Preamble 61 to 73, Digital Operational Resilience Act (DORA)

Sep 4, 2024, by Sneha Naskar

The Digital Operational Resilience Act (DORA) is designed to strengthen the EU financial sector's defenses against cyber threats and ICT risks through a structured and comprehensive oversight framework. The Act introduces measures such as the designation of Lead Overseers for critical ICT third-party service providers, the specification of essential contractual requirements, and the promotion of international cooperation. Below are the key provisions outlined in Preamble 61 to 73 of DORA.

61 Designation of Lead Overseer

To ensure thorough oversight across the Union, one of the European Supervisory Authorities (ESAs) will be designated as the Lead Overseer for each critical ICT third-party service provider within the financial sector. This designation grants the Lead Overseer the authority to conduct both onsite and offsite inspections and access all relevant premises and locations. This enables them to gather the necessary information to fully understand the type, scale, and impact of ICT third-party risks on financial entities and the broader Union financial system.

62 Rationale for Lead Oversight

Designating ESAs as Lead Overseers is essential to managing the systemic risks associated with ICT in the financial sector. Given the extensive reach of critical ICT third-party service providers and the potential for ICT concentration risks, a Union-wide approach is crucial. Multiple uncoordinated audits by individual authorities would fail to provide a comprehensive understanding of these risks, leading to redundancy, increased burdens, and unnecessary complexity for the service providers.

63 Recommendations and Remedies

Lead Overseers should be empowered to issue recommendations on ICT risk management and propose remedies, including opposing specific contractual arrangements that may threaten the stability of financial entities or the financial system. National competent authorities should incorporate these recommendations into their prudential supervision responsibilities for financial entities.

64 Role of the Oversight Framework

The Oversight Framework under DORA is intended to complement, not replace, financial entities' management of risks associated with ICT third-party service providers. Financial entities remain responsible for continuously monitoring their contractual arrangements with these providers. Competent authorities should coordinate their monitoring efforts within the Oversight Framework to prevent duplication and overlap.

65 International Cooperation on Best Practices

To foster global convergence on best practices for managing digital risks posed by ICT third-party service providers, the ESAs should establish cooperation arrangements with relevant supervisory and regulatory authorities in third countries. This initiative aims to create effective standards for addressing ICT risks internationally.

66 Utilization of Technical Expertise

Lead Overseers should draw on the technical expertise of operational and ICT risk management experts from competent authorities. This includes forming a dedicated examination team for each critical ICT third-party service provider, pooling resources to support the preparation and execution of oversight activities, including onsite inspections and any necessary follow-up actions.

67 Supervisory Powers and Cooperation

Competent authorities must have sufficient supervisory, investigative, and enforcement powers to implement DORA effectively. Administrative penalties for non-compliance should generally be made public. Given the cross-border nature of financial entities and ICT third-party service providers, there must be close cooperation among relevant competent authorities, including the European Central Bank (ECB) for specific tasks under Council Regulation (EU) No 1024/2013. This cooperation should involve mutual information exchange and assistance during supervisory activities.

68 Delegated Acts and Technical Standards

To further specify and harmonize the criteria for designating critical ICT third-party service providers and to specify the associated oversight fees, the European Commission should be delegated powers to adopt acts under Article 290 of the Treaty on the Functioning of the European Union. These acts will define the systemic impact of ICT failures, assess the reliance of global and systemically important institutions on ICT providers, and establish the oversight fees and their payment modalities. The Commission should consult widely during the preparatory work, ensuring transparency and equal participation by the European Parliament, the Council, and Member State experts.

69 Amendments and Consistency Across Regulations

DORA consolidates ICT risk management provisions from various Union financial services regulations and directives, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, and (EU) No 909/2014. Amendments to these regulations should clarify that ICT risk-related provisions are now integrated into DORA. The ESAs will develop regulatory technical standards under Article 290 to ensure consistent harmonization of ICT risk management, reporting, testing, and monitoring requirements across financial entities.

70 Consultation on Technical Standards

During the development of regulatory and implementing technical standards for ICT risk management, reporting, testing, and other key requirements, the Commission should conduct appropriate consultations, including at the expert level. These standards should ensure proportional application across financial entities, considering their nature, scale, complexity, and activities.

71 Standardized Reporting and Templates

The ESAs should draft implementing technical standards to create standardized templates, forms, and procedures for financial entities to report major ICT-related incidents and maintain information registers. These standards should accommodate financial entities' diverse sizes, complexities, risks, and activities. The Commission will adopt these standards through implementing acts, empowering the ESAs under Article 291 TFEU and in line with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010.

72 Amendment of Delegated and Implementing Acts

Existing delegated and implementing acts under different financial services legislation should be amended to incorporate digital operational resilience provisions, aligning with DORA's scope on operational risk. Empowerments within these acts should be updated to reflect the digital operational resilience provisions currently covered by other regulations.

73 Union-Level Measures

To achieve a high level of digital operational resilience across all financial entities, it is essential to harmonize the diverse rules that exist within Union acts and Member States' legal frameworks. Union-level measures under DORA, adopted in accordance with the subsidiarity principle set out in Article 5 of the Treaty on European Union, ensure proportionate and effective implementation without exceeding what is necessary, as required by the principle of proportionality.

These provisions underscore DORA's commitment to creating a unified and resilient digital infrastructure for the EU's financial sector, ensuring it remains robust in the face of evolving ICT risks and cyber threats.