practices and controls, mitigation measures, and incident responses. Prepare evidence that supports those reviews, such as:
- third-party segmentation and criticality rationale
- due diligence standards (security, resilience, financial, subcontracting)
- contract clauses and negotiated exceptions with approvals
- ongoing monitoring outputs and issue management
- exit plans and substitutability assessments
- concentration risk views and dependency mapping (Regulation (EU) 2022/2554, Article 44)
Do a quality pass: can a reviewer unfamiliar with your firm understand decisions from the record alone?
Step 5: Run readiness drills and close gaps
Schedule periodic “supervisory request drills” where you simulate a cross-border request for one critical third party. Measure:
- how quickly you can compile the pack
- whether artifacts conflict (different versions, different metrics)
- whether approvals and confidentiality markings are consistent
- whether remediation items get closed with proof (Regulation (EU) 2022/2554, Article 44)
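The register from Step 2 and the drill checks from Step 5 can be run as a script rather than by eye. The following is an added example, not code from this page or from Daydream: a small readiness check over a constructed evidence-map register. The row schema (third party, evidence area, owner, location, version, last update, refresh cadence, sharing approval and approver), the short area identifiers, and the sample rows are all assumptions made for illustration. It flags exactly the drill failure modes listed above: missing owners, stale artifacts, conflicting versions of the same artifact, artifacts marked shareable without a named approver, and evidence areas with nothing mapped for a critical third party.

```python
"""Readiness check over a DORA evidence-map register (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Evidence areas a response pack for a critical ICT third party should cover.
# Taken from the "good evidence" list on this page; the short ids are assumptions.
REQUIRED_AREAS = (
    "segmentation", "due_diligence", "contract",
    "monitoring", "exit_plan", "concentration",
)


@dataclass(frozen=True)
class EvidenceRow:
    """One line of the obligation -> control -> owner -> evidence register (assumed schema)."""
    third_party: str
    area: str            # one of REQUIRED_AREAS
    owner: str           # accountable owner; empty string means unassigned
    location: str        # where the artifact lives (system of record)
    version: str         # artifact version label
    last_updated: date
    refresh_days: int    # expected refresh cadence for this artifact
    share_approved: bool # cleared for external sharing?
    share_approver: str  # who cleared it; must be named if share_approved


def check_register(rows, critical_third_parties, today):
    """Return sorted (severity, third_party, area, message) findings for a drill."""
    findings = []

    def add(severity, third_party, area, message):
        findings.append((severity, third_party, area, message))

    versions_seen = {}  # (third_party, area) -> set of version labels
    for r in rows:
        if not r.owner.strip():
            add("high", r.third_party, r.area, "no accountable owner")
        overdue = (today - r.last_updated).days - r.refresh_days
        if overdue > 0:
            add("medium", r.third_party, r.area, f"stale by {overdue} days")
        if r.share_approved and not r.share_approver.strip():
            add("high", r.third_party, r.area, "marked shareable with no named approver")
        versions_seen.setdefault((r.third_party, r.area), set()).add(r.version)

    # Two rows for the same artifact with different version labels is the
    # "artifacts conflict" failure mode: the pack would ship two answers.
    for (tp, area), versions in versions_seen.items():
        if len(versions) > 1:
            add("high", tp, area, "conflicting versions: " + ", ".join(sorted(versions)))

    # Coverage: every required area must have at least one row per critical third party.
    for tp in critical_third_parties:
        for area in REQUIRED_AREAS:
            if (tp, area) not in versions_seen:
                add("high", tp, area, "no evidence mapped")

    return sorted(findings)


# Constructed sample register; vendor names, paths and dates are invented.
SAMPLE_REGISTER = [
    EvidenceRow("CloudCo", "segmentation", "Head of TPRM", "grc://tprm/cloudco/tiering",
                "v3", date(2024, 3, 1), 365, True, "CCO"),
    EvidenceRow("CloudCo", "due_diligence", "Head of TPRM", "grc://tprm/cloudco/dd-2024",
                "v2", date(2024, 2, 15), 365, True, "CCO"),
    EvidenceRow("CloudCo", "contract", "Legal", "contracts://cloudco/msa",
                "2023-rev4", date(2023, 11, 20), 730, True, "General Counsel"),
    # No owner, and 172 days old against a 90-day cadence.
    EvidenceRow("CloudCo", "monitoring", "", "tickets://cloudco/monitoring",
                "q2", date(2024, 1, 10), 90, False, ""),
    # Same artifact living in a second place with a different version label.
    EvidenceRow("CloudCo", "monitoring", "SecOps", "share://old/cloudco-monitoring.xlsx",
                "q1", date(2024, 4, 5), 90, False, ""),
    # Marked shareable but nobody signed it off.
    EvidenceRow("CloudCo", "exit_plan", "Head of Op Res", "grc://tprm/cloudco/exit",
                "v1", date(2024, 4, 1), 365, True, ""),
    # "concentration" is deliberately missing for CloudCo.
    EvidenceRow("DataVendor", "due_diligence", "Head of TPRM", "grc://tprm/datavendor/dd",
                "v1", date(2024, 5, 1), 365, False, ""),
]
CRITICAL_THIRD_PARTIES = ("CloudCo",)
DRILL_DATE = date(2024, 6, 30)


if __name__ == "__main__":
    for severity, tp, area, msg in check_register(SAMPLE_REGISTER, CRITICAL_THIRD_PARTIES, DRILL_DATE):
        print(f"[{severity}] {tp} / {area}: {msg}")
```

Run it against an export of your real register (one row per artifact) before a drill; every “high” finding is something a supervisor would hit within minutes of opening the pack. The cadence and severity values are illustrative and should match the firm’s own risk profile.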
Required evidence and artifacts to retain
Keep these artifacts in a controlled repository with versioning and access controls:
- Article 44 readiness RACI and governance notes (ownership, escalation)
- Regulatory response procedure (intake, triage, review, approval, retention)
- DORA-to-controls mapping register (obligation → control → owner → evidence)
- Third-party inventory scoped to ICT services, including criticality tiering
- Third-party due diligence files (assessments, risk acceptances, approvals)
- Contract repository extracts (relevant ICT third-party terms and amendments)
- Ongoing monitoring records (reports, alerts, review minutes)
- Issue and remediation tracker with validation evidence
- Prior supervisory submissions and correspondence logs (Regulation (EU) 2022/2554, Article 44)
Common exam/audit questions and hangups
Expect variations of:
- “Show me your process to respond to ICT third-party risk information requests, including Legal review and final approval.”
- “How do you ensure consistency between what different group entities submit?”
- “Where is the system of record for third-party risk decisions and accepted exceptions?”
- “How do you validate that remediation actions were completed, not just planned?”
- “Can you produce the evidence set for your most critical ICT third party, including subcontractor oversight?” (Regulation (EU) 2022/2554, Article 44)
Hangups that slow teams down:
- Evidence scattered across procurement tools, GRC, ticketing, and shared drives.
- No standard “binder” format, so every request is reinvented.
- Unclear authority to share third-party materials due to confidentiality constraints. (Regulation (EU) 2022/2554, Article 44)
Frequent implementation mistakes (and how to avoid them)
- Treating Article 44 as a policy-only requirement. Fix: build response operations and evidence mapping; a policy does not answer supervisory questions. (Regulation (EU) 2022/2554, Article 44)
- No single accountable owner for supervisory ICT third-party risk responses. Fix: assign one accountable owner and enforce a RACI for contributors and approvers. (Regulation (EU) 2022/2554, Article 44)
- Submitting inconsistent information across requests or entities. Fix: maintain a canonical metrics set and a controlled repository of “latest approved” artifacts for critical third parties. (Regulation (EU) 2022/2554)
- Weak remediation evidence. Fix: require validation artifacts (test results, screenshots, change tickets, updated contract language) before closing actions. (Regulation (EU) 2022/2554, Article 44)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for Article 44. (Regulation (EU) 2022/2554)
Risk implications still matter operationally:
- Supervisory friction risk: slow, inconsistent, or poorly governed responses elevate supervisory attention.
- Legal/confidentiality risk: sharing third-party materials without review can breach contractual terms or create privilege issues.
- Control credibility risk: if you cannot evidence operation of ICT third-party controls, supervisors may view the program as immature. (Regulation (EU) 2022/2554, Article 44)
Practical 30/60/90-day execution plan
First 30 days (stabilize governance and visibility)
- Assign accountable owner and approve RACI for ICT third-party supervisory responses. (Regulation (EU) 2022/2554, Article 44)
- Inventory where key third-party risk artifacts live; identify gaps and duplicates. (Regulation (EU) 2022/2554)
- Draft and approve a regulatory-response workflow with Legal/Compliance sign-off gates. (Regulation (EU) 2022/2554, Article 44)
- Build the first version of the DORA mapping register (obligation → controls → evidence). (Regulation (EU) 2022/2554)
Days 31–60 (standardize evidence and run a first drill)
- Define the “regulatory response pack” template and required exhibits for a critical ICT third party. (Regulation (EU) 2022/2554, Article 44)
- Populate the mapping register for your highest-risk ICT third parties first (focus on critical services and key dependencies). (Regulation (EU) 2022/2554)
- Execute a readiness drill; log issues as corrective actions with owners and due dates. (Regulation (EU) 2022/2554, Article 44)
Days 61–90 (operationalize and make it repeatable)
- Expand evidence mapping coverage to remaining in-scope ICT third parties; retire redundant repositories where possible. (Regulation (EU) 2022/2554)
- Implement recurring cadence: metrics review, issue closure validation, and quarterly refresh of critical third-party packs (your chosen cadence should match your risk profile). (Regulation (EU) 2022/2554, Article 44)
- Consider consolidating into Daydream to keep requirements, control ownership, and evidence in one place with workflow and audit-ready output.
Frequently Asked Questions
Does Article 44 require my firm to sign international cooperation agreements?
No. Article 44 describes administrative arrangements that EU supervisory authorities may conclude with third-country authorities. Your obligation is readiness: run ICT third-party risk controls and evidence in a way that supports cross-border supervisory scrutiny. (Regulation (EU) 2022/2554, Article 44)
What should I do differently if my key ICT third parties are outside the EU?
Tighten your evidence and response governance, because cross-border supervision and data sharing become more likely. Focus on contract repository accuracy, subcontractor transparency, and a repeatable “response pack” for each critical third party. (Regulation (EU) 2022/2554, Article 44)
What is the single most important artifact to build first?
Build the obligation-to-controls-to-evidence register, because it prevents scramble during requests and exposes ownership gaps quickly. Pair it with a regulatory-response workflow so you can execute under time pressure. (Regulation (EU) 2022/2554)
How do I prevent inconsistent submissions across different regulators or group entities?
Use a controlled repository of approved artifacts and a single response workflow with Legal/Compliance review. Maintain a “prior submissions” log so teams reconcile new responses against what was sent before. (Regulation (EU) 2022/2554, Article 44)
Are confidentiality constraints a blocker to being “cooperation-ready”?
They are a governance requirement, not an excuse. Add Legal review gates, track third-party contractual restrictions, and document what can be shared externally and under what approvals. (Regulation (EU) 2022/2554, Article 44)
How does Daydream help with the Article 44 international cooperation requirement?
Daydream helps by mapping DORA requirements to named control owners and specific evidence artifacts in one system, then running a consistent request-and-response workflow. That reduces “find-the-proof” time and keeps supervisory outputs consistent. (Regulation (EU) 2022/2554, Article 44)
Operationalize this requirement
Map requirement text to controls, owners, evidence, and review workflows inside Daydream.
See Daydream