Cooperation with structures and authorities established by Directive (EU) 2022/2555


TL;DR: The EU's Digital Operational Resilience Act aims to foster cooperation between the competent authorities designated by the Regulation and the Cooperation Group established by Article 14 of Directive (EU) 2022/2555. It allows them to participate in the activities of the Cooperation Group in relation to critical ICT third-party service providers and permits consultation and sharing of information with the single points of contact and the CSIRTs designated or established in accordance with Directive (EU) 2022/2555. It also enables the establishment of cooperation arrangements, which include access to information requested by the concerned authorities and the procedures for the coordination of supervisory and oversight activities in relation to the designated entities.
  1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 14 of Directive (EU) 2022/2555, the ESAs and the competent authorities may participate in the activities of the Cooperation Group for matters that concern their supervisory activities in relation to financial entities. The ESAs and the competent authorities may request to be invited to participate in the activities of the Cooperation Group for matters in relation to essential or important entities subject to Directive (EU) 2022/2555 that have also been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation.

  2. Where appropriate, competent authorities may consult and share information with the single points of contact and the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.

  3. Where appropriate, competent authorities may request any relevant technical advice and assistance from the competent authorities designated or established in accordance with Directive (EU) 2022/2555 and establish cooperation arrangements to allow effective and fast-response coordination mechanisms to be set up.

  4. The arrangements referred to in paragraph 3 of this Article may, inter alia, specify the procedures for the coordination of supervisory and oversight activities in relation to essential or important entities subject to Directive (EU) 2022/2555 that have been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation, including for the conduct, in accordance with national law, of investigations and on-site inspections, as well as for mechanisms for the exchange of information between the competent authorities under this Regulation and the competent authorities designated or established in accordance with that Directive which includes access to information requested by the latter authorities.