Digital Operational Resilience Act

Article 31 (Designation of Critical ICT Third-Party Service Providers) primarily outlines the procedures and criteria for designating ICT third-party service providers as critical, the responsibilities of the ESAs and the Lead Overseer, and the conditions for financial entities’ use of services from these providers. It focuses on the regulatory and administrative processes rather than imposing direct operational compliance requirements on financial entities or third-party service providers. Therefore, detailed control mappings to ISO/IEC 27001:2022 or other security frameworks may not be directly relevant or useful for this article, similar to Article 32.

Key Points of Article 31:

1. Designation of Critical ICT Third-Party Service Providers: The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, designate ICT third-party service providers that are critical for financial entities based on specific criteria.
2. Appointment of Lead Overseer: The Lead Overseer is appointed to conduct the oversight of designated critical ICT third-party service providers.
3. Assessment Criteria: Designation is based on criteria such as the systemic impact on financial services, the importance of financial entities relying on the provider, reliance on critical functions, and the degree of substitutability of the provider.
4. Notification and Appeals: Procedures for notifying ICT third-party service providers of their designation as critical, and the process for submitting reasoned statements or additional information.
5. Publication and Updates: The ESAs, through the Joint Committee, will publish and update a yearly list of critical ICT third-party service providers.
6. Third-Country Providers: Conditions for using services from critical ICT third-party service providers established in third countries, including the requirement to establish a subsidiary in the Union within 12 months.

Since Article 31 deals with the designation process and regulatory oversight of critical ICT third-party service providers, it does not impose specific operational controls on financial entities or the ICT third-party service providers. Instead, it outlines the criteria and administrative processes for designation and oversight. Therefore, direct control mappings to ISO/IEC 27001:2022 or other security frameworks are not necessary for this article.

Article 32 (Structure of the Oversight Framework) primarily outlines the establishment, composition, and tasks of the Oversight Forum and the Lead Overseer. This article focuses on the organizational and procedural aspects of the oversight framework rather than setting direct compliance requirements for financial entities or third-party service providers. Therefore, it does not necessitate the same type of control mappings to ISO/IEC 27001:2022 or other security frameworks as other articles that impose specific operational requirements on financial entities and third-party service providers.

Key Points of Article 32:

1. Establishment of the Oversight Forum: This forum is a sub-committee under the Joint Committee to support ICT third-party risk oversight.
2. Annual Assessment and Coordination: The forum undertakes yearly assessments of oversight activities and promotes coordination to enhance digital operational resilience.
3. Submission of Benchmarks: The forum submits benchmarks for critical ICT third-party service providers to be adopted by the Joint Committee.
4. Composition of the Forum: Includes representatives from ESAs, national competent authorities, the Commission, ESRB, ECB, and ENISA.
5. Appointment of Independent Experts: Experts are appointed based on their expertise and are required to act independently.
6. Publication of Representatives: The ESAs will publish a list of high-level representatives.
7. Guidelines on Cooperation: ESAs will issue guidelines on cooperation and information exchange between ESAs and competent authorities.
8. Non-prejudice to Other Union Rules: The requirements do not prejudice the application of other Union rules on cloud computing service providers.
9. Annual Report: The ESAs, through the Joint Committee, will submit an annual report on the application of this section to the European Parliament, Council, and Commission.

Since Article 32 deals with the oversight structure and responsibilities, it doesn’t impose direct operational or compliance requirements on financial entities or ICT third-party service providers that would necessitate control mappings. The focus here is on ensuring a robust and coordinated oversight mechanism across the financial sector.

Article 33 of the DORA regulation primarily focuses on the responsibilities and tasks of the Lead Overseer in the oversight of critical ICT third-party service providers. However, it does indirectly relate to the compliance of the third-party service providers and the financial entities that use their services in several ways:

1. Oversight and Assessment: The Lead Overseer is tasked with assessing whether critical ICT third-party service providers have comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage ICT risks. This assessment directly impacts the compliance requirements for third-party service providers, as they must adhere to the standards and expectations set by the Lead Overseer.

2. Requirements for Service Providers: The Lead Overseer assesses various aspects of the third-party service provider’s operations, including ICT security, physical security, risk management processes, governance arrangements, incident management, data portability, testing, and ICT audits. Third-party service providers must comply with these requirements to meet the standards set by the Lead Overseer.

3. Communication and Coordination: The oversight plan created by the Lead Overseer, based on their assessment, includes annual oversight objectives and actions. Third-party service providers are required to cooperate with the Lead Overseer and comply with the oversight plan, which includes providing necessary information and addressing any identified issues.

4. Compliance Reporting: Financial entities that use services from critical ICT third-party service providers must ensure that their providers comply with the requirements set forth by the Lead Overseer. This means that financial entities are responsible for selecting compliant third-party service providers and ensuring that they meet the necessary standards and regulations.

Article 34 primarily focuses on the coordination and operational procedures among Lead Overseers to ensure a consistent approach to oversight activities. The main points are:

1. Coordination Among Lead Overseers: The article mandates the creation of a Joint Oversight Network (JON) to coordinate oversight activities among the three Lead Overseers. This coordination is meant to ensure a consistent approach to the oversight of critical ICT third-party service providers.

2. Common Oversight Protocol: The Lead Overseers are required to develop a common oversight protocol, which outlines detailed procedures for day-to-day coordination and swift exchanges of information and responses. This protocol is to be periodically revised to meet operational needs.

3. Ad-hoc Technical Advice: The Lead Overseers can call on the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA) for technical advice and experience sharing, and to participate in specific coordination meetings of the JON.

Article 33 outlines the responsibilities and powers of the Lead Overseer in relation to critical ICT third-party service providers. The Lead Overseer is appointed to ensure that these providers comply with comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage ICT risks. This article includes the power to request information, conduct investigations and inspections, issue recommendations, and ensure regular coordination within the Joint Oversight Network (JON).

Article 36 primarily deals with the operational powers and logistics of the Lead Overseer when conducting oversight activities outside the Union. It doesn’t impose compliance requirements directly on the financial entities or third-party service providers themselves but rather outlines the procedures for the Lead Overseer’s oversight functions.

Therefore, this article does not necessitate the creation of control mappings for compliance purposes related to financial entities or third-party service providers.

Related to the Lead Overseer’s rights and/or responsibilities

Related to the Lead Overseer’s rights and/or responsibilities

Related to the Lead Overseer’s rights and/or responsibilities

Related to the Lead Overseer’s rights and/or responsibilities

Related to the Lead Overseer’s rights and/or responsibilities

Related to the Lead Overseer’s rights and/or responsibilities

The ESAs shall, through the Joint Committee, submit every five years a joint confidential report to the European Parliament, to the Council and to the Commission, summarising the findings of relevant discussions held with the third countries’ authorities referred to in paragraph 1, focusing on the evolution of ICT third-party risk and the implications for financial stability, market integrity, investor protection and the functioning of the internal