Translations:Digital Operational Resilienec Act (DORA)/40/en

The supervision of ICT third-party providers is carried out by the ESAs, which under Article 31(2) DORA may designate them as “critical.” A lead supervisory authority will be appointed for each critical ICT third-party provider, with far-reaching powers, including information requests, inspections, and recommendations regarding security requirements and subcontracting. Central audits of ICT providers may also be conducted. It remains to be clarified which Austrian authority (possibly the FMA) will carry out such audits.