News

Friday with DORA: What financial penalties does DORA foresee for key third-party ICT service providers?

Zofia Zborowska Zofia Zborowska Associate
21 czerwca 2024
Friday with DORA: What financial penalties does DORA foresee for key third-party ICT service providers?

In order to properly supervise key third-party ICT service providers, Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter “DORA” or “the Regulation”) empowers the lead supervisory authority to, among other things:

a) request all relevant information and documents (pursuant to Article 37 of the DORA);
b) conduct general investigations and inspections (pursuant to Articles 38 and 39 of the DORA);
c) requesting reports upon completion of surveillance activities that discuss actions taken or remedial measures implemented by key external ICT service providers (in connection with the recommendations referred to in Article 35(1)(d) of DORA).

If a key external ICT service provider fails to comply with the measures to be taken in connection with the exercise of the powers indicated in (a) – (c) above:

1. in whole or in part, and
2. after a lapse of at least 30 calendar days from the date on which it received notification from the supervisory authority of the relevant measures,

the leading supervisory authority shall adopt a decision imposing a periodic fine to induce the key external ICT service provider to comply with the measures.

Periodic fine:

        • is imposed for each day until the measures are complied with and for no longer than six months after the key external ICT service provider is notified of the decision imposing the penalty;
        • its amount (calculated from the date specified in the decision imposing the periodic penalty) shall be a maximum of 1% of the average daily global turnover of the key external ICT service provider in the preceding fiscal year;
        • is administrative in nature and subject to enforcement;
        • is made public – unless such disclosure would seriously jeopardize financial markets or cause disproportionate harm to affected parties;
        • key ICT service provider has the right to be heard in the case, including the right to access the file (subject to respect for the legitimate interests of others and the protection of corporate secrets).

Related

Friday with DORA – Who is bound by the DORA Ordinance?
21 June 2024

Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022…

Zofia Zborowska Zofia Zborowska Associate
Do you want to receive news?
Subscribe to Newsletter

    Wybierz listę

    Chcę być informowany e-mailowo informacjach ze strony Raczyński Skalski & Partners Kancelaria Radców Prawnych Spółka Partnerska z siedzibą w Warszawie na podany przeze mnie adres e-mail. Czytaj dalej

    Ta witryna jest chroniona przez reCAPTCHA i obowiązuje Polityka prywatności i Warunki korzystania z usługi Google.