The Digital Operational Resilience Act (DORA) is an EU-wide regulation that aims to enhance the digital operational resilience of the financial sector. DORA covers a wide range of financial entities, such as banks, investment firms, payment service providers, electronic money institutions, insurance companies, and many others, including critical third-party vendors.
One of the key elements of DORA is the level 2 requirements, which specify the technical details and methodologies for implementing the level 1 requirements, the general principles and obligations established by the regulation.
On 17 January, the European Supervisory Authorities (ESAs) – the EBA, EIOPA, and ESMA – issued their final draft technical standards in relation to those level 2 requirements directly impacting financial entities. On 18 April, the ESAs followed up with their draft RTS on the level 2 requirements to be followed by the competent authorities in relation to the joint examination team (JET).
Under DORA, the JET, made up of staff from the ESAs and the relevant competent authorities (CAs), will assist the Lead Overseer with daily oversight of a critical third-party provider (CTPP). The ESAs are required to develop an RTS establishing the criteria for determining the composition of the JET, ensuring a balanced participation of staff members from the ESAs and the CAs, as well as their designation, tasks and working arrangements.
The ESAs have proposed the following technical standards:
RTS on determining the composition of the JET:
Upon initial designation as a CTPP, or when there is a material change regarding the CTPP, the Lead Overseer will establish a JET assigned to oversee the CTPP’s activities. The number of members of the JET and its composition are determined by the Lead Overseer, in agreement with the Joint Oversight Network, and in consultation with the Oversight Forum. A material change regarding a CTPP means a significant change to:
- the services provided by the CTPP;
- the activities performed by financial entities using the CTPP; or
- the list of CTPPs at Union level referred to in Article 31(9) of DORA.
In defining the number and composition of the team, the Lead Overseer must consider several factors including:
- the tasks in the individual annual oversight plans for each CTPP to which the JET is assigned;
- the number of CTPPs overseen by the JET;
- the stability of the composition of the JET to ensure proper knowledge retention;
- the necessary technical and non-technical skills required for the execution of the tasks by the JET;
- the Member States in which the CTPP provides ICT services, and the competent authorities which supervise the financial entities making use of those services;
- the different types, sizes, and number of financial entities to which the CTPP provides ICT services; and
- ensuring a proportionate cross-sectoral representation of the authorities nominating members of the JET.
The ESAs and the relevant CAs will then each nominate staff members based on their specific technical expertise. If an authority does not have staff with the required expertise, it is expected to use best efforts to address this shortfall and try to reinforce its capabilities for future exercises.
RTS on the designation of the JET:
To ensure the most efficient use of the limited staff with the required technical expertise, each JET can be assigned to multiple CTPPs. CTPPs will be grouped and assigned to a particular JET by the Lead Overseer based on their risk profile and the level of oversight activities that is likely to be required. The Lead Overseer will consult with both the Joint Oversight Network and the Oversight Forum to ensure the proposed resource allocation and commitment are realistic.
RTS on the tasks of the JET:
The JET will assist the Lead Overseer in conducting oversight activities, including:
- drafting the annual individual oversight plans for each of its assigned CTPPs;
- performing assessments of whether its assigned CTPPs have appropriate rules, procedures, mechanisms and arrangements in place to manage the ICT risk they may pose to financial entities;
- collecting and assessing any information requested from its assigned CTPPs by the Lead Overseer as necessary to carry out its oversight duties;
- conducting investigations and inspections of its assigned CTPPs;
- drafting recommendations to its assigned CTPPs in relation to meeting their obligation to have appropriate rules and arrangements in place to manage their ICT risk to financial entities;
- assessing CTPP remediation plans and progress reports;
- preparing requests for information for the Lead Overseer, and drafting decisions from the Lead Overseer relating to investigations, inspections, and penalty payments;
- assisting with developing benchmarks for CTPPs; and
- assisting in unplanned ad hoc activities deemed necessary by the Lead Overseer.
RTS on the working arrangements of the JET:
The JET members will be required to carry out their tasks with due skill, care, and diligence, following oversight procedures drafted by the ESAs. The members will also need to comply with the Lead Overseer’s information and data handling specifications and the ESAs’ confidentiality regimes.
Next steps
The public consultation closes on 18 May. The ESAs will consider feedback when finalising the draft RTS, and expect to finalise it by 17 July 2024. Once finalised, the RTS will be subject to endorsement by the European Commission and non-objection by the European Parliament and the Council. The expected date of application of these technical standards is 17 January 2025.


