Digital Operational Resilience Act (DORA), Article 35, Ongoing Oversight.
1. Where conducting general investigations or on-site inspections, the Lead Overseers shall be assisted by an examination team established for each critical ICT third-party service provider.
2. The joint examination team referred to in paragraph 1 shall be composed of staff members from the Lead Overseer and from the relevant competent authorities supervising the financial entities to which the critical ICT third-party service provider provides services, who will join the preparation and execution of the Oversight activities, with a maximum of 10 members. All members of the joint examination shall have expertise in ICT and operational risk. The joint examination team shall work under the coordination of a designated ESA staff member (the ‘Lead Overseer coordinator’).
3. The ESAs, through the Joint Committee, shall develop common draft regulatory technical standards to specify further the designation of the members of the joint examination team coming from the relevant competent authorities, as well as the tasks and working arrangements of the examination team. The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 1 year after the date of entry into force].
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.
4. Within 3 months after the completion of an investigation or on-site inspection, the Lead Overseer, after consultation of the Oversight Forum, shall adopt recommendations to be addressed by the Lead Overseer to the critical ICT third-party service provider pursuant to the powers referred to in Article 31.
5. The recommendations referred to in paragraph 4 shall be immediately communicated to the critical ICT third-party service provider and to the competent authorities of the financial entities to which it provides services.
For the purposes of fulfilling the Oversight activities, Lead Overseers may take into consideration any relevant third-party certifications and ICT third-party internal or external audit reports made available by the critical ICT third-party service provider.