Article 41 Digital Operational Resilience Act (DORA), Competent Authorities

Sep 12, 2024

Article 41 of the Digital Operational Resilience Act (DORA) outlines the framework for the designation of competent authorities responsible for ensuring compliance with the regulation across various sectors within the European Union's financial system. These authorities are granted specific powers under their respective legal frameworks to enforce DORA’s provisions, ensuring that financial entities maintain a high level of digital operational resilience.

Article 41 Digital Operational Resilience Act (DORA), Competent Authorities

Overview of Competent Authorities

DORA assigns the responsibility of monitoring and enforcing compliance to a variety of competent authorities, each designated according to existing legal acts that govern different types of financial entities. These authorities are empowered to ensure that their respective sectors adhere to the obligations set out by DORA, thereby protecting the integrity of the financial system against digital threats.

  • Credit Institutions: For credit institutions, the competent authority is designated in line with Article 4 of Directive 2013/36/EU. This is without prejudice to the specific tasks conferred on the European Central Bank (ECB) by Regulation (EU) No 1024/2013. This ensures that credit institutions are subject to rigorous oversight, given their critical role in the financial system.
  • Payment Service Providers: For payment service providers, the competent authority is appointed according to Article 22 of Directive (EU) 2015/2366. These entities play a vital role in facilitating secure and efficient payment systems, making their compliance with DORA essential.
  • Electronic Payment Institutions: The authority responsible for electronic payment institutions is designated under Article 37 of Directive 2009/110/EC. This ensures that these institutions, which provide critical services in the digital economy, adhere to the highest standards of operational resilience.
  • Investment Firms: For investment firms, the competent authority is designated according to Article 4 of Directive (EU) 2019/2034. Investment firms are key players in financial markets, and their compliance with DORA is crucial for maintaining market stability.
  • Crypto-Asset Service Providers: The regulation also extends to crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens, and issuers of significant asset-referenced tokens. The competent authority for these entities is designated in accordance with the first indent of point (ee) of Article 3(1) of the [Regulation (EU) 20xx MICA Regulation]. This inclusion reflects the growing importance of crypto-assets in the financial ecosystem and the need for robust oversight.
DORA Compliance Framework
  • Central Securities Depositories: For central securities depositories, the competent authority is designated according to Article 11 of Regulation (EU) No 909/2014. These depositories are critical infrastructure in the financial system, and their operational resilience is essential for ensuring the smooth functioning of securities markets.
  • Central Counterparties: Central counterparties, which play a crucial role in the clearing and settlement of financial transactions, are overseen by the competent authority designated under Article 22 of Regulation (EU) No 648/2012. Their compliance with DORA is vital for reducing systemic risk in financial markets.
  • Trading Venues and Data Reporting Service Providers: The competent authority for trading venues and data reporting service providers is designated in accordance with Article 67 of Directive 2014/65/EU. These entities facilitate the exchange of financial instruments and the reporting of market data, making their operational resilience a priority.
  • Trade Repositories: For trade repositories, the competent authority is designated under Article 55 of Regulation (EU) No 648/2012. Trade repositories provide essential services in the collection and maintenance of financial transaction data, and their compliance with DORA is critical for market transparency and stability.
  • Managers of Alternative Investment Funds: The competent authority for managers of alternative investment funds is designated according to Article 44 of Directive 2011/61/EU. These funds represent significant assets under management, and their operational resilience is essential for protecting investors.
  • Management Companies: Management companies are overseen by the competent authority designated in accordance with Article 97 of Directive 2009/65/EC. These companies manage collective investment schemes, and their adherence to DORA is crucial for safeguarding investor interests.
  • Insurance and Reinsurance Undertakings: For insurance and reinsurance undertakings, the competent authority is designated under Article 30 of Directive 2009/138/EC. These entities provide essential financial protection to individuals and businesses, and their operational resilience is necessary for ensuring the reliability of insurance markets.
DORA Compliance Framework
  • Insurance Intermediaries: Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries are overseen by the competent authority designated in accordance with Article 12 of Directive (EU) 2016/97. These intermediaries play a key role in the distribution of insurance products, and their compliance with DORA is important for maintaining consumer trust.
  • Institutions for Occupational Retirement Pensions: The competent authority for institutions for occupational retirement pensions is designated according to Article 47 of Directive 2016/2341. These institutions manage pension funds for employees, and their operational resilience is vital for ensuring the security of retirement savings.
  • Credit Rating Agencies: Credit rating agencies are overseen by the competent authority designated under Article 21 of Regulation (EC) No 1060/2009. These agencies provide critical assessments of credit risk, and their compliance with DORA is necessary for maintaining the credibility of credit ratings.
  • Statutory Auditors and Audit Firms: For statutory auditors and audit firms, the competent authority is designated according to Articles 3(2) and 32 of Directive 2006/43/EC. These auditors play a key role in ensuring the accuracy and reliability of financial statements, making their operational resilience a priority.
  • Administrators of Critical Benchmarks: Administrators of critical benchmarks are overseen by the competent authority designated in accordance with Articles 40 and 41 of Regulation xx/202x. These benchmarks are essential for financial markets, and their compliance with DORA is necessary for maintaining market integrity.
  • Crowdfunding Service Providers: Crowdfunding service providers are designated under Article x of Regulation xx/202x. These platforms facilitate alternative funding methods, and their operational resilience is important for supporting innovation and entrepreneurship.
  • Securitisation Repositories: Finally, securitisation repositories are overseen by the competent authority designated in accordance with Articles 10 and 14(1) of Regulation (EU) 2017/2402. These repositories manage information related to securitised assets, and their compliance with DORA is essential for market transparency.

In summary, Article 41 of DORA establishes a comprehensive framework for the designation of competent authorities across various sectors of the financial system. These authorities are tasked with ensuring that their respective entities comply with DORA’s provisions, thereby enhancing the overall digital operational resilience of the European Union’s financial system.

DORA Compliance Framework