Article 36 Digital Operational Resilience Act (DORA), Harmonisation Of Conditions Enabling The Conduct Of The Oversight

by Sneha Naskar

The Digital Operational Resilience Act (DORA) aims to enhance the security and resilience of the financial sector’s ICT infrastructure. Article 36 of DORA focuses on harmonizing the conditions that enable effective oversight of critical ICT third-party service providers. This harmonization is essential for ensuring consistency and effectiveness in regulatory practices across the European Union.

Harmonisation Of Conditions Enabling The Conduct Of The Oversight

Development of Regulatory Technical Standards

  1. Role of the European Supervisory Authorities (ESAs)

The ESAs, through the Joint Committee, are responsible for developing draft regulatory technical standards. These standards are crucial for specifying various aspects of the oversight process, ensuring that it is conducted uniformly and effectively across all member states.

  2. Key Areas for Standard Specification

(a) Voluntary Opt-In Applications

One of the critical areas for which the ESAs must develop standards is the information required from a critical ICT third-party service provider when applying for a voluntary opt-in under Article 28(8). This ensures that all relevant data is provided, facilitating a smooth and efficient opt-in process.

(b) Content and Format of Reports

Another essential aspect is the content and format of reports that may be requested as part of the oversight activities, particularly those outlined in point (c) of Article 31(1). Clear and standardized reporting formats are vital for consistency and ease of analysis.

(c) Presentation of Information

The ESAs are also tasked with specifying the presentation of information. This includes the structure, formats, and methods that a critical ICT third-party service provider must use when submitting, disclosing, or reporting information as per Article 31(1). Standardizing these aspects ensures that the information is presented in a uniform manner, facilitating better understanding and analysis.

(d) Assessment of Measures by Competent Authorities

Lastly, the ESAs must detail how competent authorities should assess the measures taken by critical ICT third-party service providers based on the recommendations of Lead Overseers, as per Article 37(2). This assessment is crucial for ensuring that the recommended measures are effectively implemented and that they address the identified risks.


Timeline For Submission and Adoption

  1. Submission of Draft Standards

The ESAs are required to submit the draft regulatory technical standards to the Commission by 1 January 20xx, which is one year after the regulation's entry into force. This deadline ensures that the standards are developed and implemented in a timely manner, allowing for the effective oversight of ICT third-party service providers.

  2. Delegation of Powers to the Commission

The Commission is delegated the power to supplement the regulation by adopting the regulatory technical standards. This adoption follows the procedure laid down in Articles 10 to 14 of Regulations (EU) No 1093/2010, No 1094/2010, and No 1095/2010. This delegation ensures that the standards are formally integrated into the regulatory framework, providing a clear and enforceable basis for oversight activities.

Ensuring Effective and Consistent Oversight

  1. Importance of Harmonized Standards

The development of harmonized standards is critical for ensuring that oversight activities are conducted consistently and effectively across the EU. These standards provide a clear framework for both ICT third-party service providers and the competent authorities overseeing them, reducing ambiguities and ensuring a high level of compliance.

  2. Benefits of Standardization

Standardization offers numerous benefits, including improved transparency, consistency in data presentation, and ease of regulatory analysis. It ensures that all stakeholders are on the same page, facilitating smoother and more effective oversight processes.

Article 36 of the Digital Operational Resilience Act (DORA) plays a vital role in harmonizing the conditions that enable effective oversight of critical ICT third-party service providers. By mandating the development of detailed regulatory technical standards, DORA ensures that oversight activities are conducted uniformly and effectively across the EU. The timely submission and adoption of these standards are crucial for maintaining the security and resilience of the financial sector's ICT infrastructure. This harmonization not only enhances regulatory practices but also ensures that critical ICT third-party service providers meet the required standards, thereby safeguarding the financial sector against ICT-related risks.