Article 31 Digital Operational Resilience Act (DORA), Powers of The Lead Overseer

Sep 12, 2024

Article 31 of the Digital Operational Resilience Act (DORA) sets out the powers of the Lead Overseer, the European Supervisory Authority (ESA) appointed to oversee a critical ICT third-party service provider, and the obligations the provider owes in return. It gives the Lead Overseer authority to request information and documentation, to conduct general investigations and inspections, to issue recommendations on the provider's ICT security, contractual terms and subcontracting, and to impose periodic penalty payments when a provider does not cooperate. Note that the article and cross-reference numbering used on this page follows the Commission's legislative proposal; in the Regulation as adopted (Regulation (EU) 2022/2554) the same provision appears as Article 35, and the cross-references to information requests, general investigations and inspections point to Articles 37, 38 and 39.


Powers of the Lead Overseer

  • Information Requests and Investigations: The Lead Overseer may request all relevant information and documentation needed to carry out its duties, in accordance with Article 32, and may conduct general investigations and inspections of the critical ICT third-party service provider in accordance with Articles 33 and 34 respectively.
  • Post-Oversight Reporting: Following oversight activities, the Lead Overseer can request detailed reports from critical ICT third-party providers. These reports should outline the actions taken or remedies implemented in response to any recommendations made by the Lead Overseer, ensuring that necessary improvements are executed.
  • Recommendations and Requirements: The Lead Overseer is authorized to make recommendations on several key areas, including:
    • ICT Security and Quality: The Lead Overseer may recommend the use of specific ICT security and quality requirements or processes, in particular concerning the roll-out of patches and updates, encryption and other security measures it considers relevant for the ICT security of the services provided to financial entities.
    • Contractual Conditions: The Lead Overseer may recommend the conditions and terms, including their technical implementation, under which the critical ICT third-party service provider delivers ICT services to financial entities, where it considers them relevant for preventing the creation or amplification of single points of failure, or for minimising the possible systemic impact of ICT concentration risk across the Union's financial sector.
    • Subcontracting Arrangements: The Lead Overseer may issue recommendations on any planned subcontracting, including arrangements the provider intends to enter into with ICT third-party service providers or subcontractors established in a third country, where, on the basis of the information gathered through its information requests and investigations, it considers that further subcontracting may create risks for the provision of services to financial entities or for financial stability.
    • Refraining from Further Subcontracting: The Lead Overseer may recommend that the provider refrain from entering into a further subcontracting arrangement where three cumulative conditions are met: the envisaged subcontractor is established in a third country, the subcontracting concerns critical or important functions of the financial entity, and the Lead Overseer considers that the arrangement poses a clear and serious risk to the financial stability of the Union or to financial entities, including their ability to comply with supervisory requirements. This is a recommendation rather than a direct prohibition.
  • Consultation and Cooperation: Before exercising these powers, the Lead Overseer must consult the Oversight Forum so that its actions are consistent with the wider oversight objectives. Critical ICT third-party service providers must cooperate in good faith with the Lead Overseer and assist it in fulfilling its tasks.


  • Enforcement and Penalties:
    • To compel compliance with the information requests, general investigations and inspections, and post-oversight reporting obligations in Article 31(1), the Lead Overseer may impose periodic penalty payments on a critical ICT third-party service provider.
    • The penalty payment is imposed on a daily basis until the provider complies, and for no longer than six months from the date on which it is notified to the provider. The daily amount is 1% of the provider's average daily worldwide turnover in the preceding business year.
    • Periodic penalty payments are of an administrative nature and are enforceable; enforcement is governed by the rules of civil procedure of the Member State in which inspections and access are carried out. The amounts collected are allocated to the general budget of the European Union.
  • Public Disclosure and Rights of Defence:
    • The European Supervisory Authorities (ESAs) must disclose to the public every periodic penalty payment they impose, unless disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
    • Before imposing a periodic penalty payment, the Lead Overseer must give representatives of the critical ICT third-party service provider the opportunity to be heard on its findings, and it may base its decision only on findings on which the provider has had the opportunity to comment. The provider's rights of defence must be fully respected in the proceedings, and it is entitled to access the file, subject to the legitimate interest of other persons in the protection of their business secrets and excluding confidential information and the Lead Overseer's internal preparatory documents.

Conclusion

Article 31 of DORA gives the Lead Overseer the powers it needs to oversee critical ICT third-party service providers: to request information, conduct investigations and inspections, issue recommendations on ICT security, contractual terms and subcontracting, and impose periodic penalty payments where a provider fails to cooperate. The requirements to consult the Oversight Forum, to disclose penalties and to respect the provider's right to be heard and to access the file balance this authority with transparency and due process. Together these provisions underpin the stability and security of the financial sector by ensuring that the ICT services it depends on are subject to effective oversight.
