Art. 41 Harmonisation of conditions enabling the conduct of the oversight activities | DORA regulation | DORA

This article is a technical standards mandate that sits within the Oversight Framework section of DORA.

It instructs the ESAs, acting through the Joint Committee, to develop draft regulatory technical standards that will underpin the practical operation of the oversight regime for critical ICT third-party service providers.

Rather than setting out substantive obligations itself, it delegates the task of fleshing out procedural and structural details — such as how voluntary designation applications should look, what information providers must report, and how joint examination teams should be composed — to technical standard-setting.

It connects directly to the oversight machinery established under Articles 31, 35, and 42.

Important points:

The ESAs are required to develop draft regulatory technical standards covering four areas: voluntary designation applications, reporting formats for ICT third-party service providers, joint examination team composition, and competent authority assessments of measures taken by critical providers.
The ESAs were required to submit those draft standards to the Commission by 17 July 2024.
The Commission holds the delegated power to adopt those regulatory technical standards, giving them binding legal force across the regulation.

1. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify:
  1. the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical under Article 31(11);
  2. the content, structure and format of the information to be submitted, disclosed or reported by the ICT third-party service providers pursuant to Article 35(1), including the template for providing information on subcontracting arrangements;
  3. the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements.
  4. the details of the competent authorities’ assessment of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer pursuant to Article 42(3).
1. The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
2. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 1 in accordance with the procedure laid down in Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.