DORA · 2026-03-10 · 4 min read

DORA Article 36 Explained: Harmonisation of Conditions Enabling the Conduct of Oversight

Introduction

The Digital Operational Resilience Act (DORA) is a regulatory framework designed to enhance the digital operational resilience of financial entities within the European Union (EU). At the heart of DORA lies the necessity to harmonise the conditions enabling the conduct of oversight, which is addressed in Article 36. This article aims to provide a comprehensive understanding of the harmonisation process required, its implications for financial entities, and the steps necessary for compliance.

DORA Article 36 is significant because it sets forth the conditions under which oversight bodies can supervise the digital operational resilience of financial entities. It aims to ensure that these entities have appropriate governance, risk management, and reporting mechanisms in place. This harmonisation is crucial for maintaining consistency across the EU's financial sector, promoting stability, and addressing the risks associated with Information and Communication Technology (ICT) systems.

Key Requirements

DORA Article 36 outlines several key requirements for financial entities to ensure harmonisation of oversight conditions:

  • Transparent Reporting: Financial entities must ensure that their reporting to oversight bodies is transparent and timely, covering all relevant aspects of their ICT risk management.

  • Effective Governance: Entities must implement effective governance structures to oversee their ICT risk management processes, including the appointment of a designated person responsible for operational resilience.

  • Risk Assessment Practices: Entities are required to carry out regular risk assessments and develop comprehensive ICT risk management frameworks.

  • Third-Party Risk Management: Financial entities must manage risks associated with third-party providers, particularly those providing critical or important functions, through due diligence and ongoing monitoring.

  • Incident Reporting and Analysis: Entities must have incident reporting mechanisms in place to notify oversight bodies promptly and conduct thorough analysis to prevent future occurrences.

  • Regular Audits and Reviews: Conducting regular audits and reviews of ICT risk management practices ensures ongoing compliance and resilience.

Implementation Guide

To ensure compliance with DORA Article 36, financial entities should take the following practical steps:

  1. Establish Clear Governance Structures: Define roles and responsibilities for ICT risk management within the organization, including the appointment of a designated person.

  2. Develop ICT Risk Management Frameworks: Create comprehensive frameworks that include risk identification, assessment, mitigation, and reporting processes.

  3. Conduct Regular Risk Assessments: Regularly assess ICT risks, including those associated with third-party providers, and update risk management strategies accordingly.

  4. Implement Effective Reporting Mechanisms: Develop systems for reporting incidents and breaches to oversight bodies in a transparent and timely manner.

  5. Regular Audits and Reviews: Schedule regular audits and reviews of ICT risk management practices to ensure ongoing compliance and identify areas for improvement.

  6. Training and Awareness: Provide training to staff on the importance of digital operational resilience and the specific requirements of DORA Article 36.

  7. Documentation and Record-Keeping: Maintain thorough documentation of all risk assessments, incident reports, audits, and reviews to provide evidence of compliance.

Common Pitfalls

Financial entities should be aware of the following common pitfalls when implementing DORA Article 36 requirements:

  • Lack of Clear Governance: Failing to define clear roles and responsibilities can lead to confusion and gaps in oversight.

  • Inadequate Risk Assessment: Not conducting regular and comprehensive risk assessments can result in unidentified or unmanaged risks.

  • Poor Incident Reporting: Delayed or incomplete incident reporting can hinder the ability to learn from mistakes and prevent future incidents.

  • Neglecting Third-Party Risks: Overlooking the risks associated with third-party providers can expose the entity to significant operational and reputational risks.

  • Insufficient Documentation: Poor record-keeping can lead to difficulties in demonstrating compliance and may result in regulatory penalties.

How Matproof Helps

Matproof's compliance management platform streamlines the process of tracking and evidence collection for DORA Article 36 requirements. By automating compliance tasks, Matproof helps financial entities maintain clear governance structures, conduct regular risk assessments, and ensure transparent incident reporting, all while maintaining comprehensive documentation for regulatory audits.

Related Articles

For further reading on DORA and its implications for financial entities, consider exploring the following related articles:

Tags: DORA Article 36 · Harmonisation of Conditions Enabling the Conduct of Oversight · digital operational resilience · ICT risk management · financial regulation
