Article 34 Digital Operational Resilience Act (DORA), On-Site Inspections
Article 34 of the Digital Operational Resilience Act (DORA) outlines the procedures and authority granted to the Lead Overseer for conducting on-site inspections of critical ICT third-party service providers. These inspections are essential for ensuring compliance with DORA’s requirements and maintaining the digital resilience of financial entities. The article establishes the framework for how inspections should be carried out, including the powers of the Lead Overseer, the notification process, and the consequences of non-compliance.
Authority and Powers of the Lead Overseer
- Scope of Inspections: The Lead Overseer, supported by examination teams as detailed in Article 35(1), is empowered to conduct on-site inspections at any business premises, land, or property of ICT third-party providers. This includes locations such as head offices, operation centers, and secondary premises. Additionally, the Lead Overseer may conduct offline inspections as necessary. These inspections are designed to thoroughly assess all relevant ICT systems, networks, devices, and data involved in providing services to financial entities.
- Inspection Powers: During an on-site inspection, officials and individuals authorized by the Lead Overseer have the authority to enter and inspect the premises. They are empowered to seal business premises and any related books or records for the duration of the inspection, as deemed necessary. To exercise these powers, authorized personnel must present a written authorization detailing the inspection's subject matter, purpose, and the potential imposition of periodic penalty payments under Article 31(4) if there is non-compliance.
- Notification Requirements: Prior to conducting an inspection, the Lead Overseer must notify the competent authorities of the financial entities that use the ICT services provided by the third-party under review. This ensures that all relevant parties are aware of the inspection and its potential impact on the services they rely on.
- Inspection Coverage: The inspections are comprehensive and cover all relevant aspects of the ICT systems and processes. This includes evaluating the systems, networks, and data used or contributing to the delivery of services to financial entities. The objective is to ensure that all elements involved in the service provision comply with DORA's requirements and standards.
- Advance Notice and Exceptions: The Lead Overseer must provide reasonable advance notice to the critical ICT third-party service provider before any planned on-site inspection. However, this notice may be waived in cases of emergencies or crises, or if providing notice would undermine the effectiveness of the inspection. In such situations, immediate action is necessary to address urgent issues.
- Inspection Orders: When ordering an on-site inspection, the Lead Overseer’s decision must clearly specify the subject matter, purpose, and the start date of the inspection. The decision must also outline the periodic penalty payments as per Article 31(4), available legal remedies under EU Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, and the right to seek judicial review of the decision by the Court of Justice.
- Consequences of Non-Compliance: If the inspection reveals that the critical ICT third-party service provider is obstructing or opposing the inspection, the Lead Overseer must inform the provider of the potential consequences. This includes the possibility that competent authorities of the relevant financial entities may terminate their contractual arrangements with the provider. Such actions underscore the importance of cooperation and compliance with the inspection process.
Conclusion
Article 34 of DORA establishes a rigorous framework for conducting on-site inspections of critical ICT third-party service providers. By granting the Lead Overseer the authority to enter premises, seal records, and impose penalties, the article aims to ensure thorough oversight and enforcement of digital resilience standards. The notification and procedural requirements set out in the article facilitate transparency and allow for the involvement of relevant authorities, while the provisions for advance notice and handling non-compliance ensure that inspections are conducted effectively and fairly. This comprehensive approach is crucial for maintaining the security and stability of the financial sector and ensuring that ICT services meet the necessary regulatory standards.