DORA RTS on Joint Examination Teams

Browse Articles Full Text and PDF
View at EUR-Lex Download PDF

Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements (Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council, of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, and in particular Article 41(2), second subparagraph, thereof,

HAS ADOPTED THIS REGULATION:

Recitals

(1)
The oversight framework established by Regulation (EU) 2022/2554 should be built on a structured and continuous cooperation between the European Supervisory Authorities (ESAs) and the competent authorities through the Oversight Forum and the joint examination teams.
(2)
The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 should ensure that their staff members that are to be appointed as members of the joint examination team referred to in Article 40(1) of that Regulation has the technical expertise required in the profiles needed in the joint examination teams. The demonstration that an authority does not have staff meeting the specific technical expertise needed in the joint examination teams should be considered by the Lead Overseer as a justification to discharge, at that point in time, the authorities of their obligation to nominate staff members to the joint examination teams. In that case, the authority should nevertheless commit on the best effort basis to address that shortfall of expertise and try to reinforce its capabilities to contribute to the joint examination teams in the context of the next exercise.
(3)
Staff members of the authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 that are designated as members of a joint examination team as referred to in Article 40(1) of that Regulation should continue to be employees of the nominating authority and therefore subject to working hours and permanent location of work as included in their employment contracts.
(4)
To ensure the most effective use of resources in the execution of oversight activities, members of joint examination teams should be able to be part of several joint examination teams and to oversee multiple critical ICT third-party service providers. The number of the critical ICT third-party service providers to be assigned to a specific member of joint examination team, and overall staffing needs of the joint examination teams, should take into account the risk profile of the critical ICT third-party service providers and the envisaged level of intensity of oversight activities. That possibility to oversee multiple critical ICT third-party service providers is taken into account in the strategic multi-annual oversight plan, updated annually by the Lead Overseers to the extent necessary, and reflected into the individual annual oversight plan. To ensure the reliability of the planned and ongoing commitment of resource staffing of the joint examination teams by the nominating authorities, the Lead Overseer should consult both the Joint Oversight Network and the Oversight Forum on the strategic multi-annual oversight plan.
(5)
The Lead Overseer should apply a combination of criteria and principles when identifying the number of staff members in each joint examination team and the resulting composition. Given the diverse technological and geographical footprint and the use made by various financial entities of critical ICT third-party service providers, those criteria and principles should take into account the technical nature of the oversight tasks, the different grade of dependency of financial entities on the services provided by the critical ICT third-party service providers, the geographical distribution, the size and the number of financial entities relying on those services and, where possible, a proportionate cross-sectoral representation. In performing that task, the Lead Overseer should rely on the information provided by the competent authorities in the context of the designation of the critical ICT third-party service providers, including information needed for all the sub-criteria as laid down in Commission Delegated Regulation (EU) 2024/1502 and consider the criticality of the critical ICT third-party service providers for the provisioning of specific financial services both at Member State and Union level.
(6)
To ensure that the structure and the composition of the joint examination teams are fit for purpose and to ensure the efficiency and effectiveness of the Oversight Framework continuously, the Lead Overseer and the members of the joint examination teams should periodically assess the achievements of the joint examination teams. The Lead Overseer and the nominating authorities should use those assessments to verify whether the members of the joint examination teams are still fit for performing their tasks and make changes to the membership of the joint examination teams, where appropriate.
(7)
In order to ensure that the members of the joint examination teams work as a single team and oversight activities are conducted in a consistent manner, the ESAs should specify the oversight procedures to be followed by the members of the joint examination teams and the Lead Overseer coordinator in the performance of their duties.
(8)
Since the oversight tasks involve the processing of confidential information, the Lead Overseer should grant members of the joint examination team access to such information and to the relating IT (including tools, applications and datasets) and non-IT (including policy, procedures and documentation) resources on a need-to-know basis and within the specified scope of their assignments if that is necessary for members of the joint examination team to assist the Lead Overseer in the fulfilment of its statutory functions or tasks. When laying down arrangements between the Lead Overseer and the competent authorities to implement this Regulation, consistent with Commission Delegated Regulation (EU) 2024/1505, to ensure the proper financing of the costs associated to the resources provided by the nominating authorities, the Lead Overseer should include in such arrangements a section detailing the procedure of reimbursement of the direct and indirect costs of all nominating authorities involved in the joint examination teams. Furthermore, to ensure a transparent and trustworthy execution of the oversight activities, those arrangements should also ensure that the members of the joint examination teams are free from any conflict of interests while performing their duties.
(9)
This Regulation is based on the draft regulatory technical standards submitted to the European Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority.
(10)
The Joint Committee of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council, in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential costs and benefits of the proposed standards and requested advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010,

Article 1Tasks of the members of the joint examination team

1.   The members of the joint examination team shall perform their tasks under the coordination of the Lead Overseer coordinator. Those tasks shall include the ongoing support of the activities carried out by the Lead Overseer and the execution of specific tasks. Those tasks shall be:

  1. (a)
    assist the Lead Overseer in the preparation and drafting of the individual annual oversight plan referred to in Article 33(4) of Regulation (EU) 2022/2554;
  2. (b)
    assist the Lead Overseer in performing the assessment referred to in Article 33(2) of Regulation (EU) 2022/2554;
  3. (c)
    assess the information obtained by the Lead Overseer from the critical ICT third-party service provider under Article 37 of Regulation (EU) 2022/2554 and Chapter II of Commission Delegated Regulation (EU) 2025/295;
  4. (d)
    conduct general investigations on the critical ICT third-party service providers referred to in Article 38 of Regulation (EU) 2022/2554;
  5. (e)
    conduct the inspections referred to in Article 39(1) of Regulation (EU) 2022/2554;
  6. (f)
    draft the recommendations referred to in Article 35(1), point (d), of Regulation (EU) 2022/2554;
  7. (g)
    assess the remediation plan and the progress reports referred to in Article 4 of Delegated Regulation (EU) 2025/295;
  8. (h)
    prepare and draft the requests and decisions referred to in Article 35(6), Article 37(1), Article 38(4), and Article 39(6) of Regulation (EU) 2022/2554;
  9. (i)
    assist the Lead Overseer in its contribution to horizontal oversight activities, including in the development of the comprehensive benchmarks referred to in Article 32(3) of Regulation (EU) 2022/2554;
  10. (j)
    ensure that the relevant information relating to financial entities making use of the services provided by critical ICT third-party service providers are shared with the Lead Overseer;
  11. (k)
    assist the Lead Overseer in unplanned ad hoc activities deemed necessary by the Lead Overseer for the purpose of oversight.

2.   Where the Lead Overseer significantly revises the individual annual oversight plan during the year, the Lead Overseer shall involve the members of the joint examination team in the execution of the individual annual oversight plan and in the revision of that.

Article 2Establishment of the joint examination team

1.   After the first designation of an ICT third-party service provider as critical in accordance with Article 31(1), point (a), of Regulation (EU) 2022/2554, the Lead Overseer, in agreement with the Joint Oversight Network referred to in Article 34(1) of Regulation (EU) 2022/2554, shall establish the joint examination team responsible to carry out the oversight activities over that critical ICT third-party service provider.

2.   Where material changes regarding the situation of the critical ICT third-party service provider occur the Lead Overseer may update, in agreement with the Joint Oversight Network, the composition of the joint examination team responsible to carry out the oversight activities over that critical ICT third-party service provider.

For that purpose, material changes regarding the critical ICT third-party service provider shall relate to any of the following:

  1. (a)
    the services provided by critical ICT third-party service provider;
  2. (b)
    the activities performed by financial entities that are supported by ICT services of the critical ICT third-party service provider;
  3. (c)
    the list of critical ICT third-party service providers at Union level referred to in Article 31(9) of Regulation (EU) 2022/2554.

3.   The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall nominate one or more individuals from their staff to be appointed as members of the joint examination team. An individual may be nominated and appointed as member of one or more joint examination teams.

4.   The Lead Overseer shall appoint the individuals nominated as members of the joint examination team either on a full-time or on a part-time basis, depending on their availability, the specific needs of the Lead Overseer, and the agreement between the nominating authority and the Lead Overseer.

5.   When nominating the members of the joint examination teams, the authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall assess their technical expertise, qualifications and skills in ICT and relevant areas, including communication and collaboration skills, as well as audit and supervision skills.

6.   The Lead Overseer may require the nominating authorities to modify their nominations only in justified circumstances and when the profiles of the nominated individuals do not match the profile of the resources needed.

7.   The Lead Overseer and the authorities shall take all appropriate and possible measures to ensure that the joint examination team is staffed adequately in accordance with the annual individual oversight plan.

Article 3Members of the joint examination team

1.   The Lead Overseer shall determine the number of members of the joint examination team and its composition in agreement with the Joint Oversight Network referred to in Article 34(1) of Regulation (EU) 2022/2554 and in consultation with the Oversight Forum referred to in Article 32(1) of that Regulation.

2.   The Lead Overseer shall determine that number as part of the process of the establishment of the joint examination team, and as required over time, taking into account:

  1. (a)
    the tasks included in the individual annual oversight plans drafted for each critical ICT third-party service provider overseen by the joint examination team;
  2. (b)
    the strategic objectives of the multi-annual oversight plan drafted for all critical ICT third-party service providers overseen by all the joint examination teams.

3.   To determine the number and the composition of members in the joint examination team, the Lead Overseer shall consider at least all of the following:

  1. (a)
    the envisaged level of intensity of oversight activities to be performed in relation to all critical ICT third-party service providers;
  2. (b)
    the size and complexity of the ICT third-party service provider overseen by the joint examination team and by the ESAs as Lead Overseers;
  3. (c)
    the specific individual oversight needs related to the specific critical ICT third-party service provider, as assessed by the Lead Overseer;
  4. (d)
    the stability of the composition of the joint examination team, ensuring a proper knowledge retention;
  5. (e)
    the necessary skills required for the execution of the tasks by the joint examination team, considering the technical and non-technical ICT knowledge requirements;
  6. (f)
    the Member States in which the critical ICT third-party service provider provides ICT services supporting critical or important functions of the financial entities, and the competent authorities which supervise the financial entities making use of those services;
  7. (g)
    the different types, sizes, and numbers of financial entities to which the critical ICT third-party service provider provides ICT services supporting critical or important functions;
  8. (h)
    the competent authorities which supervise the financial entities that are the most dependent on the ICT services provided by the critical ICT third-party service providers;
  9. (i)
    a proportionate cross-sectoral representation of the nominating authorities of the joint examination team.

4.   When nominating members of the joint examination team, the authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall consider at least points (c), (d), (e), (g) and (h) of paragraph 3.

Article 4Change of the membership in the joint examination team

Periodically, or where the Lead Overseer changes, or where material changes as specified in Article 2(2) occur, the Lead Overseer, after having consulted the members of the joint examination team, shall assess the results of the members of the joint examination team. Both the nominating authorities and Lead Overseer shall use the results of that assessment to decide whether it is appropriate to change the membership of the joint examination team.

Article 5Working arrangements of the members of the joint examination team

1.   The members of the joint examination team shall carry out their tasks identified in the individual annual oversight plan with due skill, care, and diligence, without any bias and in accordance with the instructions of the Lead Overseer coordinator referred to in Article 40(2), second subparagraph of Regulation (EU) 2022/2554.

2.   When carrying out oversight tasks, the members of the joint examination team shall follow oversight procedures drafted jointly by the European Supervisory Authorities in relation to the conduct of oversight activities and any relevant operational area, including specifications relating to the use of IT tools and equipment and time management.

3.   The members of the joint examination team shall follow the information and data handling specifications and instructions provided by the Lead Overseer coordinator referred to in Article 40(2), second subparagraph of Regulation (EU) 2022/2554 and shall comply with the confidentiality regime of the European Supervisory Authorities.

4.   The Lead Overseer and the nominating authorities shall establish arrangements to implement the requirements laid down in this Regulation, including arrangements on the time spent and estimated costs related to the oversight activities performed by the joint examination team, training, and ethical and conduct considerations in relation to the role of the members of the joint examination team, where appropriate.

5.   The Lead Overseer and the nominating authorities shall ensure that the arrangements referred to in paragraph 4 are timely implemented, reviewed, and kept up to date.

Article 6Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.