Article 51 Digital Operational Resilience Act (DORA), Review Clause

Jul 25, 2024 by Sneha Naskar

To maintain the effectiveness of the Digital Operational Resilience Act (DORA), the Commission is required to review the standards for identifying key ICT third-party service providers by [PO: insert date, five years after the Regulation's effective date]. This review, as stipulated in Article 28(2) of the Regulation, is crucial for ensuring that the criteria used to identify these essential providers remain current and effective. The evaluation will assess the relevance and adequacy of these standards in response to technological advancements and emerging risks, ensuring ongoing resilience and security in the ICT sector.

Evaluation Process

  • Assessment of Standards: The evaluation will involve a thorough review of the existing standards that determine which ICT third-party service providers are classified as key. These standards are crucial for ensuring that significant ICT service providers are subject to appropriate oversight and regulation. The Commission will assess whether the current criteria for identifying key providers continue to meet the objectives of the Regulation and effectively address emerging risks and challenges in the ICT sector.

  • Consultation with Relevant Authorities: In conducting this evaluation, the Commission will consult with key European authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Systemic Risk Board (ESRB). These consultations are essential for incorporating a wide range of expertise and perspectives into the evaluation process. By engaging with these authorities, the Commission can ensure that the assessment is comprehensive and considers the implications for different sectors and financial institutions.

  • Analysis of Effectiveness and Relevance: The evaluation will focus on several key aspects, including the effectiveness of the current standards in identifying key ICT third-party service providers, their relevance in the context of evolving technological and regulatory landscapes, and their impact on financial stability and operational resilience. The Commission will examine whether the existing criteria adequately address new and emerging risks and whether they align with the broader objectives of the Regulation.

  • Consideration of Emerging Risks and Trends: The Commission will also consider emerging risks and trends in the ICT sector that may impact the effectiveness of the current standards. This includes evaluating technological advancements, changes in the market landscape, and new types of threats or vulnerabilities that could affect key ICT service providers. The aim is to ensure that the standards remain robust and adaptable to ongoing developments in the ICT industry.

Reporting and Legislative Proposal

  • Submission of Report: Upon completion of the evaluation, the Commission will prepare a report outlining the findings and conclusions of the review. This report will be submitted to the European Parliament and the Council. The report will provide an overview of the effectiveness of the current standards, any identified gaps or areas for improvement, and recommendations for potential changes or updates to the criteria used for identifying key ICT third-party service providers.
  • Inclusion of Legislative Proposal: Based on the findings of the evaluation, the Commission may include a legislative proposal with the report if it deems it necessary and suitable. This proposal could suggest amendments or enhancements to the existing standards or introduce new criteria for identifying key ICT service providers. The legislative proposal will be designed to address any identified issues, improve the regulatory framework, and enhance the overall effectiveness of the Regulation in managing risks associated with key ICT third-party service providers.
  • Consideration by European Parliament and Council: The European Parliament and the Council will review the report and any accompanying legislative proposal. They will consider the recommendations and proposed changes and may engage in discussions and negotiations to determine the appropriate course of action. The legislative process will involve scrutiny, debate, and potentially further amendments before any new or revised standards are adopted.

Evaluating standards for identifying key ICT third-party service providers is a crucial step in ensuring that regulatory frameworks remain effective and responsive to emerging challenges. By consulting with relevant authorities and considering new risks and trends, the Commission aims to uphold the integrity and resilience of the ICT sector. The subsequent report and potential legislative proposal will provide a foundation for continued improvement and adaptation of the Regulation, contributing to the overall stability and security of the financial and ICT sectors.
