Article 35 Digital Operational Resilience Act (DORA), Ongoing Oversight
Article 35 of the Digital Operational Resilience Act (DORA) deals with the ongoing oversight of critical ICT third-party service providers. It sets out who assists the Lead Overseer during investigations and inspections (the joint examination team), how the composition and working arrangements of that team are to be specified in regulatory technical standards, and how the recommendations that result from an investigation or inspection are adopted and communicated. Note that the text summarised here follows the Commission's 2020 DORA proposal, in which this provision was numbered Article 35; in the adopted Regulation (EU) 2022/2554 ongoing oversight is governed by Article 40, and the team composition and the deadline for the technical standards were changed in the final text, so check the published Regulation before citing article numbers or deadlines.
Establishment of Examination Teams
When conducting oversight activities, in particular general investigations or inspections of a critical ICT third-party service provider, the Lead Overseer is assisted by a joint examination team established for each provider designated as critical. The team is composed of staff from the Lead Overseer and from the competent authorities that supervise the financial entities receiving services from that provider, and may have at most ten members. All members must have expertise in ICT and operational risk. The team works under the coordination of a designated ESA staff member, the Lead Overseer coordinator, who is responsible for the preparation and conduct of the oversight activities.
Composition and Coordination of the Examination Team
The composition and working arrangements of the joint examination team are to be specified in common draft regulatory technical standards developed by the European Supervisory Authorities (ESAs) through their Joint Committee. These standards specify how team members are designated from the relevant competent authorities, what tasks the members have, and how the team organises its work. The ESAs must submit the draft standards to the European Commission within one year of the date DORA enters into force, and the Commission is empowered to supplement the Regulation by adopting them in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010. In practice this means that the detailed rules for how an examination team is staffed and operates are not in DORA itself but in the delegated act that follows it, so both texts must be read together.
Recommendations and Reporting
Within three months after the completion of an investigation or inspection, the Lead Overseer must consult the Oversight Forum and then adopt recommendations addressed to the critical ICT third-party service provider, exercising the recommendation powers that DORA confers on the Lead Overseer. The recommendations address the issues identified during the oversight activity and set out what the provider is expected to change. The three-month period runs from the end of the investigation or inspection, not from the start of the oversight engagement.
Communication of Recommendations
Once adopted, the recommendations must be communicated immediately to the critical ICT third-party service provider and to the competent authorities of the financial entities to which that provider supplies services. Communicating them to the competent authorities at the same time as to the provider means that the supervisors of the affected financial entities know what the provider has been asked to remediate and can follow up with the entities they supervise.
Consideration of Third-Party Certifications
When carrying out oversight activities, the Lead Overseer may take into consideration relevant third-party certifications and internal or external audit reports that the critical ICT third-party service provider makes available. The wording is permissive: such documents can inform the Lead Overseer's assessment of the provider's ICT and operational risk controls, but the Lead Overseer is not obliged to rely on them and they do not replace the Lead Overseer's own investigations and inspections.
Taken together, these provisions give the Lead Overseer a standing mechanism for supervising critical ICT third-party service providers: a dedicated examination team for each provider, technical standards that make the team's staffing and working arrangements consistent across jurisdictions, a fixed deadline for turning findings into recommendations, and immediate sharing of those recommendations with the supervisors of the financial entities concerned.