Article 31 Digital Operational Resilience Act (DORA), Powers Of The Lead Overseer

Jul 23, 2024by Sneha Naskar

Article 31 of the Digital Operational Resilience Act (DORA) sets out the powers granted to the Lead Overseer for overseeing critical ICT third-party service providers. Those powers exist to hold such providers to high standards of ICT risk management and resilience in the services they deliver to financial entities. This article details the Lead Overseer's authority, the procedural safeguards around its use, and the mechanism for compelling cooperation. A note on numbering: the article numbers used here follow the Commission's 2020 proposal. In the adopted text, Regulation (EU) 2022/2554, the same provision is Article 35, and the request for information, general investigations and inspections are found in Articles 37, 38 and 39.


Authority and Responsibilities Of The Lead Overseer

The Lead Overseer is vested with several key powers to fulfill their duties effectively:

  • Information Requests: The Lead Overseer can request all relevant information and documentation from critical ICT third-party service providers. This power is the basis for forming a comprehensive picture of a provider's ICT risk management practices and of its compliance with DORA's requirements.
  • Investigations and Inspections: The Lead Overseer is authorised to conduct general investigations and inspections as set out in Articles 33 and 34 (Articles 38 and 39 of the adopted Regulation). These are the means of identifying weaknesses or non-compliance in the ICT systems and processes of critical providers at first hand rather than from self-reported documentation.
  • Follow-Up Reports: After completing oversight activities, the Lead Overseer can request reports specifying the actions taken or remedies implemented by a critical ICT third-party service provider in response to its recommendations. This closes the loop between a finding and its remediation.
  • Recommendations: The Lead Overseer has the authority to issue recommendations in the following areas:
    • ICT Security and Quality: Recommendations may require specific ICT security and quality requirements or processes, in particular regarding the roll-out of patches, updates, encryption and other security measures deemed relevant to the ICT security of services provided to financial entities.
    • Service Conditions: The Lead Overseer may recommend changes to the conditions and terms under which services are provided to financial entities, including their technical implementation, in order to prevent the creation or amplification of single points of failure and to minimise the possible systemic impact across the Union's financial sector in the event of ICT concentration risk.
    • Planned Subcontracting: Recommendations can also address planned subcontracting, including arrangements the provider intends to enter into with ICT third-party service providers or ICT subcontractors established in a third country, where the Lead Overseer deems, on the basis of information gathered through requests and investigations, that the further subcontracting may create risks for the provision of services to financial entities or for financial stability.
    • Refraining from Further Subcontracting: The Lead Overseer may recommend that a provider refrain from entering into a further subcontracting arrangement, but only where three conditions are met together: the envisaged subcontractor is an ICT third-party service provider or ICT subcontractor established in a third country, the subcontracting concerns critical or important functions of a financial entity, and the Lead Overseer deems that the arrangement poses a clear and serious risk to the financial stability of the Union or to financial entities, including their ability to comply with supervisory requirements. This is a recommendation rather than a direct prohibition: if the provider disregards it, the consequences are applied by the competent authorities of the financial entities concerned under the follow-up provisions, which may as a measure of last resort require financial entities to suspend or terminate the relevant contractual arrangements.

Consultation and Cooperation

Before exercising any of the powers listed above, the Lead Overseer must consult the Oversight Forum. In addition, before issuing a recommendation, the Lead Overseer must give the provider the opportunity to supply, within 30 calendar days, relevant information evidencing the expected impact on customers that fall outside the scope of DORA and, where appropriate, to propose solutions to mitigate the risks. Critical ICT third-party service providers are required to cooperate in good faith with the Lead Overseer and to assist it in the fulfilment of its tasks.

Enforcement and Penalties

To ensure that providers actually cooperate with its oversight activities, the Lead Overseer may impose periodic penalty payments:

  • Periodic Penalty Payments: Where a provider fails to comply with a request for information, to submit to a general investigation or inspection, or to deliver a requested follow-up report, the Lead Overseer may impose a periodic penalty payment to compel compliance. The payment accrues on a daily basis until compliance is achieved, and for no more than six months following notification to the provider of the decision imposing it. Non-compliance with a recommendation is not itself penalised under this article; it is dealt with through the follow-up by the competent authorities of the financial entities concerned.
  • Penalty Amount: The daily amount may be up to 1% of the provider's average daily worldwide turnover in the preceding business year, calculated from the date stipulated in the decision. In setting the amount, the Lead Overseer takes into account the gravity and duration of the non-compliance, whether it was committed intentionally or negligently, and the provider's level of cooperation with the Lead Overseer.
  • Enforcement and Jurisdiction: Periodic penalty payments are administrative in nature and enforceable. Enforcement is governed by the rules of civil procedure in force in the Member State on whose territory inspections and access are carried out, and the courts of that Member State have jurisdiction over complaints about irregular conduct of enforcement. The amounts collected are allocated to the general budget of the European Union.
  • Public Disclosure: The European Supervisory Authorities (ESAs) disclose to the public every periodic penalty payment imposed, unless disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.

Rights Of The Defence

Before imposing a periodic penalty payment, the Lead Overseer must give representatives of the critical ICT third-party service provider subject to the proceedings the opportunity to be heard on the findings, and may base its decision only on findings on which the provider has had an opportunity to comment. The rights of the defence must be fully respected throughout the proceedings, including the right of access to the file, subject to the legitimate interest of other persons in the protection of their business secrets. That right of access does not extend to confidential information or to the Lead Overseer's internal preparatory documents.

Article 31 of DORA gives the Lead Overseer the working tools for overseeing critical ICT third-party service providers. By requesting information, conducting investigations and inspections, issuing recommendations and, where a provider refuses to cooperate, imposing periodic penalty payments, the Lead Overseer plays a central role in holding these providers to high standards of ICT risk management. Mandatory consultation of the Oversight Forum and respect for the rights of the defence keep that authority accountable, supporting the resilience and stability of the financial sector's digital infrastructure.
