Article 29 Digital Operational Resilience Act (DORA), Structure of The Oversight Framework
Article 29 of the Digital Operational Resilience Act (DORA) establishes a structured oversight framework to manage ICT third-party risks across the financial sector within the European Union. This framework is designed to ensure consistent monitoring, assessment, and coordination regarding the digital operational resilience of financial entities. Below is a comprehensive overview of the provisions set out in Article 29.
Establishment and Role of the Oversight Forum
The Joint Committee, operating under Article 57 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010, is tasked with setting up the Oversight Forum. This forum acts as a sub-committee that supports the Joint Committee and the Lead Overseer in managing ICT third-party risks across financial sectors. The primary functions of the Oversight Forum include:
- Preparation of Draft Positions: The Oversight Forum is responsible for preparing draft joint positions and common acts related to ICT third-party risk, which are subsequently reviewed and adopted by the Joint Committee.
- Discussion and Coordination: The forum regularly discusses current developments concerning ICT risks and vulnerabilities. It aims to promote a unified approach to monitoring these risks at the Union level, ensuring that all Member States adhere to consistent practices.
Annual Assessment and Coordination
The Oversight Forum conducts an annual collective assessment of oversight activities concerning all critical ICT third-party providers. This assessment focuses on several key areas:
- Coordination Measures: The forum promotes coordination measures designed to enhance the digital operational resilience of financial entities. This involves fostering best practices to manage ICT concentration risks and addressing potential cross-sector risk transfers.
- Benchmarking: The Oversight Forum prepares comprehensive benchmarks of critical ICT third-party service providers. These benchmarks are submitted to the Joint Committee, which adopts them as joint positions of the European Supervisory Authorities (ESAs) under Article 56(1) of the relevant regulations.
Composition of the Oversight Forum
The Oversight Forum is composed of:
- Chairpersons of the ESAs: The forum includes the Chairpersons of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
- High-Level Representatives: Each Member State is represented by a high-level official from the relevant competent authority.
- Observers: The forum also includes observers such as the Executive Directors of each ESA, representatives from the European Commission, the European Systemic Risk Board (ESRB), the European Central Bank (ECB), and the European Union Agency for Cybersecurity (ENISA).
Guidelines and Cooperation
In line with Article 16 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010, the ESAs are tasked with issuing guidelines on the cooperation between the ESAs and competent authorities. These guidelines detail:
- Execution of Tasks: Procedures and conditions for executing tasks between competent authorities and the ESAs.
- Information Exchange: Specific details on the information exchanges required by competent authorities to follow up on recommendations made by Lead Overseers regarding critical ICT third-party providers.
Compliance with Other Regulations
The requirements outlined in Article 29 of DORA must be implemented without affecting the application of Directive (EU) 2016/1148 and other Union rules related to the oversight of cloud computing service providers. This ensures that the DORA framework complements existing regulations and does not overlap or conflict with them.
Reporting to EU Institutions
The ESAs, through the Joint Committee and based on the Oversight Forum’s preparatory work, are required to present an annual report to the European Parliament, the Council, and the Commission. This report covers the application and effectiveness of the oversight framework established under Article 29, providing insights and updates on the management of ICT third-party risks.
Conclusion
Article 29 of DORA sets a robust framework for overseeing ICT third-party risks in the financial sector. By establishing the Oversight Forum, outlining its responsibilities, and detailing the annual assessment and coordination processes, DORA aims to enhance the digital operational resilience of financial entities across the EU. The involvement of high-level representatives and observers ensures a comprehensive approach to managing ICT risks, while the alignment with existing regulations and regular reporting to EU institutions highlights the commitment to effective oversight and continuous improvement.