Article 33 Digital Operational Resilience Act (DORA), General Investigations

Sep 12, 2024 by Sneha Naskar

Article 33 of the Digital Operational Resilience Act (DORA) outlines the investigative powers and procedures that the Lead Overseer may employ to ensure compliance by ICT third-party service providers. This article details the authority and processes for conducting investigations to uphold the standards set forth by the regulation.

Conducting Investigations

To fulfill its regulatory duties, the Lead Overseer, supported by the examination team specified in Article 34(1), is authorized to conduct thorough investigations of ICT third-party service providers. These investigations are crucial for assessing compliance with DORA and ensuring that service providers adhere to required standards.

Powers of the Lead Overseer

The Lead Overseer possesses several key powers during investigations:

  • Examination of Records: The Lead Overseer can review records, data, procedures, and any other relevant material, regardless of the format in which they are stored. This broad authority ensures that all pertinent information can be accessed for a comprehensive evaluation.
  • Certified Copies and Extracts: The Lead Overseer may take or obtain certified copies or extracts from the records and materials examined. This facilitates accurate documentation and analysis of the information relevant to the investigation.
  • Summoning Representatives: The Lead Overseer has the power to summon representatives of the ICT third-party service provider for oral or written explanations concerning facts or documents related to the investigation. The responses from these representatives are recorded as part of the investigative process.
  • Interviews: The Lead Overseer can interview any individual or entity that consents to provide information relevant to the investigation. This includes gathering insights from persons who are not directly affiliated with the ICT third-party service provider but who may offer valuable information.
  • Requesting Records: The Lead Overseer may request records of telephone and data traffic, if deemed necessary for the investigation. This helps in obtaining a complete picture of the ICT service provider’s operations and communications.

Authorization and Compliance

Officials and other individuals authorized by the Lead Overseer to conduct investigations must present written authorization. This document specifies the subject matter and purpose of the investigation, ensuring transparency and clarity in the investigative process. It also sets out the periodic penalty payments provided for in Article 31(4) that apply in the event of non-compliance, such as failure to produce requested records or to provide complete answers.

Obligations of ICT Third-Party Service Providers

ICT third-party service providers are required to cooperate with investigations based on decisions made by the Lead Overseer. These decisions detail the investigation's subject matter, purpose, and any associated periodic penalty payments for non-compliance. The decision also provides information on legal remedies available under relevant EU regulations and the right to seek a review by the Court of Justice.

Notification to Competent Authorities

Before initiating an investigation, the Lead Overseer must inform the competent authorities of the financial entities using the ICT third-party service provider. This notification includes details about the investigation and the identity of the authorized personnel conducting it. This ensures that all relevant parties are aware of the investigation and its implications.

Conclusion

Article 33 empowers the Lead Overseer with extensive investigative authority to ensure that ICT third-party service providers comply with the Digital Operational Resilience Act. By allowing the examination of records, summoning representatives, conducting interviews, and requesting specific information, the Lead Overseer ensures that the integrity of ICT services provided to financial entities is maintained. These measures support the overarching goal of enhancing the operational resilience and security of the financial sector.