Article 33 Digital Operational Resilience Act (DORA), General Investigations

Jul 25, 2024by Sneha Naskar

The Digital Operational Resilience Act (DORA) aims to strengthen the ICT (Information and Communication Technology) resilience of financial entities by establishing comprehensive regulatory frameworks. Article 33 of DORA outlines the authority and procedures for the Lead Overseer to conduct general investigations of ICT third-party service providers. These investigations ensure compliance with regulatory standards and help maintain the integrity and security of services provided to financial entities.

Digital Operational Resilience Act (DORA), General Investigations

Scope and Authority of the Lead Overseer

Purpose and Conduct of Investigations

    The Lead Overseer, with the assistance of an examination team as specified in Article 34(1), is tasked with conducting necessary investigations of ICT third-party service providers. These investigations are vital for ensuring that these providers adhere to the regulatory requirements set forth in DORA.

    Empowerment of the Lead Overseer

      The Lead Overseer is granted several powers to facilitate thorough investigations:

      • Examination of Records and Data: The Lead Overseer can examine records, data, procedures, and any other materials relevant to their tasks, regardless of the storage medium.
      • Certified Copies and Extracts: The Lead Overseer can take or obtain certified copies of, or extracts from, the examined records, data, procedures, and other materials.
      • Summoning Representatives: Representatives of the ICT third-party service provider can be summoned for oral or written explanations on facts or documents related to the investigation’s subject matter and purpose. The responses can be recorded.
      • Interviews: The Lead Overseer can interview any natural or legal person willing to provide information pertinent to the investigation.
      • Requesting Communication Records: The Lead Overseer can request records of telephone and data traffic to gather more information.

      DORA Compliance Framework

      Procedures and Requirements

      • Written Authorisation for Investigations

        Officials and other persons authorised by the Lead Overseer to conduct investigations must present a written authorisation. This document should specify the investigation's subject matter and purpose. It should also indicate the periodic penalty payments outlined in Article 31(4) for failure to provide required records, data, procedures, or complete answers to questions.

        • Obligations of ICT Third-Party Service Providers

          Representatives of ICT third-party service providers are required to comply with the investigations based on the Lead Overseer's decision. This decision must clearly state the investigation's subject matter and purpose, the periodic penalty payments as per Article 31(4), the legal remedies available under EU Regulations No 1093/2010, No 1094/2010, and No 1095/2010, and the right to have the decision reviewed by the Court of Justice.

          Notification and Compliance

          • Informing Competent Authorities

            Before conducting an investigation, the Lead Overseer must inform the competent authorities of the financial entities using the ICT third-party service provider. This notification includes the details of the investigation and the identities of the authorised persons involved. This step ensures transparency and coordination among relevant regulatory bodies.

            • Submission to Investigations

            ICT third-party service providers must submit to the investigations as mandated by the Lead Overseer’s decision. This compliance is crucial for maintaining the integrity of the financial sector’s ICT infrastructure. Failure to comply can result in periodic penalty payments, reinforcing the importance of cooperation.

            Ensuring Compliance and Accountability

            1. Enforcement of Penalties

            In cases where ICT third-party service providers fail to comply with the investigation requirements, the Lead Overseer can enforce periodic penalty payments. These penalties serve as a deterrent against non-compliance and ensure that providers adhere to the regulatory standards.

            1. Legal Remedies and Review

            ICT third-party service providers have the right to seek legal remedies under EU Regulations No 1093/2010, No 1094/2010, and No 1095/2010. Additionally, they can request a review of the Lead Overseer’s decision by the Court of Justice. This provision ensures that providers have a fair opportunity to contest decisions and protect their interests.

            Article 33 of the Digital Operational Resilience Act (DORA) provides a robust framework for the Lead Overseer to conduct general investigations of ICT third-party service providers. By outlining clear procedures, powers, and responsibilities, this article ensures that investigations are thorough and effective. The provisions for compliance, enforcement of penalties, and legal remedies contribute to maintaining a resilient and secure ICT infrastructure within the financial sector. Through these measures, DORA enhances the overall operational resilience of financial entities, safeguarding them against potential ICT risks and disruptions.

            DORA Compliance Framework