Article 35 Digital Operational Resilience Act (DORA), Ongoing Oversight

Jul 25, 2024 by Sneha Naskar

The Digital Operational Resilience Act (DORA) aims to ensure the operational resilience of financial entities by regulating their ICT (Information and Communication Technology) systems and the third parties that supply them. Article 35 of DORA sets out the framework for ongoing oversight of critical ICT third-party service providers. This oversight matters because a weakness at a single critical provider can propagate to every financial entity that depends on it.

Ongoing Oversight

Formation and Role of the Examination Team

  1. Assistance in Investigations and Inspections

The Lead Overseer, which conducts general investigations and on-site inspections, is assisted by a joint examination team established for each critical ICT third-party service provider. This team carries out the day-to-day oversight work.

  2. Composition and Expertise

The joint examination team comprises staff members from the Lead Overseer and from the relevant competent authorities that supervise the financial entities receiving services from the critical ICT third-party provider. The team, limited to a maximum of 10 members, must have expertise in ICT matters and in operational risk. Its work is coordinated by a designated ESA staff member, known as the Lead Overseer coordinator.

DORA Compliance Framework

Development and Adoption of Standards

  1. Regulatory Technical Standards

The European Supervisory Authorities (ESAs), through the Joint Committee, are responsible for developing common draft regulatory technical standards. These standards specify how joint examination team members are designated from the relevant competent authorities, along with the team's tasks and working arrangements. The ESAs must submit these drafts to the Commission within one year of DORA's entry into force.

  2. Delegation of Powers

The Commission is empowered to adopt the regulatory technical standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010. Adopting the standards at EU level means the same rules on team composition and working arrangements apply in every member state, so oversight is carried out consistently.

Post-Investigation Procedures and Recommendations

  1. Adoption of Recommendations

Within three months after completing an investigation or on-site inspection, the Lead Overseer, after consulting the Oversight Forum, adopts recommendations addressed to the critical ICT third-party service provider. These recommendations are issued under the powers set out in Article 31, so that issues identified during the investigation or inspection are addressed promptly.

  2. Communication of Recommendations

The recommendations are immediately communicated both to the critical ICT third-party service provider and to the competent authorities of the financial entities it serves. Informing the supervisors of the affected financial entities at the same time as the provider lets them track remediation of the identified shortcomings rather than learning of them after the fact.

Consideration of Certifications and Audit Reports

  1. Third-Party Certifications and Audit Reports

In carrying out oversight tasks, the Lead Overseer may take into consideration any relevant third-party certifications and internal or external ICT audit reports made available by the critical ICT third-party service provider. Such documents can reduce duplicated assessment work and help the examination team focus its own investigations, although they supplement rather than replace the Lead Overseer's own findings.

Article 35 of the Digital Operational Resilience Act (DORA) provides a framework for ongoing oversight of critical ICT third-party service providers. By setting out how examination teams are formed and operate, how regulatory technical standards are developed, and how recommendations are adopted and communicated, DORA supports the security and resilience of the ICT services on which financial entities depend. This continuous oversight is intended to maintain the stability and integrity of the financial sector in the face of evolving ICT risks.