Article 48: Cooperation between authorities

Article 48 is a supervisor-to-supervisor cooperation requirement, but you operationalize it by making your organization “easy to supervise” across borders: consistent evidence, clear ownership, and a controlled regulatory-response workflow that supports information-sharing between competent authorities and any Lead Overseer. Build traceability from DORA duties to controls, artifacts, and rapid regulator-ready retrieval. (Regulation (EU) 2022/2554, Article 48)

Key takeaways:

  • Treat Article 48 as an operational readiness requirement: your documentation and response discipline must withstand multi-authority scrutiny. (Regulation (EU) 2022/2554, Article 48)
  • Centralize ownership and evidence for DORA execution so parallel regulator requests don’t produce inconsistent answers.
  • Run regulator-request drills and track corrective actions to closure with validation evidence.

The heading “Article 48: cooperation between authorities” reads as if it applies only to regulators. In practice, it shapes how examinations, information requests, and follow-ups land on you. When competent authorities cooperate “closely among themselves,” they compare notes, align supervisory approaches, and may coordinate requests, findings, or remediation expectations across jurisdictions and entity boundaries. If your ICT risk governance, incident evidence, third-party oversight artifacts, and remediation tracking are fragmented, cross-authority coordination quickly becomes your problem: inconsistent answers, mismatched timelines, and “who owns this?” confusion.

Your job as a Compliance Officer, CCO, or GRC lead is to ensure your operating model can withstand coordinated supervision. That means three things: (1) a single register that maps DORA obligations to accountable owners, controls, and evidence artifacts; (2) a regulatory-response workflow that produces consistent, approved outputs; and (3) a remediation discipline that shows not just plans, but verified closure.

This page gives you requirement-level guidance you can implement immediately, with concrete steps, artifacts, and audit-ready prompts tied to Article 48. (Regulation (EU) 2022/2554, Article 48)

Regulatory text

Excerpt (operator-relevant): “Competent authorities shall cooperate closely among themselves and, where applicable, with the Lead Overseer.” (Regulation (EU) 2022/2554, Article 48)

Plain-English interpretation

Article 48 directs competent authorities to coordinate. You do not “comply” by filing a specific report under this article; you comply by being consistently governable and evidencable under coordinated supervision. Expect that:

  • Different authorities may request overlapping ICT risk, incident, testing, and third-party information.
  • Authorities may reconcile discrepancies between what you provide and what other firms, group entities, or third parties provide.
  • Remediation commitments made to one authority may be visible to others.

Operational goal: one truth, many consumers—a controlled, versioned set of supervisory-ready artifacts with clear ownership and fast retrieval. (Regulation (EU) 2022/2554, Article 48)

Who it applies to

Entity scope

  • Financial entities in scope of DORA that are subject to competent authority supervision, especially those operating in multiple EU jurisdictions or within groups where multiple authorities may have an interest. (Regulation (EU) 2022/2554)

Operational contexts where this shows up

  • Cross-border operations: branches/subsidiaries with local regulators plus a consolidating supervisor.
  • Group ICT services: shared SOC, shared infrastructure, shared incident response, shared third-party contracts.
  • Critical ICT third parties: if your supervisory engagement is influenced by oversight activity involving a Lead Overseer, you should assume requests may reference shared information flows. (Regulation (EU) 2022/2554, Article 48)

What you actually need to do (step-by-step)

This is the fastest operational path to satisfy the “cooperation between authorities” reality without guessing what regulators will coordinate.

Step 1: Build an Article 48 “supervisory cooperation readiness” register

Create a single register entry for Article 48 that points to:

  • Accountable executive owner: typically the CCO/CISO/Head of Operational Resilience (choose one accountable party).
  • Operational owners: ICT risk, security operations, incident manager, third-party risk, internal audit, legal.
  • Evidence set: the exact artifacts you will provide under request.

Practical tip: In Daydream, teams maintain this as a requirement-to-evidence map so every DORA obligation has named owners and a “click path” to artifacts.

Step 2: Implement a regulatory-response workflow (intake → triage → approve → deliver)

Define a workflow that assumes multiple authorities may ask the “same” question in different ways.

Minimum workflow design:

  1. Intake channel: one mailbox/ticket queue for all supervisory requests; log date received, requesting authority, deadline, scope.
  2. Triage: classify request type (information request, interview, on-site, remediation update) and impacted domains (incidents, testing, third party, governance).
  3. Assignment: route tasks to owners with a required response format and internal due date.
  4. Quality control: compliance + legal sign-off; confirm consistency with previous submissions.
  5. Delivery and record: store the final package, delivery method, and acknowledgment.
  6. Post-mortem: capture gaps discovered and open corrective actions.

Key control: version control and “previously provided” cross-referencing so you can explain changes without contradiction.

Step 3: Standardize your supervisory evidence packages

When authorities coordinate with each other, inconsistent formatting, definitions, and time windows become visible across submissions. Standardize:

  • Definitions: what counts as an ICT incident, major incident, outage, “service,” “critical function,” “material third party.”
  • Time windows: reporting periods, lookback periods, and “as of” dates within evidence.
  • System-of-record: a declared source for incident timelines, risk assessments, third-party inventory, and remediation status.

Deliverables should be reproducible: if two authorities ask for the same data, you can generate the same output from the same source.
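The two controls above (a declared system-of-record with fixed “as of” dates and definitions, and a “previously provided” index that lets you explain changes without contradiction, from Steps 2 and 3) can be made mechanical rather than manual. The following is an added example, not code from the page or from Daydream: it builds an incident evidence package from a constructed system-of-record export, serializes it canonically so identical requests produce byte-identical output and the same SHA-256 hash, records each delivery in a submission index chained to the prior hash, and generates record-level change statements between two packages. The field names, the sample incidents, and the snapshot rule (anything closed after the as-of date is reported as still open) are assumptions for illustration, not a DORA schema.

```python
"""Reproducible, versioned supervisory evidence package (added example)."""
import hashlib
import json

# Constructed sample export from the declared system-of-record for incidents.
# Field names and values are assumptions for this example, not a DORA schema.
INCIDENT_SYSTEM_OF_RECORD = [
    {"id": "INC-0002", "opened": "2024-03-12", "classification": "major",
     "status": "closed", "closed": "2024-03-14"},
    {"id": "INC-0001", "opened": "2024-01-20", "classification": "non-major",
     "status": "closed", "closed": "2024-01-21"},
    {"id": "INC-0003", "opened": "2024-05-02", "classification": "major",
     "status": "open", "closed": None},
]

# Declared definitions travel inside the package (and inside its hash), so
# every authority receives the same meaning of "major" and the same lookback.
DEFINITIONS = {
    "major_incident": "as classified under the firm's incident policy v3",
    "lookback_days": 365,
}


def canonical_json(obj) -> str:
    # Sorted keys and fixed separators make serialization byte-stable, so the
    # same underlying data always produces the same hash regardless of who
    # generated the package or in what order the source returned rows.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def build_package(records, as_of: str, definitions=DEFINITIONS) -> dict:
    # Snapshot rule: include only records opened on or before the as-of date
    # (ISO dates compare correctly as strings). A record closed after the
    # as-of date is reported as still open, so the snapshot is self-consistent.
    snapshot = []
    for r in records:
        if r["opened"] > as_of:
            continue
        r2 = dict(r)
        if r2["closed"] is not None and r2["closed"] > as_of:
            r2["status"], r2["closed"] = "open", None
        snapshot.append(r2)
    snapshot.sort(key=lambda r: r["id"])  # deterministic order, not source order
    body = {"as_of": as_of, "definitions": definitions, "records": snapshot}
    digest = hashlib.sha256(canonical_json(body).encode("utf-8")).hexdigest()
    return {**body, "sha256": digest}


def register_submission(index: list, authority: str, request_id: str, package: dict) -> dict:
    # Every delivery is logged with its own hash and the hash of the previous
    # delivery, so "what did you send last time and what changed" always has
    # an exact reference point rather than an email thread.
    prior = index[-1]["sha256"] if index else None
    entry = {"version": len(index) + 1, "authority": authority,
             "request_id": request_id, "as_of": package["as_of"],
             "sha256": package["sha256"], "previous_sha256": prior}
    index.append(entry)
    return entry


def explain_change(prev: dict, new: dict) -> list:
    # Record-level change statements to accompany an updated package.
    old = {r["id"]: r for r in prev["records"]}
    cur = {r["id"]: r for r in new["records"]}
    notes = []
    for rid in sorted(set(cur) - set(old)):
        notes.append(f"{rid}: added (opened {cur[rid]['opened']})")
    for rid in sorted(set(old) - set(cur)):
        notes.append(f"{rid}: removed")
    for rid in sorted(set(old) & set(cur)):
        for key in sorted(old[rid]):
            if old[rid][key] != cur[rid].get(key):
                notes.append(f"{rid}: {key} {old[rid][key]!r} -> {cur[rid].get(key)!r}")
    return notes


if __name__ == "__main__":
    index = []
    first = build_package(INCIDENT_SYSTEM_OF_RECORD, "2024-03-13")
    register_submission(index, "Authority A", "REQ-A-1", first)
    second = build_package(INCIDENT_SYSTEM_OF_RECORD, "2024-05-31")
    register_submission(index, "Authority B", "REQ-B-1", second)
    print(index[-1])
    print("\n".join(explain_change(first, second)))
```

Two authorities asking for the same dataset with the same as-of date get packages with identical hashes, which is the reproducibility check; a later package differs only by explainable record changes, which is the “what changed” answer. The submission index is the minimum “previously submitted” library: keep it with the final delivered packages in the same controlled repository.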

Step 4: Put corrective action management (CAPA) on rails

Coordinated supervision tends to converge on remediation progress. Build a CAPA discipline that includes:

  • Unique IDs per finding
  • Owner, due date, dependency tracking
  • Milestones and status definitions
  • Validation evidence: testing results, configuration screenshots, change tickets, updated procedures
  • Closure criteria: who signs off and what proves closure

Avoid “paper closure.” Store validation artifacts with the CAPA record.

Step 5: Run readiness drills that mimic multi-authority coordination

Drill scenarios:

  • Two simultaneous information requests with overlapping scope and different deadlines.
  • A request that asks you to reconcile statements made by another group entity or a key third party.
  • A remediation update where the authority asks for proof, not narrative.

Output from the drill:

  • Time-to-assemble evidence
  • Gaps in ownership
  • “Conflicting truth” incidents (two sources produce different numbers)
  • A short corrective action list with owners and tracked closure

Required evidence and artifacts to retain

Keep these artifacts in a single, searchable repository with access controls and an audit trail:

Governance and ownership

  • DORA governance chart (committees, roles, RACI)
  • Article-to-control mapping register (Article 48 mapped to readiness controls and owners)
  • Policies and procedures for regulator communications and response approvals

Supervisory engagement records

  • Request log (intake, deadlines, assignments, approvals, delivery proof)
  • Final response packages (exact versions sent)
  • Internal review notes and legal/compliance approvals

Operational execution evidence (what regulators will cross-check)

  • Incident records and timelines (system-of-record exports, post-incident reviews)
  • Testing evidence and results summaries (including remediation from failed tests)
  • Third-party inventory and due diligence packets for material ICT dependencies
  • CAPA tracker with validation artifacts and closure sign-offs

Common exam/audit questions and hangups

Expect questions that test your ability to operate under coordinated supervision:

  1. “Show me how you ensure consistent answers across authorities.”
    Hangup: teams respond from email threads, not a controlled workflow.

  2. “Who owns DORA evidence for incidents/testing/third parties?”
    Hangup: ownership diffuses across CISO, ops, procurement, and risk.

  3. “Provide what you sent last time, and explain what changed.”
    Hangup: no versioning or inability to reconstruct prior submissions.

  4. “Demonstrate remediation closure for prior findings.”
    Hangup: closure based on attestation rather than validation evidence.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating Article 48 as a “regulators’ problem”
    Why it fails under Article 48 cooperation dynamics: Coordinated supervision drives stricter consistency expectations on firms.
    Fix: Build a readiness register and evidence map tied to Article 48. (Regulation (EU) 2022/2554, Article 48)

  • Mistake: Multiple response channels
    Why it fails: Creates conflicting narratives and lost approvals.
    Fix: Single intake + ticketing + sign-off workflow.

  • Mistake: Evidence scattered across tools
    Why it fails: Slow retrieval increases deadline risk; inconsistent data extracts.
    Fix: Declare systems-of-record and standard evidence packages.

  • Mistake: CAPAs tracked in slides
    Why it fails: Hard to prove closure; no audit trail.
    Fix: CAPA system with validation artifacts and closure criteria.

  • Mistake: No drills
    Why it fails: The first “test” happens in a live exam.
    Fix: Run request-response drills; open and close gaps.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page avoids case claims.

Risk implication you can plan for without speculating: where authorities cooperate, inconsistency risk rises. Inconsistencies can trigger follow-up requests, widen exam scope, and increase management attention and remediation burden. Article 48 signals that supervisory coordination is expected, so your operational stance should assume information will be compared across authorities and, where relevant, with a Lead Overseer. (Regulation (EU) 2022/2554, Article 48)

Practical 30/60/90-day execution plan

Treat the 30/60/90-day phases as sequencing, not calendar commitments. Adjust the order and pace to your exam cycle and open findings backlog.

First 30 days (Immediate stabilization)

  • Name an accountable owner for “supervisory cooperation readiness” under Article 48.
  • Stand up a single supervisory request intake and a request log.
  • Draft the response workflow with required sign-offs (compliance + legal at minimum).
  • Create an initial evidence inventory: where artifacts live today, who can extract them, and known gaps.

By 60 days (Operationalize and standardize)

  • Publish your Article 48 mapping: obligation → controls → owners → evidence artifacts.
  • Standardize evidence packages for: incidents, testing, third-party oversight, remediation status.
  • Implement basic version control and a “previously submitted” index for regulator packages.
  • Establish CAPA closure criteria and validation evidence requirements.

By 90 days (Prove it works)

  • Run a readiness drill with two simulated authority requests and one follow-up clarification cycle.
  • Measure friction points (handoffs, data conflicts, approval bottlenecks) and fix them.
  • Produce a management readout: open gaps, remediation plan, and updated RACI.
  • Consider consolidating the whole requirement-to-evidence register in Daydream so your supervisory readiness is maintained as part of BAU compliance, not a scramble.

Frequently Asked Questions

Does Article 48 create a direct obligation on my firm or only on regulators?

The text is directed at competent authorities, but it affects your supervision experience. Operationally, you should prepare for coordinated information requests and ensure your responses and evidence are consistent and reproducible. (Regulation (EU) 2022/2554, Article 48)

What is the single most important control to implement for Article 48 readiness?

A controlled regulatory-response workflow with centralized intake, defined ownership, and compliance/legal sign-off. It prevents inconsistent submissions when multiple authorities engage on the same underlying facts.

How do we avoid inconsistent answers across different regulators or jurisdictions?

Declare systems-of-record for key datasets (incident timelines, third-party inventory, CAPA status) and generate standardized evidence packages from those sources. Keep a “previously submitted” library so updates can be explained cleanly.

What evidence should we keep for supervisory cooperation scenarios?

Keep the request log, the exact response packages delivered (final versions), approval records, and the underlying operational evidence (incident records, testing results, third-party due diligence, CAPA validation). Store them in a searchable repository with access control and audit trail.

We have multiple entities in a group; who should own regulator responses?

Assign one accountable owner for coordination and one intake channel, then delegate drafting to domain owners. Require a consistency review against prior submissions and across group entities before delivery.

How can Daydream help without turning this into a documentation exercise?

Daydream is most effective when you use it to maintain a living requirement-to-evidence map and drive a repeatable response workflow. That keeps ownership current and shortens evidence retrieval when coordinated supervision triggers parallel requests.

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.