Exercise of the powers of the Lead Overseer outside the Union


TL;DR This article outlines the provisions for the Digital Operations Resilience Act from the EU, which enables oversight activities to be conducted on a third-country premises owned or used for providing services to Union financial entities. It outlines conditions such as the need for an inspection to be judged necessary by the Lead Overseer, and that it must be directly related to providing services to financial entities. It also outlines that EBA, ESMA or EOPIA must conclude administrative cooperation arrangements with the third-country relevant authority regarding the procedures for coordination, information transmission, regular updates on regulatory developments, and details allowing a representative of the third country to participate in inspections if needed. Lastly, it details the inability of the Lead Overseer to conduct activities outside of the Union, and the need to exercise its power on the basis of available facts and documents and to document and explain the consequences of its inability.
  1. When oversight objectives cannot be attained by means of interacting with the subsidiarymeans a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; set up for the purpose of Article 31(12), or by exercising oversight activities on premises located in the Union, the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; may exercise the powers, referred to in the following provisions, on any premises located in a third-country which is owned, or used in any way, for the purposes of providing services to Union financial entitiesas defined in Article 2, points (a) to (t), by a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31;, in connection with its business operations, functions or services, including any administrative, business or operational offices, premises, lands, buildings or other properties:

    1. in Article 35(1), point (a); and

    2. in Article 35(1), point (b), in accordance with Article 38(2), points (a), (b) and (d), and in Article 39(1) and (2), point (a).

    The powers referred to in the first subparagraph may be exercised subject to all of the following conditions:

    1. the conduct of an inspection in a third-country is deemed necessary by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to allow it to fully and effectively perform its duties under this Regulation;

    2. the inspection in a third-country is directly related to the provision of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to financial entitiesas defined in Article 2, points (a) to (t) in the Union;

    3. the critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; concerned consents to the conduct of an inspection in a third-country; and

    4. the relevant authority of the third-country concerned has been officially notified by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and raised no objection thereto.

  2. Without prejudice to the respective competences of the Union institutions and of Member States, for the purposes of paragraph 1, EBA, ESMA or EIOPA shall conclude administrative cooperation arrangements with the relevant authority of the third country in order to enable the smooth conduct of inspections in the third country concerned by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and its designated team for its mission in that third country. Those cooperation arrangements shall not create legal obligations in respect of the Union and its Member States nor shall they prevent Member States and their competent authoritiesas defined in Article 46 from concluding bilateral or multilateral arrangements with those third countries and their relevant authorities.

    Those cooperation arrangements shall specify at least the following elements:

    1. the procedures for the coordination of oversight activities carried out under this Regulation and any analogous monitoring of ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; in the financial sector exercised by the relevant authority of the third country concerned, including details for transmitting the agreement of the latter to allow the conduct, by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and its designated team, of general investigations and on-site inspections as referred to in paragraph 1, first subparagraph, on the territory under its jurisdiction;

    2. the mechanism for the transmission of any relevant information between EBA, ESMA or EIOPA and the relevant authority of the third country concerned, in particular in connection with information that may be requested by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; pursuant to Article 37;

    3. the mechanisms for the prompt notification by the relevant authority of the third-country concerned to EBA, ESMA or EIOPA of cases where an ICT third-party service provider established in a third countrymeans an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services; and designated as critical in accordance with Article 31(1), point (a), is deemed to have infringed the requirements to which it is obliged to adhere pursuant to the applicable law of the third country concerned when providing services to financial institutions in that third country, as well as the remedies and penalties applied;

    4. the regular transmission of updates on regulatory or supervisory developments on the monitoring of ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; of financial institutions in the third country concerned;

    5. the details for allowing, if needed, the participation of one representative of the relevant third-country authority in the inspections conducted by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and the designated team.

  3. When the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; is not able to conduct oversight activities outside the Union, referred to in paragraphs 1 and 2, the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; shall:

    1. exercise its powers under Article 35 on the basis of all facts and documents available to it;

    2. document and explain any consequence of its inability to conduct the envisaged oversight activities as referred to in this Article.

    The potential consequences referred to in point (b) of this paragraph shall be taken into consideration in the Lead Overseer’s recommendations issued pursuant to Article 35(1), point (d).