Article 36 Digital Operational Resilience Act (DORA), Harmonisation Of Conditions Enabling The Conduct Of The Oversight

Sep 12, 2024

Article 36 of the Digital Operational Resilience Act (DORA) addresses the standardization and harmonization of conditions required for effective oversight of critical ICT third-party service providers. This article mandates the development of regulatory technical standards to ensure consistency and clarity in the oversight processes. Here is a comprehensive summary of Article 36.

Development of Regulatory Technical Standards

The European Supervisory Authorities (ESAs) are tasked with developing draft regulatory technical standards through the Joint Committee. These standards are designed to provide detailed guidelines and specifications across several key areas:

  • Voluntary Opt-in Application Information: The ESAs will specify the information that critical ICT third-party service providers must include when applying for a voluntary opt-in under Article 28(8). This ensures that the application process is clear and uniform, allowing for consistent evaluation of such requests.
  • Report Content and Format: The draft standards will outline the content and format of reports that may be requested as part of the oversight process, specifically for the purposes described in point (c) of Article 31(1). These guidelines will help standardize the reporting requirements and facilitate the assessment of compliance and performance.
  • Presentation of Information: The standards will detail the structure, formats, and methods required for presenting information. This includes how critical ICT third-party service providers must submit, disclose, or report information in accordance with Article 31(1). The goal is to ensure that information is presented in a consistent and accessible manner, making it easier for oversight bodies to review and act upon it.
  • Assessment of Measures by Competent Authorities: The ESAs will also define the specifics of how competent authorities should assess the measures taken by critical ICT third-party service providers. This assessment will be based on recommendations provided by Lead Overseers as outlined in Article 37(2). The standards will ensure that the evaluation process is thorough and consistent across different jurisdictions.

Submission and Adoption of Standards

The ESAs are required to submit these draft regulatory technical standards to the European Commission by 1 January [Insert Year – one year after the date of entry into force]. This submission will initiate the formal process for adopting the standards.

Following the submission, the European Commission holds the delegated power to supplement the DORA Regulation by adopting these regulatory technical standards. This process will be conducted in accordance with the procedures established in Articles 10 to 14 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010, respectively. These procedures ensure that the standards are thoroughly reviewed and formally integrated into the regulatory framework.

Conclusion

Article 36 of DORA plays a critical role in harmonizing the oversight conditions for critical ICT third-party service providers. By directing the ESAs to develop detailed regulatory technical standards, the article aims to ensure uniformity and clarity in the oversight processes. The standards will cover key aspects such as the information required for voluntary opt-in applications, report formats, information presentation, and the assessment of measures based on oversight recommendations. The systematic approach to developing, submitting, and adopting these standards underscores the importance of consistency and transparency in the regulation of ICT third-party services within the financial sector.