# Art. 33 — Lead Overseer tasks

1. The [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer), appointed in accordance with [Article 31(1), point (b)](/dora/digital-operational-resilience-act/chapter-v-managing-ict-third-party-risk/article-31-designation-of-critical-providers.md), shall conduct the oversight of the assigned [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider).
2. For the purposes of paragraph 1, the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) shall assess whether each [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) which it may pose to financial entities.

   The assessment referred to in the first subparagraph shall focus mainly on [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) provided by the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) supporting the [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) of financial entities. Where necessary to address all relevant risks, that assessment shall extend to [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting functions other than those that are critical or important.
3. The assessment referred to in paragraph 2 shall cover:
   1. ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) provides to financial entities, as well as the ability to maintain at all times high standards of availability, authenticity, integrity or confidentiality of data;
   2. the physical security contributing to ensuring the ICT security, including the security of premises, facilities, data centres;
   3. the risk management processes, including [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management policies, ICT business continuity policy and ICT response and recovery plans;
   4. the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling effective [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management;
   5. the identification, monitoring and prompt reporting of material [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) to financial entities, the management and resolution of those incidents, in particular [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack);
   6. the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities;
   7. the testing of ICT systems, infrastructure and controls;
   8. the ICT audits;
   9. the use of relevant national and international standards applicable to the provision of its [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) to the financial entities.
4. Based on the assessment referred to in paragraph 2, and in coordination with the Joint Oversight Network (JON) referred to in [Article 34(1)](/dora/digital-operational-resilience-act/chapter-v-managing-ict-third-party-risk/article-34-operational-coordination.md), the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider). That plan shall be communicated yearly to the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider).

   Prior to the adoption of the oversight plan, the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer) shall communicate the draft oversight plan to the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider).

   Upon receipt of the draft oversight plan, the [critical ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers which are entities falling outside of the scope of this Regulation and where appropriate, formulating solutions to mitigate risks.
5. Once the annual oversight plans referred to in paragraph 4 have been adopted and notified to the [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider), competent authorities may take measures concerning such [critical ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/critical-ict-third-party-service-provider) only in agreement with the [Lead Overseer](https://www.mica.wtf/definitions/definitions/dora/lead-overseer).


