Article 37 Digital Operational Resilience Act (DORA): Follow-up by Competent Authorities
The Digital Operational Resilience Act (DORA) aims to enhance the resilience and security of the financial sector's information and communication technology (ICT) systems. Article 37 outlines the responsibilities of competent authorities in monitoring and enforcing compliance with the recommendations issued by Lead Overseers to critical ICT third-party service providers. This article details the procedures and actions required to ensure that the identified risks are addressed effectively.
Notification and Monitoring
- Notification by Critical ICT Third-Party Service Providers
Within 30 calendar days of receiving recommendations from Lead Overseers, as stipulated in point (d) of Article 31(1), critical ICT third-party service providers must notify the Lead Overseer of their intention to follow these recommendations. The Lead Overseer must immediately transmit this information to the competent authorities. This prompt communication ensures that the authorities are aware of the service providers' compliance intentions and can take appropriate actions if necessary.
- Monitoring by Competent Authorities
Competent authorities are responsible for monitoring whether financial entities take into account the risks identified in the recommendations that the Lead Overseer addresses to critical ICT third-party service providers. This ongoing oversight is crucial for ensuring that financial entities remain vigilant and proactive in mitigating ICT-related risks, thereby maintaining the overall resilience of the financial sector.
Enforcement Actions
- Temporary Suspension or Termination of Services
Competent authorities have the power to enforce compliance by requiring financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider. This suspension remains in effect until the identified risks have been addressed. In more severe cases, authorities may require financial entities to terminate, in part or completely, the relevant contractual arrangements with the critical ICT third-party service providers. Such measures ensure that the risks are mitigated promptly and effectively.
- Criteria for Decision-Making
When deciding to suspend or terminate services, competent authorities must consider several factors, including the type and magnitude of the risk not addressed by the critical ICT third-party service provider and the seriousness of the non-compliance. The following criteria guide their decisions:
(a) Gravity and Duration of Non-Compliance: Authorities assess the severity and the length of time the non-compliance has persisted. More severe and prolonged non-compliance issues typically warrant stronger enforcement actions.
(b) Weaknesses in Procedures and Controls: If the non-compliance reveals significant weaknesses in the service provider’s procedures, management systems, risk management, and internal controls, authorities are likely to take more stringent measures to ensure these weaknesses are addressed.
(c) Facilitation of Financial Crime: Authorities consider whether the non-compliance has facilitated, occasioned, or is otherwise attributable to financial crime. In such cases, the enforcement actions may be more severe to prevent future occurrences.
(d) Intentional or Negligent Non-Compliance: The nature of the non-compliance, whether intentional or negligent, also influences the decision. Intentional non-compliance is generally viewed more seriously and may result in stricter enforcement measures.
Regular Reporting and Coordination
- Reporting by Competent Authorities
Competent authorities must regularly inform Lead Overseers about the approaches and measures taken in their supervisory tasks concerning financial entities. This includes reporting on the contractual measures taken by financial entities when critical ICT third-party service providers have not endorsed the recommendations in part or entirely. Regular reporting ensures continuous coordination and alignment between competent authorities and Lead Overseers, promoting a unified approach to overseeing and mitigating ICT-related risks.
Article 37 of the Digital Operational Resilience Act (DORA) establishes a comprehensive framework for competent authorities to follow up on recommendations issued by Lead Overseers to critical ICT third-party service providers. Through timely notifications, vigilant monitoring, and decisive enforcement actions, competent authorities play a crucial role in maintaining the resilience and security of the financial sector's ICT systems. By adhering to the criteria for decision-making and ensuring regular reporting and coordination, they contribute to the effective oversight and management of ICT-related risks, thereby safeguarding the stability and integrity of the financial sector.