Article 51 Digital Operational Resilience Act (DORA), Review Clause

Sep 12, 2024

Article 51 of the Digital Operational Resilience Act (DORA) is the regulation's review clause: it obliges the European Commission to re-examine, after a fixed period of application, whether the regulation is still working as intended. The provision discussed here concerns the criteria for designating ICT third-party service providers as critical, which determines which providers (for example large cloud or data-centre operators serving many financial entities) fall under the Oversight Framework. The review is meant to evaluate whether those criteria are effective in practice and to propose adjustments where they are not.

Article 51 Digital Operational Resilience Act (DORA), Review Clause

Timing and Scope of the Review

Article 51 sets a clear deadline for the review. In the Commission's original proposal the deadline was expressed as five years after the regulation's entry into force; in the adopted text, Regulation (EU) 2022/2554, it is fixed as 17 January 2028 (the regulation entered into force on 16 January 2023 and applies from 17 January 2025). This timeframe allows for sufficient observation of the regulation's implementation and the collection of data on its effectiveness. The review assesses whether the criteria for designating critical ICT third-party service providers continue to meet the regulation's objectives in a rapidly evolving digital landscape. These criteria were set out in Article 28(2) of the proposal and appear as Article 31(2) in the adopted regulation, which also widens the review to further items beyond the designation criteria; this article concentrates on the designation criteria.

The review process is not conducted in isolation. Article 51 requires the Commission to consult, as appropriate, the three European Supervisory Authorities, namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), together with the European Systemic Risk Board (ESRB). These bodies are central to the EU financial regulatory framework, and the ESAs in particular act jointly as Lead Overseers of critical ICT third-party service providers, so each brings direct operational experience of how the designation criteria work in practice.

Consultation with Supervisory Authorities

The consultation with EBA, ESMA, EIOPA and the ESRB ensures that the review is informed by a broad range of perspectives. EBA, ESMA and EIOPA supervise the banking, securities and insurance sectors respectively, while the ESRB is responsible for macroprudential oversight of the financial system as a whole and focuses on systemic risk and financial stability. Their collective input helps evaluate how well the criteria for designating critical ICT third-party service providers function in practice and whether they adequately capture concentration risk and other emerging risks.

The consultation will likely involve gathering feedback on the effectiveness of the current criteria (for instance, whether they capture the providers on which many financial entities actually depend, and whether the thresholds are workable), identifying challenges or gaps that have emerged, and assessing the overall impact of the criteria on the resilience of the financial system. This collaborative approach aims to ensure that the review is thorough and considers the views of all relevant stakeholders.


Reporting and Legislative Proposals

Following the review, the Commission must submit a report to the European Parliament and the Council. The report summarises the findings of the review, including any identified issues or areas for improvement in the criteria for designating critical ICT third-party service providers, and provides the basis for judging whether the current framework is sufficient or whether adjustments are needed.

Where appropriate, the Commission may accompany the report with a legislative proposal. Such a proposal could amend the existing criteria or introduce new provisions to enhance the regulation's effectiveness. Because DORA is a regulation adopted under the ordinary legislative procedure, any amendment would itself be subject to scrutiny and adoption by the European Parliament and the Council, ensuring that changes are carefully considered and debated rather than made by the Commission alone.

Purpose and Impact of the Review

The primary purpose of Article 51's review clause is to ensure that DORA remains effective in addressing the evolving challenges of digital operational resilience. The designation of critical ICT third-party service providers is a key component of the regulation, because designation is what brings a provider within the Oversight Framework; these providers form part of the financial sector's digital infrastructure and a disruption at one of them can affect many financial entities at once. It is therefore essential to evaluate periodically whether the designation criteria remain appropriate and effective.

The review also aims to keep the regulation relevant in the face of technological change and emerging risks. The digital landscape is dynamic: shifts in how financial entities consume ICT services, or new forms of dependency on a small number of providers, could require adjustments to the criteria for critical ICT third-party service providers. By building in a scheduled review, Article 51 helps ensure that DORA adapts to these changes and continues to provide robust protection for the financial system.

Conclusion

In summary, Article 51 of the Digital Operational Resilience Act establishes a review mechanism to assess and, if necessary, refine the criteria for designating critical ICT third-party service providers. Due by 17 January 2028 (five years after the regulation's entry into force), the review involves consultation with EBA, ESMA, EIOPA and the ESRB and results in a report to the European Parliament and the Council. Where appropriate, the report may be accompanied by a legislative proposal to update the criteria so that they better address evolving risks and preserve the effectiveness of DORA in safeguarding digital operational resilience within the EU's financial sector.
