European Insurance and Occupational Pensions Authority

DORA 134 - 3190

Q&A

Question ID: DORA 134 - 3190

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: ICT third-party risk management (DORA)

Article: 30(3)(e)(i)

Status: Rejected

Date of submission: 20 Nov 2024

Question

In Finland, telecom operators are strictly regulated; the regulations include the “Act on electronic communication services (917/2014)”, which does not allow giving access to a telecom operator's data. This means that data communications service providers are not able to agree to a customer's requirement to give information access to their services in the contractual arrangement. The “RTS to specify the policy on ICT services supporting critical or important functions” requires that “the relevant contractual arrangements shall include information access, inspection, audit, and ICT testing rights”. How will this contradiction be resolved? DORA Act Art 30 (3.e.i) has “unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, ...”, which also seems to be in contradiction with (917/2014).

Background of the question

The wording “unrestricted rights of access” in the DORA Act Art 30 (3.e.i) is found to be very troublesome. The issue can also be seen in “JC 2023 84 - Final report on draft RTS to specify the policy on ICT services supporting critical or important functions”, Article 8 (Contractual clauses for the use of ICT services supporting critical or important functions), item (2), which has the following text: “…the relevant contractual arrangements shall include information access, inspection, audit, and ICT testing rights.” The law on communication services is also strict and clear, and it clearly limits access to certain information. The way the DORA Act and the above RTS are written can be interpreted so that those limits would be breached. Finnish law (917/2014) defines the cases in which it is allowed to handle (including to read) transmission data. Overly wide information access can lead to issues with privacy, including GDPR, and in some cases would be in direct conflict with wider security requirements.

EIOPA answer

This question has been rejected because the objective of the Q&A tool is not to answer questions that put into doubt the correctness of the legal framework, seek a modification of the legal framework or would require such a modification in order to address the question.