Pillar IV: ICT Third-Party Risk Management
Article 33

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Tasks of the Lead Overseer


Summary

Defines the specific tasks and powers of the Lead Overseer in conducting oversight of critical ICT third-party providers, including risk assessments, recommendations, and the ability to request remedial action plans. The Lead Overseer assesses whether each critical provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage ICT risk.

Key Requirements

  1. Assess ICT risk management arrangements of critical providers
  2. Issue recommendations to address identified deficiencies
  3. Request remedial action plans with defined timelines
  4. Report findings to the Joint Committee and national competent authorities
  5. Conduct risk-based oversight using a prioritized workplan

Detailed Analysis

Article 33 defines the operational mandate of the Lead Overseer — the ESA designated under Article 31 to conduct direct oversight of a critical ICT third-party service provider. The Lead Overseer's primary task is to assess whether the critical provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage ICT risk that may affect the operational resilience of financial entities.

The assessment scope is deliberately broad. It covers the provider's ICT security governance, physical security, risk management processes, business continuity and disaster recovery arrangements, data handling practices, and subcontracting governance. The Lead Overseer must also evaluate whether the provider's arrangements are proportionate to the scale and complexity of the services provided and the systemic importance of the financial entities it serves.

When the Lead Overseer identifies deficiencies, it issues formal recommendations specifying the issues found and the remedial actions expected. The critical provider must respond with a remedial action plan within a defined timeline, detailing how it will address each recommendation. If the provider fails to respond adequately, or if the deficiencies are severe enough to pose immediate risk to financial stability, the Lead Overseer escalates to the Joint Committee and national competent authorities, which can then take action at the entity level — for instance, requiring financial entities to implement contingency measures or reduce their dependency on the affected provider.

The Lead Overseer operates on a risk-based workplan, concentrating resources on the areas of highest systemic risk. This prioritization considers the number and type of financial entities depending on the provider, the criticality of the functions supported, and the availability of substitutes. Auditors assessing compliance should look for evidence of the provider's engagement with the oversight process: documented responses to recommendations, implemented action plans, and demonstrated improvements in risk management maturity over successive assessment cycles.
