Article 33

Tasks of the Lead Overseer


TL;DR The Digital Operations Resilience Act from EU establishes the Lead Overseer who is responsible for the oversight of critical ICT third party service providers. The Lead Overseer will assess whether these third party service providers have effective rules and procedures in place to manage ICT risks. The assessment will cover items such as ICT security, data centres, risk management procedures, governance arrangements, incident reporting, data portability, testing, ICT audits, and international standards. The Lead Overseer will draft an individual oversight plan and communicate it with the third-party service provider before adoption. Competent authorities may take measures regarding the third-party service providers only with the agreement from the Lead Overseer.
  1. The Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation, appointed in accordance with Article 31(1), point (b), shall conduct the oversight of the assigned critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31.

  2. For the purposes of paragraph 1, the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall assess whether each critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment which it may pose to financial entitiesas defined in Article 2, points (a) to (t).

    The assessment referred to in the first subparagraph shall focus mainly on ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services provided by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 supporting the critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of financial entitiesas defined in Article 2, points (a) to (t). Where necessary to address all relevant risks, that assessment shall extend to ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting functions other than those that are critical or important.

  3. The assessment referred to in paragraph 2 shall cover:

    1. ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 provides to financial entitiesas defined in Article 2, points (a) to (t), as well as the ability to maintain at all times high standards of availability, authenticity, integrity or confidentiality of data;

    2. the physical security contributing to ensuring the ICT security, including the security of premises, facilities, data centres;

    3. the risk management processes, including ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management policies, ICT business continuity policy and ICT response and recovery plans;

    4. the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling effective ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management;

    5. the identification, monitoring and prompt reporting of material ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity to financial entitiesas defined in Article 2, points (a) to (t), the management and resolution of those incidents, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset;

    6. the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entitiesas defined in Article 2, points (a) to (t);

    7. the testing of ICT systems, infrastructure and controls;

    8. the ICT audits;

    9. the use of relevant national and international standards applicable to the provision of its ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services to the financial entitiesas defined in Article 2, points (a) to (t).

  4. Based on the assessment referred to in paragraph 2, and in coordination with the Joint Oversight Network (JONJoint Oversight Network ) referred to in Article 34(1), the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31. That plan shall be communicated yearly to the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31.

    Prior to the adoption of the oversight plan, the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall communicate the draft oversight plan to the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31.

    Upon receipt of the draft oversight plan, the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers which are entities falling outside of the scope of this Regulation and where appropriate, formulating solutions to mitigate risks.

  5. Once the annual oversight plans referred to in paragraph 4 have been adopted and notified to the critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31, competent authoritiesas defined in Article 46 may take measures concerning such critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 only in agreement with the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation.