Digital Operational Resilience Act Articles (Proposal)

The Articles (Proposal) of the Digital Operational Resilience Act

Digital Operational Resilience Act (DORA), Article 30, Tasks of the Lead Overseer.

1. The Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities.

2. The assessment referred to in paragraph 1 shall include:

(a) ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the critical ICT third-party service provider provides to financial entities, as well as the ability to maintain at all times high standards of security, confidentiality and integrity of data;

(b) the physical security contributing to ensuring the ICT security, including the security of premises, facilities, datacentres;

(c) the risk management processes, including ICT risk management policies, ICT business continuity and ICT disaster recovery plans;

(d) the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling an effective ICT risk management;

(e) the identification, monitoring and prompt reporting of ICT-related incidents to the financial entities, the management and resolution of those incidents, in particular cyber-attacks;

(f) the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities;

(g) the testing of ICT systems, infrastructure and controls;

(h) the ICT audits;

(i) the use of relevant national and international standards applicable to the provision of its ICT services to the financial entities.

3. Based on the assessment referred to in paragraph 1, the Lead Overseer shall adopt a clear, detailed and reasoned individual Oversight plan for each critical ICT third-party service provider. That plan shall be communicated each year to the critical ICT third-party service provider.

4. Once the annual Oversight plans referred to in paragraph 3 have been agreed and notified to the critical ICT third-party service providers, competent authorities may only take measures concerning critical ICT third-party service providers in agreement with the Lead Overseer.