Question ID: 2751
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT risk management (DORA)
Article: 30(3)(e)(i)
Status: Rejected
Date of submission: 07 Aug 2023
Question
Is our understanding correct that the requirement to have the right to agree on alternative assurance levels if other clients’ rights are affected is only required if the unrestricted rights of access, inspection and audit are limited where the unrestricted access would affect ICT third-party service provider’s other clients? In other words, Art. 30 para 3(e)(ii) is not an additional requirement that needs to be fulfilled if Art. 30 para 3(e)(i) is already agreed without such restriction?
Background of the question
A right to agree to alternative assurance levels does not seem required if the (primary) assurance levels of Art. 30 para 3(e)(i) have been granted without any restriction due to the ICT third-party service provider’s other clients. However, listing this right as an individual requirement in the list of requirements implies that it would have to be provided in addition to the unrestricted rights of access, inspection and audit.
EIOPA answer
This question has been rejected because it seeks to reinterpret the regulation.