Article 37 Digital Operational Resilience Act (DORA), Follow-Up By Competent Authorities

Sep 12, 2024 by Sneha Naskar

Article 37 of the Digital Operational Resilience Act (DORA) sets out what competent authorities must do once a Lead Overseer has issued recommendations to a critical ICT third-party service provider. The recommendations are not directly enforceable against the provider, so Article 37 routes enforcement through the financial entities that use the provider and the competent authorities that supervise them. Note that the article numbers used on this page (Articles 31, 37 and 44) follow the Commission's 2020 proposal; in the adopted text, Regulation (EU) 2022/2554, the same provision appears as Article 42, the recommendation power as Article 35(1)(d) and the penalties provision as Article 50, and the notification deadline was extended to 60 calendar days.


Notification Of Intent To Follow Recommendations

Within 30 calendar days of receiving recommendations issued by the Lead Overseer under Article 31(1)(d), a critical ICT third-party service provider must notify the Lead Overseer whether it intends to follow them. The Lead Overseer must immediately pass that notification on to the competent authorities. The point of the relay is that the authorities supervising the affected financial entities learn promptly whether the provider will act, so that they can begin their own follow-up rather than waiting for the risk to materialise.

Monitoring By Competent Authorities

Competent authorities must monitor whether financial entities take into account the risks identified in the recommendations addressed to critical ICT third-party providers by the Lead Overseer. The monitoring target is the financial entity, not the provider: a supervised firm is expected to treat a recommendation about its provider as a finding about its own third-party risk, and to reflect it in its ICT risk management framework and in its contractual arrangements with that provider.

Actions In Case Of Non-Compliance

Where a critical ICT third-party provider has not addressed the risks identified in the recommendations, competent authorities may act, but the measures are directed at the financial entities rather than at the provider. Under Article 44 they may require financial entities to temporarily suspend, in part or completely, the use or deployment of a service provided by that provider until the identified risks have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements with the provider. This is the only hard enforcement lever in Article 37, and it lands on the financial entity, which is why DORA elsewhere requires exit strategies for ICT services supporting critical or important functions: a firm that cannot suspend or replace the service without disrupting those functions has little room to comply with such an order.


Criteria For Decision-Making

When deciding whether to require suspension or termination, competent authorities must take into account the type and magnitude of the risk the provider has left unaddressed and the seriousness of the non-compliance, having regard to the following criteria:

  • Gravity and duration of the non-compliance: how serious the failure is and how long it has persisted. A minor gap closed quickly warrants a lighter response than a serious one left open for months.
  • Weaknesses revealed: whether the non-compliance has revealed serious weaknesses in the provider's procedures, management systems, risk management and internal controls. A failure that points to systemic control deficiencies weighs more heavily than an isolated lapse.
  • Facilitation of financial crime: whether financial crime was facilitated, occasioned or otherwise attributable to the non-compliance.
  • Intentional or negligent conduct: whether the non-compliance was intentional or negligent. Deliberate disregard of a recommendation is treated differently from a failure to act that arises from oversight.

Regular Reporting

Competent authorities must regularly inform the Lead Overseers of the approaches and measures they take in supervising financial entities in relation to critical ICT third-party services, and of the contractual arrangements financial entities have made where a critical ICT third-party provider has endorsed the Lead Overseer's recommendations only in part or not at all. This reporting closes the loop: the Lead Overseer issues the recommendation, the provider declares whether it will follow it, and the competent authorities report back on what the financial entities actually did about it.

Conclusion

Article 37 sets out the follow-up chain for Lead Overseer recommendations to critical ICT third-party service providers: the provider notifies the Lead Overseer whether it will follow them, competent authorities monitor whether financial entities take the identified risks into account, and, where the risks remain unaddressed, competent authorities may require financial entities to suspend or terminate use of the service, weighing the criteria above. Regular reporting back to the Lead Overseer keeps the oversight of the provider and the supervision of the financial entities aligned.
