Source: OJ L 333, 27.12.2022, p. 1–79

Article 37 Request for information

Summary: What does Article 37 of the DORA regulation say?

This article sits within the Oversight Framework and details the information-gathering powers of the Lead Overseer over critical ICT third-party service providers.

It establishes two distinct mechanisms through which the Lead Overseer can compel the provision of information: a simple request (which is voluntary in nature) and a formal decision (which is binding and carries penalties for non-compliance).

The article carefully sets out what each type of request must contain, and makes clear that responsibility for the accuracy and completeness of any information supplied rests with the critical ICT third-party service provider, even if lawyers submit it on their behalf.

It also connects back to Article 35, as the periodic penalty payments referenced for non-compliance are those established there.

Important points:

  • The Lead Overseer has two routes to obtain information from critical ICT third-party service providers: a simple request (voluntary, but any response must not be incorrect or misleading) or a binding decision (which carries the risk of periodic penalty payments for non-compliance or late delivery).
  • Critical ICT third-party service providers remain fully responsible for any information supplied, regardless of who physically submits it.
  • The Lead Overseer is required to transmit a copy of any formal decision to supply information to the relevant competent authorities and to the Joint Oversight Network without delay.

Springlex's summary of the article is a reading aid, not a substitute for the legal text, which follows.

    1. The Lead Overseer may, by simple request or by decision, require critical ICT third-party service providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies, documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party service provider has outsourced operational functions or activities.

    2. When sending a simple request for information under paragraph 1, the Lead Overseer shall:

      (a) refer to this Article as the legal basis of the request;

      (b) state the purpose of the request;

      (c) specify what information is required;

      (d) set a time limit within which the information is to be provided;

      (e) inform the representative of the critical ICT third-party service provider from whom the information is requested that he or she is not obliged to provide the information, but in the event of a voluntary reply to the request the information provided must not be incorrect or misleading.

    3. When requiring by decision to supply information under paragraph 1, the Lead Overseer shall:

      (a) refer to this Article as the legal basis of the request;

      (b) state the purpose of the request;

      (c) specify what information is required;

      (d) set a time limit within which the information is to be provided;

      (e) indicate the periodic penalty payments provided for in Article 35(6) where the production of the required information is incomplete or when such information is not provided within the time limit referred to in point (d) of this paragraph;

      (f) indicate the right to appeal the decision to ESA’s Board of Appeal and to have the decision reviewed by the Court of Justice of the European Union (Court of Justice) in accordance with Articles 60 and 61 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

    4. The representatives of the critical ICT third-party service providers shall supply the information requested. Lawyers duly authorised to act may supply the information on behalf of their clients. The critical ICT third-party service provider shall remain fully responsible if the information supplied is incomplete, incorrect or misleading.

    5. The Lead Overseer shall, without delay, transmit a copy of the decision to supply information to the competent authorities of the financial entities using the services of the relevant critical ICT third-party service providers and to the JON.

Crafted with ❤️ by Springflod