Skip to main content
DORA Auditor

Lead Overseer

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

The Lead Overseer is the European Supervisory Authority (EBA, ESMA, or EIOPA) appointed under DORA Articles 31–33 to oversee a designated critical ICT third-party provider. It exercises the EU-level oversight powers over the provider directly, separately from the national competent authorities that supervise financial entities.

Detailed explanation

When a provider is designated as a critical ICT third-party provider (CTPP), one of the three ESAs is appointed as its Lead Overseer, chosen according to the provider's activities and the financial entities most affected. The Lead Overseer conducts the oversight rather than the many national authorities whose supervised entities use the provider, avoiding fragmented and duplicative supervision of the same firm. Its powers include requesting all relevant information and documentation, conducting general investigations and on-site inspections, issuing recommendations on the provider's ICT risk management, and, where the provider fails to comply, imposing periodic penalty payments until it does. The Lead Overseer works with a Joint Examination Team drawn from the ESAs and competent authorities, and coordinates through an Oversight Forum. Importantly, the Lead Overseer supervises the provider, not the financial entity's use of it: financial entities remain responsible under Articles 28–30 for managing their own third-party risk, including the ability to exit an arrangement if the Lead Overseer's recommendations are not addressed.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 31.

Related terms

Sources

  1. DORA Articles 31–33, EUR-Lex