Source: OJ L 333, 27.12.2022, p. 1–79
Article 44 International cooperation
Summary: What does Article 44 of the DORA regulation say?
This article deals with international cooperation on ICT third-party risk, sitting alongside the oversight framework for critical ICT third-party service providers established in Article 36.
It authorises EBA, ESMA, and EIOPA to enter into administrative arrangements with regulatory and supervisory authorities in third countries, with the goal of developing shared best practices around ICT risk management, controls, mitigation, and incident response.
The article also establishes a reporting obligation, requiring the ESAs to periodically consolidate and report back to the EU institutions on what those international discussions have revealed.
Important points:
- EBA, ESMA, and EIOPA may conclude administrative arrangements with third-country authorities to foster international cooperation on ICT third-party risk.
- The ESAs are required to submit a joint confidential report every five years to the European Parliament, the Council, and the Commission on the findings from those international discussions.
- The reporting must focus on the evolution of ICT third-party risk and its implications for financial stability, market integrity, investor protection, and the functioning of the internal market.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
1. Without prejudice to Article 36, EBA, ESMA and EIOPA may, in accordance with Article 33 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively, conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors, in particular by developing best practices for the review of ICT risk management practices and controls, mitigation measures and incident responses.
2. The ESAs shall, through the Joint Committee, submit every five years a joint confidential report to the European Parliament, to the Council and to the Commission, summarising the findings of relevant discussions held with the third countries’ authorities referred to in paragraph 1, focusing on the evolution of ICT third-party risk and the implications for financial stability, market integrity, investor protection and the functioning of the internal market.
Relevant recitals
Recital 94 Convergence at international level
To promote convergence at international level as regards the use of best practices in the review and monitoring of ICT third-party service providers’ digital risk-management, the ESAs should be encouraged to conclude cooperation arrangements with relevant supervisory and regulatory third-country authorities.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.