Preamble 61 to 73, Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) aims to fortify the EU financial sector's defenses against cyber threats and ICT risks through comprehensive oversight and regulation. Key measures include designating Lead Overseers for critical ICT third-party service providers, specifying contractual requirements, and promoting international cooperation. The following sections detail these essential provisions.
61. Designation Of Lead Overseer
To ensure comprehensive oversight at the Union level, one of the ESAs should be designated as Lead Overseer for each critical ICT third-party service provider within the financial sector. This designation empowers the Lead Overseer to conduct investigations and onsite and offsite inspections, and to access all relevant premises and locations. These powers enable it to gather complete and up-to-date information, and so to acquire genuine insight into the type, scale, and impact of the ICT third-party risks posed to financial entities and, ultimately, to the Union's financial system.
62. Rationale For Lead Oversight
Designating ESAs as Lead Overseers is essential for addressing the systemic dimensions of ICT risk in finance. Given the Union-wide footprint of critical ICT third-party service providers and associated ICT concentration risks, a collective approach at the Union level is imperative. Conducting multiple, uncoordinated audits and access requests by individual competent authorities would not provide a holistic view of ICT third-party risks. Instead, it would create redundancy, burden, and unnecessary complexity for critical ICT third-party providers facing numerous requests.
63. Recommendations And Remedies
Lead Overseers should be empowered to issue recommendations on ICT risk matters and propose suitable remedies, including opposition to specific contractual arrangements that could affect the stability of financial entities or the financial system. National competent authorities should duly consider compliance with these substantive recommendations as part of their responsibilities in prudential supervision of financial entities.
64. Role Of Oversight Framework
The Oversight Framework does not replace financial entities' own management of the risks associated with ICT third-party service providers. Financial entities remain fully responsible for the ongoing monitoring of their contractual arrangements with critical ICT third-party service providers. To avoid duplication and overlap, competent authorities should refrain from individually taking measures aimed at monitoring the risks of critical ICT third-party service providers; any such measures should be coordinated and agreed in advance within the Oversight Framework.
65. International Cooperation On Best Practices
To promote global convergence on best practices for reviewing ICT third-party service providers' digital risk management, ESAs should establish cooperation arrangements with relevant third-country supervisory and regulatory authorities. This initiative aims to develop effective standards addressing ICT third-party risks across international jurisdictions.
66. Utilization Of Technical Expertise
Lead Overseers should leverage the technical expertise of competent authorities' experts in operational and ICT risk management. This includes establishing dedicated examination teams for each critical ICT third-party service provider, pooling multidisciplinary resources to support preparation and execution of oversight activities. These activities encompass onsite inspections of critical ICT third-party service providers and necessary follow-up actions.
67. Supervisory Powers And Cooperation
Competent authorities should possess sufficient supervisory, investigative, and sanctioning powers to enforce this Regulation effectively. Administrative penalties should, as a rule, be made public. Given the cross-border nature of financial entities and ICT third-party service providers, the relevant competent authorities should cooperate closely with one another, including with the ECB for the specific tasks conferred on it by Council Regulation (EU) No 1024/2013, and consult the ESAs; that cooperation should include the mutual exchange of information and the provision of assistance in supervisory activities.
68. Delegated Acts And Technical Standards
To further specify and harmonize the criteria for designating critical ICT third-party service providers and to determine oversight fees, the Commission should be delegated the power to adopt acts under Article 290 of the Treaty on the Functioning of the European Union. This includes further specifying the systemic impact that an ICT failure or outage could have, the degree of reliance of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) on the provider, the provider's market presence, the cost and complexity of migrating to another provider, the number of Member States in which services are provided, and the amount and modalities of payment of oversight fees. Appropriate consultations during preparatory work, including at expert level, conducted in accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, ensure transparency and equal participation of the European Parliament, the Council, and Member States' experts.
69. Amendments And Consistency Across Regulations
This Regulation consolidates ICT risk management provisions from various Union financial services regulations and directives, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, and (EU) No 909/2014. Those acts should be amended to clarify that the relevant ICT risk-related provisions are now laid down in this Regulation. To ensure consistent harmonization of the requirements on ICT risk management, incident reporting, testing, and the key aspects of monitoring ICT third-party risk across financial entities, the Commission should be empowered to adopt regulatory technical standards developed by the ESAs, by means of delegated acts under Article 290 TFEU.
70. Consultation On Technical Standards
During preparatory work, including at expert level, appropriate consultations should be conducted by the Commission. Regulatory and implementing technical standards, developed by ESAs in areas of ICT risk management, reporting, testing, and key requirements, should facilitate proportional application across financial entities based on their nature, scale, complexity, and activities.
71. Standardized Reporting And Templates
The ESAs should develop draft implementing technical standards establishing standardized templates, forms, and procedures for financial entities to report major ICT-related incidents and to maintain their registers of information. These standards should take into account the differing sizes, complexities, risk profiles, and activities of financial entities. The Commission should be empowered to adopt them by means of implementing acts under Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010.
72. Amendment Of Delegated And Implementing Acts
Existing delegated and implementing acts adopted under other financial services legislation should be amended to incorporate provisions on digital operational resilience, in line with this Regulation. Where the empowerments in those acts relate to operational risk articles that now cover digital operational resilience matters regulated here, those empowerments should be adjusted accordingly.
73. Union-Level Measures
Since the objective of this Regulation, namely achieving a high level of digital operational resilience across all financial entities, requires the harmonization of diverse rules currently spread across Union acts and Member States' legal frameworks, it cannot be sufficiently achieved by the Member States acting alone and is better achieved at Union level. The Union may therefore adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in the same Article, this Regulation does not go beyond what is necessary to achieve that objective.