Pillar IV: ICT Third-Party Risk Management

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Article 36 — Exercise of the powers of the Lead Overseer outside the Union

Tags: extra-territorial, third-country, lead-overseer, powers

Summary

Addresses how the Lead Overseer exercises its oversight powers when critical ICT third-party providers are established outside the EU. Requires third-country providers to establish a subsidiary within the EU within 12 months of designation, enabling direct supervisory access.

Key Requirements

  1. Third-country critical providers must establish an EU subsidiary within 12 months

  2. EU subsidiary must enable effective exercise of oversight powers

  3. Cooperation arrangements with third-country supervisory authorities

  4. Assessment of equivalence of third-country oversight frameworks

  5. Contingency measures if EU subsidiary requirement cannot be met

Detailed Analysis

Article 36 confronts one of the most operationally challenging aspects of the DORA oversight framework: the fact that many critical ICT third-party service providers are headquartered outside the European Union, primarily in the United States. Major cloud providers, cybersecurity firms, and technology infrastructure companies often serve the EU financial sector from non-EU jurisdictions, raising questions about the enforceability of EU oversight powers.

The article addresses this by requiring that third-country critical ICT third-party providers designated under Article 31 establish a subsidiary within the EU within 12 months of designation. This EU subsidiary serves as the point of contact for the Lead Overseer and must be structured to enable the effective exercise of all oversight powers — information requests, investigations, and inspections. The requirement ensures that oversight is not merely theoretical but can be practically conducted.

Cooperation arrangements with third-country supervisory authorities are also addressed. Where a critical provider's home jurisdiction has an equivalent oversight framework, the Lead Overseer may rely on cooperation agreements to coordinate activities and avoid duplicative requirements. The assessment of equivalence considers whether the third-country framework provides comparable levels of risk management, transparency, and supervisory access.

For financial entities, Article 36 has significant practical implications. The requirement for an EU subsidiary affects the operational structure of their critical providers, potentially influencing service delivery models, data sovereignty arrangements, and contractual terms. Entities should assess whether their critical third-country providers are preparing for or have completed the subsidiary establishment, and factor any delays or non-compliance into their concentration risk assessments as required by Article 29.
