Article 29 Digital Operational Resilience Act (DORA), Structure Of The Oversight Framework

The Digital Operational Resilience Act (DORA) establishes a comprehensive oversight framework to manage ICT third-party risks across financial sectors. Article 29 outlines the structure and function of the Oversight Forum, detailing its role in supporting the Joint Committee and the Lead Overseer in monitoring and mitigating ICT risks. This article emphasizes the importance of coordinated efforts and consistent approaches to enhance the digital operational resilience of financial entities within the European Union.

Establishment of the Oversight Forum

The Joint Committee, following the provisions of Article 57 of Regulation (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, will establish the Oversight Forum as a sub-committee. This forum is tasked with supporting the Joint Committee and the Lead Overseer in addressing ICT third-party risks across financial sectors. Its primary role is to prepare draft joint positions and common acts for the Joint Committee.

The Oversight Forum will regularly discuss developments related to ICT risks and vulnerabilities. By doing so, it promotes a consistent approach in monitoring ICT third-party risks at the Union scale. This consistency is crucial for maintaining the stability and security of financial services across member states.

Collective Assessment and Coordination

On an annual basis, the Oversight Forum will conduct a collective assessment of the oversight activities and findings related to all critical ICT third-party providers. This assessment aims to promote coordination measures that enhance the digital operational resilience of financial entities. Additionally, it seeks to foster best practices for addressing ICT concentration risk and explore strategies to mitigate cross-sector risk transfers.

The findings and benchmarks from these assessments will be submitted to the Joint Committee. These comprehensive benchmarks of critical ICT third-party service providers will be adopted as joint positions of the European Supervisory Authorities (ESAs) in accordance with Article 56(1) of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010.

Composition of the Oversight Forum

The Oversight Forum will be composed of the Chairpersons of the ESAs and one high-level representative from the current staff of the relevant competent authority from each Member State. In addition to these core members, the Executive Directors of each ESA, along with representatives from the European Commission, the European Systemic Risk Board (ESRB), the European Central Bank (ECB), and the European Union Agency for Cybersecurity (ENISA), will participate as observers. This diverse composition ensures a wide range of expertise and perspectives, enhancing the effectiveness of the forum's oversight activities.

Guidelines on Cooperation

In accordance with Article 16 of Regulation (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, the ESAs will issue guidelines on cooperation between the ESAs and competent authorities. These guidelines will detail the procedures and conditions for executing tasks between competent authorities and the ESAs. They will also specify the exchange of information necessary for competent authorities to follow up on recommendations addressed by Lead Overseers to critical ICT third-party providers, as outlined in point (d) of Article 31(1).

Compatibility with Other Union Rules

The requirements set out in this section of DORA are designed to complement, not override, existing Union rules. This includes the application of Directive (EU) 2016/1148 and other Union oversight rules applicable to providers of cloud computing services. This approach ensures a harmonized regulatory environment, avoiding conflicts and redundancies in the oversight of ICT third-party providers.

Annual Reporting

Based on the preparatory work conducted by the Oversight Forum, the ESAs, through the Joint Committee, will present an annual report to the European Parliament, the Council, and the Commission. This report will detail the application of this section, providing insights into the effectiveness of the oversight framework and highlighting any areas for improvement. This transparency ensures accountability and continuous enhancement of the oversight processes.

The structure of the Oversight Framework under Article 29 of DORA is a critical component in managing ICT third-party risks within the financial sector. Through the establishment of the Oversight Forum, coordinated assessments, comprehensive guidelines, and annual reporting, this framework aims to enhance the digital operational resilience of financial entities across the European Union. This coordinated approach ensures that financial entities can effectively manage ICT risks, safeguarding the stability and security of financial services in an increasingly digitalized environment.