Question ID: 2752
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 30(3)(e)(iv)
Status: Rejected
Date of submission: 07 Aug 2023
Question
Is our understanding correct that this provision allows the inclusion of an obligation on the financial entity to provide details on the scope, procedures to be followed and the frequency of such inspections and audits, but that it does not constitute a requirement to include such an obligation?
Background of the question
Art. 30 para 3(e)(i) requires an unrestricted right of access, inspection and audit. An obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits could be seen as restrictions counter to the requirement of unrestricted access. However, if unrestricted access is provided without any obligation to provide details, it would lessen the financial entity’s position to be forced to include such an obligation.
EIOPA answer
This question has been rejected because it seeks confirmation of a requirement already clearly set out in the regulation.