Article 32 Digital Operational Resilience Act (DORA), Request For Information
Article 32 of the Digital Operational Resilience Act (DORA) sets out how the Lead Overseer may request information from critical ICT third-party service providers, either by a simple (non-binding) request or by a binding decision, so that it can obtain the information it needs to carry out its oversight duties. Note that the article numbering used on this page follows the Commission's 2020 DORA proposal; in the adopted text, Regulation (EU) 2022/2554, the request-for-information provision appears as Article 37 and the periodic penalty payments it refers to are laid down in Article 35(6). Below is a detailed summary of the article's provisions.
Authority of the Lead Overseer
The Lead Overseer may, by simple request or by decision, require a critical ICT third-party service provider to provide all information necessary for the Lead Overseer to carry out its duties under DORA. This includes:
- Business and Operational Documents: Comprehensive records related to the provider's business operations.
- Contracts and Policies: Documentation of agreements and internal policies.
- ICT Security Audit Reports: Reports detailing security audits conducted on ICT systems.
- Incident Reports: Records of any ICT-related incidents affecting the provider.
- Outsourcing Information: Details regarding parties to whom operational functions or activities have been outsourced.
Simple Request For Information
When making a simple request for information, the Lead Overseer must adhere to specific guidelines:
- Legal Basis: Clearly reference Article 32 as the legal basis for the request.
- Purpose: Clearly state the purpose for which the information is being requested.
- Information Required: Specify the exact information or documents needed.
- Time Limit: Set a clear deadline by which the requested information must be provided.
- Voluntary Nature: Inform the representative of the critical ICT third-party provider that he or she is not obliged to provide the information, but that if the request is answered voluntarily, the information provided must not be incorrect or misleading.
Formal Decision to Supply Information
When the Lead Overseer requires information by decision, which, unlike a simple request, is binding on the provider, it must:
- Legal Basis: Reference Article 32 as the legal foundation for the decision.
- Purpose: Clearly state the purpose of the information request.
- Details of Information: Specify the information that is required.
- Time Limit: Establish a deadline for the submission of the information.
- Penalties: Indicate the periodic penalty payments provided for in Article 31(4) that apply where the information produced is incomplete or is not provided within the time limit.
- Right to Appeal: Inform the critical ICT third-party provider of its right to appeal the decision before the Board of Appeal of the ESAs and to have the decision reviewed by the Court of Justice of the European Union, in accordance with Articles 60 and 61 of Regulations (EU) No 1093/2010, No 1094/2010 and No 1095/2010 (the founding regulations of the EBA, EIOPA and ESMA respectively).
Responsibilities of Representatives
Representatives of critical ICT third-party service providers must provide the requested information. Lawyers duly authorized to act may supply the information on behalf of their clients, but the critical ICT third-party provider remains fully responsible if the information provided is incomplete, incorrect or misleading.
Notification to Competent Authorities
After adopting a decision requiring information, the Lead Overseer must, without delay, send a copy of that decision to the competent authorities of the financial entities that use the services of the critical ICT third-party provider concerned. This keeps the authorities supervising those financial entities informed of the oversight action being taken and its scope.
Conclusion
Article 32 of DORA establishes a structured process for requesting and obtaining information from critical ICT third-party providers. By distinguishing a non-binding simple request from a binding decision backed by periodic penalty payments and a right of appeal, the article ensures that the Lead Overseer can gather the information it needs to oversee these providers while giving them procedural safeguards. The provisions also make the provider responsible for the completeness and accuracy of what it supplies, and ensure that the competent authorities of the affected financial entities are kept informed.