Friday with DORA: What financial penalties does DORA foresee for key third-party ICT service providers?

In order to properly supervise key third-party ICT service providers, Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter “DORA” or “the Regulation”) empowers the lead supervisory authority to, among other things:

a) request all relevant information and documents (pursuant to Article 37 of the DORA);
b) conduct general investigations and inspections (pursuant to Articles 38 and 39 of the DORA);
c) requesting reports upon completion of surveillance activities that discuss actions taken or remedial measures implemented by key external ICT service providers (in connection with the recommendations referred to in Article 35(1)(d) of DORA).

If a key external ICT service provider fails to comply with the measures to be taken in connection with the exercise of the powers indicated in (a) – (c) above:

1. in whole or in part, and
2. after a lapse of at least 30 calendar days from the date on which it received notification from the supervisory authority of the relevant measures,

the leading supervisory authority shall adopt a decision imposing a periodic fine to induce the key external ICT service provider to comply with the measures.

Periodic fine:

• • • • is imposed for each day until the measures are complied with and for no longer than six months after the key external ICT service provider is notified of the decision imposing the penalty;
      • its amount (calculated from the date specified in the decision imposing the periodic penalty) shall be a maximum of 1% of the average daily global turnover of the key external ICT service provider in the preceding fiscal year;
      • is administrative in nature and subject to enforcement;
      • is made public – unless such disclosure would seriously jeopardize financial markets or cause disproportionate harm to affected parties;
      • key ICT service provider has the right to be heard in the case, including the right to access the file (subject to respect for the legitimate interests of others and the protection of corporate secrets).