Article 32 Digital Operational Resilience Act (DORA), Request For Information

Jul 25, 2024by Sneha Naskar

Article 32 of the Digital Operational Resilience Act (DORA) establishes the procedures and requirements for the Lead Overseer to request information from critical ICT third-party service providers. This article outlines the processes, legal bases, and responsibilities involved in ensuring that the Lead Overseer can effectively carry out its oversight duties. By obtaining necessary information, the Lead Overseer ensures that ICT third-party providers comply with regulatory standards, thereby enhancing the resilience of financial entities.

Article 32 Digital Operational Resilience Act (DORA), Request For Information

Procedures For Requesting Information

  1. Information Request by the Lead Overseer

The Lead Overseer is empowered to request all information necessary to perform its regulatory duties under DORA. This includes various business or operational documents, contracts, policy documentation, ICT security audit reports, and ICT-related incident reports. The scope of the information request also extends to any details related to parties to whom the critical ICT third-party provider has outsourced operational functions or activities.

  1. Simple Requests for Information

When the Lead Overseer sends a simple request for information, specific guidelines must be followed:

  • Legal Basis: The request must refer to Article 32 as the legal basis.
  • Purpose: The request should clearly state its purpose.
  • Specificity: It must specify the exact information required.
  • Time Limit: A deadline for providing the requested information must be set.
  • Voluntary Compliance: The critical ICT third-party service provider must be informed that compliance with the request is voluntary. However, if they choose to respond, the information provided must be accurate and not misleading.

DORA Compliance Framework

  1. Mandatory Requests for Information

In cases where the Lead Overseer requires information on a mandatory basis, additional steps are necessary:

  • Legal Basis: The request must again refer to Article 32 as the legal basis.
  • Purpose: It should state the purpose of the request.
  • Specificity: The request must detail the specific information required.
  • Time Limit: A clear deadline for providing the information must be established.
  • Penalties: The request should indicate the periodic penalty payments that will be applied if the information provided is incomplete.
  • Rights to Appeal: It should inform the provider of their right to appeal the decision before ESA’s Board of Appeal and the right to have the decision reviewed by the Court of Justice of the European Union (Court of Justice) in accordance with relevant regulations.

Responsibilities of ICT Third-Party Providers

  • Compliance with Information Requests

Representatives of critical ICT third-party service providers are obligated to supply the information requested by the Lead Overseer. They may choose to authorize lawyers to act on their behalf, but the service provider remains fully responsible for the completeness, accuracy, and truthfulness of the information provided.

  • Accuracy and Completeness

Any information provided in response to a request, whether voluntary or mandatory, must be accurate and not misleading. This ensures that the Lead Overseer can rely on the information to make informed decisions about the ICT third-party provider’s compliance with regulatory standards.

  • Communication with Competent Authorities

The Lead Overseer must send a copy of the decision to supply information to the competent authorities of the financial entities using the critical ICT third-party providers’ services. This step ensures that all relevant parties are informed about the information request and the response provided.

Ensuring Compliance and Accountability

  • Enforcement of Penalties

If the information supplied is incomplete or the critical ICT third-party provider fails to comply with the mandatory request, the Lead Overseer can impose periodic penalty payments. These penalties serve as a coercive measure to ensure compliance and are calculated based on a percentage of the provider’s average daily worldwide turnover from the previous business year.

  • Rights of Appeal and Judicial Review

Providers have the right to appeal the decision to request information before ESA’s Board of Appeal. Additionally, they can seek a judicial review of the decision by the Court of Justice. These rights ensure that providers have a fair opportunity to contest the Lead Overseer's decisions and protect their interests.

Article 32 of DORA outlines a clear and structured process for the Lead Overseer to request information from critical ICT third-party service providers. By establishing guidelines for both simple and mandatory requests, the article ensures that the Lead Overseer can effectively gather the necessary information to oversee compliance. The responsibilities placed on ICT third-party providers, along with the mechanisms for enforcement and appeals, create a robust framework for maintaining digital operational resilience in the financial sector.

DORA Compliance Framework