Digital Operational Resilience Act (DORA), Article 37, Follow-up by competent authorities.
1. Within 30 calendar days after the receipt of the recommendations issued by Lead Overseers pursuant to point (d) of Article 31(1), critical ICT third-party service providers shall notify the Lead Overseer whether they intend to follow those recommendations. Lead Overseers shall immediately transmit this information to competent authorities.
2. Competent authorities shall monitor whether financial entities take into account the risks identified in the recommendations addressed to critical ICT third-party providers by the Lead Overseer in accordance with point (d) of Article 31(1).
3. Competent authorities may, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers.
4. When taking the decisions referred to in paragraph 3, competent authorities shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:
(a) the gravity and the duration of the non-compliance;
(b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider’s procedures, management systems, risk management and internal controls;
(c) whether financial crime was facilitated, occasioned or otherwise attributable to the non-compliance;
(d) whether the non-compliance has been committed intentionally or negligently.
5. Competent authorities shall regularly inform the Lead Overseers on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual measures taken by the latter where critical ICT third-party service providers have not endorsed in part or entirely recommendations addressed by the Lead Overseers.