Art. 32 Structure of the Oversight Framework | DORA regulation | DORA

1. The Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010;, in accordance with Article 57(1) of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, shall establish the Oversight Forum as a sub-committee for the purposes of supporting the work of the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; and of the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; referred to in Article 31(1), point (b), in the area of ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; across financial sectors. The Oversight Forum shall prepare the draft joint positions and the draft common acts of the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; in that area.
2. The Oversight Forum shall regularly discuss relevant developments on ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; and promote a consistent approach in the monitoring of ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; at Union level.
1. The Oversight Forum shall, on a yearly basis, undertake a collective assessment of the results and findings of the oversight activities conducted for all critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; and promote coordination measures to increase the digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; of financial entities, foster best practices on addressing ICT concentration riskmeans an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole; and explore mitigants for cross-sector risk transfers.
1. The Oversight Forum shall submit comprehensive benchmarks for critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; to be adopted by the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; as joint positions of the ESAs in accordance with Article 56(1) of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
1. The Oversight Forum shall be composed of:
  1. the Chairpersons of the ESAs;
  2. one high-level representative from the current staff of the relevant competent authority referred to in Article 46 from each Member State;
  3. the Executive Directors of each ESA and one representative from the Commission, from the ESRB, from ECB and from ENISA as observers;
  4. where appropriate, one additional representative of a competent authority referred to in Article 46 from each Member State as observer;
  5. where applicable, one representative of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31;, as observer.
2. The Oversight Forum may, where appropriate, seek the advice of independent experts appointed in accordance with paragraph 6.
1. Each Member State shall designate the relevant competent authority whose staff member shall be the high-level representative referred in paragraph 4, first subparagraph, point (b), and shall inform the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; thereof.
2. The ESAs shall publish on their website the list of high-level representatives from the current staff of the relevant competent authority designated by Member States.
1. The independent experts referred to in paragraph 4, second subparagraph, shall be appointed by the Oversight Forum from a pool of experts selected following a public and transparent application process.
2. The independent experts shall be appointed on the basis of their expertise in financial stability, digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; and ICT security matters. They shall act independently and objectively in the sole interest of the Union as a whole and shall neither seek nor take instructions from Union institutions or bodies, from any government of a Member State or from any other public or private body.
1. In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs shall by 17 July 2024 issue, for the purposes of this Section, guidelines on the cooperation between the ESAs and the competent authorities covering the detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs and the details on the exchanges of information which are necessary for competent authorities to ensure the follow-up of recommendations pursuant to Article 35(1), point (d), addressed to critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31;.
1. The requirements set out in this Section shall be without prejudice to the application of Directive (EU) 2022/2555 and of other Union rules on oversight applicable to providers of cloud computing services.
1. The ESAs, through the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; and based on preparatory work conducted by the Oversight Forum, shall, on yearly basis, submit a report on the application of this Section to the European Parliament, the Council and the Commission.