Article 34 Digital Operational Resilience Act (DORA), On-site Inspections

The Digital Operational Resilience Act (DORA) is designed to enhance the ICT (Information and Communication Technology) resilience of financial entities by establishing stringent regulatory frameworks. Article 34 of DORA details the authority and procedures for the Lead Overseer to conduct on-site inspections of ICT third-party service providers. These inspections ensure that these providers meet regulatory standards and maintain the security and integrity of their services to financial entities.

Scope and Authority of On-Site Inspections

1. Purpose and Conduct of Inspections

To fulfill its regulatory duties, the Lead Overseer, assisted by examination teams as outlined in Article 35(1), can conduct on-site inspections of ICT third-party providers' business premises. These premises include head offices, operation centers, secondary premises, and any other relevant property. The inspections can also be conducted off-site as necessary.

2. Empowerment of the Lead Overseer

The Lead Overseer and authorized officials have comprehensive powers to ensure thorough inspections:

• Entry and Inspection: They can enter any business premises, land, or property of the ICT third-party providers to conduct inspections.

• Sealing Premises and Records: They have the authority to seal business premises, books, and records for the duration of the inspection, if necessary.

Procedures and Requirements

1. Written Authorization for Inspections

Authorized officials must present a written authorization when conducting an on-site inspection. This authorization specifies the inspection's subject matter and purpose and includes details about periodic penalty payments as provided for in Article 31(4) if the ICT third-party service provider does not comply with the inspection.

2. Obligations of ICT Third-Party Service Providers

Representatives of ICT third-party service providers are required to comply with on-site inspections based on the Lead Overseer's decision. This decision should clearly state the inspection's subject matter and purpose, the date it will begin, the periodic penalty payments as per Article 31(4), the legal remedies available under EU Regulations No 1093/2010, No 1094/2010, and No 1095/2010, and the right to have the decision reviewed by the Court of Justice.

Notification and Compliance

1. Informing Competent Authorities

Before conducting an on-site inspection, the Lead Overseer must inform the competent authorities of the financial entities using the ICT third-party provider's services. This notification ensures transparency and coordination among regulatory bodies.

2. Notice to Service Providers

Lead Overseers are required to give reasonable notice to the critical ICT third-party service providers before any planned on-site visit. However, in cases of emergency or crisis, or if prior notice would compromise the effectiveness of the inspection, the notice may not be given.

Ensuring Compliance and Accountability

1. Full Scope of Inspections

Inspections must cover all relevant ICT systems, networks, devices, information, and data used for or contributing to the provision of services to financial entities. This comprehensive scope ensures that the ICT third-party service providers are fully compliant with regulatory standards.

2. Submission to Inspections

Critical ICT third-party service providers must submit to on-site inspections as mandated by the Lead Overseer's decision. Failure to comply can result in periodic penalty payments, reinforcing the importance of cooperation and compliance with the regulatory framework.

Consequences of Non-Compliance

1. Opposition to Inspections

If officials and other authorized persons find that a critical ICT third-party service provider opposes an inspection, the Lead Overseer will inform the provider of the consequences. These consequences include the possibility for competent authorities of the relevant financial entities to terminate their contractual arrangements with the non-compliant ICT third-party service provider.

2. Enforcement of Penalties

In cases of non-compliance, the Lead Overseer can enforce periodic penalty payments. These penalties serve as a deterrent against opposition and ensure that providers adhere to the regulatory standards.

Article 34 of the Digital Operational Resilience Act (DORA) provides a robust framework for the Lead Overseer to conduct on-site inspections of ICT third-party service providers. By outlining clear procedures, powers, and responsibilities, this article ensures that inspections are thorough and effective. The provisions for compliance, enforcement of penalties, and legal remedies contribute to maintaining a resilient and secure ICT infrastructure within the financial sector. Through these measures, DORA enhances the overall operational resilience of financial entities, safeguarding them against potential ICT risks and disruptions.