Article 41 Digital Operational Resilience Act (DORA), Competent Authorities

Article 41 of the Digital Operational Resilience Act (DORA) establishes a structured framework for overseeing the compliance of various financial entities with digital operational resilience requirements. This article delineates the roles and responsibilities of the competent authorities designated to enforce and monitor adherence to DORA’s provisions across different sectors within the financial industry. The purpose of Article 41 is to ensure that each type of financial entity, from credit institutions to crypto-asset service providers, adheres to the regulatory standards set out to enhance their digital resilience. By assigning specific authorities to oversee different categories of financial institutions, Article 41 aims to create a robust supervisory environment that upholds high standards of cybersecurity and operational stability.

Oversight by Competent Authorities under DORA

Aside from the provisions governing oversight of critical ICT third-party service providers in Section II of Chapter V of this Regulation, compliance with the obligations outlined herein shall be overseen by the following competent authorities, exercising powers granted by their respective legal frameworks:

(a) Credit Institutions: The competent authority designated under Article 4 of Directive 2013/36/EU, except for specific tasks assigned to the European Central Bank (ECB) under Regulation (EU) No 1024/2013, will oversee compliance for credit institutions. These authorities ensure that credit institutions adhere to the regulatory requirements related to digital operational resilience and other relevant directives.

(b) Payment Service Providers: The competent authority designated under Article 22 of Directive (EU) 2015/2366 will be responsible for overseeing payment service providers. This includes ensuring that these providers comply with regulations designed to enhance their digital resilience and protect the integrity of their payment systems.

(c) Electronic Payment Institutions: The competent authority designated under Article 37 of Directive 2009/110/EC will oversee electronic payment institutions. This authority ensures that electronic payment institutions adhere to the necessary regulations, maintaining the security and efficiency of their services.

(d) Investment Firms: The competent authority designated under Article 4 of Directive (EU) 2019/2034 will oversee investment firms. This authority is responsible for ensuring that investment firms comply with regulatory requirements that enhance their operational resilience against cyber threats and other risks.

(e) Crypto-Asset Service Providers, Issuers of Crypto-Assets, Issuers of Asset-Referenced Tokens, and Issuers of Significant Asset-Referenced Tokens: The competent authority designated under the first indent of point (ee) of Article 3(1) of the forthcoming Regulation (EU) 20xx on Markets in Crypto-Assets (MICA Regulation) will oversee these entities. This authority ensures compliance with regulations that enhance the security and reliability of crypto-asset services and products.

(f) Central Securities Depositories: The competent authority designated under Article 11 of Regulation (EU) No 909/2014 will oversee central securities depositories. This authority ensures that these depositories maintain the necessary standards of operational resilience and cybersecurity.

(g) Central Counterparties: The competent authority designated under Article 22 of Regulation (EU) No 648/2012 will oversee central counterparties. This oversight ensures that central counterparties comply with regulations aimed at enhancing their digital operational resilience.

(h) Trading Venues and Data Reporting Service Providers: The competent authority designated under Article 67 of Directive 2014/65/EU will oversee trading venues and data reporting service providers. This authority ensures that these entities maintain robust cybersecurity measures and adhere to relevant regulatory requirements.

(i) Trade Repositories: The competent authority designated under Article 55 of Regulation (EU) No 648/2012 will oversee trade repositories. This authority is responsible for ensuring that trade repositories comply with regulations designed to enhance their operational resilience and data security.

(j) Managers of Alternative Investment Funds: The competent authority designated under Article 44 of Directive 2011/61/EU will oversee managers of alternative investment funds. This authority ensures that these managers adhere to regulations that enhance their cybersecurity and operational resilience.

(k) Management Companies: The competent authority designated under Article 97 of Directive 2009/65/EC will oversee management companies. This authority is responsible for ensuring that management companies comply with regulations aimed at enhancing their digital operational resilience.

(l) Insurance and Reinsurance Undertakings: The competent authority designated under Article 30 of Directive 2009/138/EC will oversee insurance and reinsurance undertakings. This authority ensures that these undertakings maintain the necessary standards of cybersecurity and operational resilience.

(m) Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: The competent authority designated under Article 12 of Directive (EU) 2016/97 will oversee these intermediaries. This authority ensures that they comply with regulations designed to enhance their operational resilience and cybersecurity.

(n) Institutions for Occupational Retirement Pensions: The competent authority designated under Article 47 of Directive 2016/2341 will oversee these institutions. This authority ensures that they maintain the necessary standards of operational resilience and data security.

(o) Credit Rating Agencies: The competent authority designated under Article 21 of Regulation (EC) No 1060/2009 will oversee credit rating agencies. This authority ensures that these agencies comply with regulations aimed at enhancing their digital operational resilience.

(p) Statutory Auditors and Audit Firms: The competent authority designated under Articles 3(2) and 32 of Directive 2006/43/EC will oversee statutory auditors and audit firms. This authority is responsible for ensuring that they maintain robust cybersecurity measures and adhere to relevant regulatory requirements.

(q) Administrators of Critical Benchmarks: The competent authority designated under Articles 40 and 41 of the forthcoming Regulation (EU) 20xx will oversee administrators of critical benchmarks. This authority ensures that these administrators comply with regulations designed to enhance their operational resilience and cybersecurity.

(r) Crowdfunding Service Providers: The competent authority designated under Article xx of the forthcoming Regulation (EU) 20xx will oversee crowdfunding service providers. This authority ensures that these providers maintain the necessary standards of operational resilience and data security.

(s) Securitisation Repositories: The competent authority designated under Articles 10 and 14(1) of Regulation (EU) 2017/2402 will oversee securitisation repositories. This authority ensures that these repositories comply with regulations aimed at enhancing their operational resilience and cybersecurity.