Source: OJ L 333, 27.12.2022, p. 1–79Current language: EN
- Digital operational resilience in the financial sector
Basic legislative acts
- DORA regulation
Article 39 Inspections
Summary What does Article 39 of the DORA regulation say?
This article sets out the on-site inspection powers of the Lead Overseer in relation to critical ICT third-party service providers.
It sits within the broader oversight framework established by Chapter V and works closely alongside Article 38 (general investigations) and Article 40 (joint examination teams), giving the Lead Overseer the practical tools to physically inspect a provider's premises.
The article covers the mechanics of how inspections are initiated, conducted, and enforced, including what happens when a provider refuses to cooperate.
Important points:
- The Lead Overseer has the authority to enter, inspect, and even seal the premises, books, or records of critical ICT third-party service providers, with inspections covering the full range of ICT systems and data used in providing services to financial entities.
- Reasonable notice must be given before a planned inspection, except where an emergency or crisis situation arises, or where giving notice would undermine the effectiveness of the inspection.
- Critical ICT third-party service providers that oppose an inspection face serious consequences, including the possibility that competent authorities may require financial entities to terminate their contractual arrangements with that provider.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the joint examination teams referred to in Article 40(1), may enter in, and conduct all necessary onsite inspections on, any business premises, land or property of the ICT third-party service providers, such as head offices, operation centres, secondary premises, as well as to conduct off-site inspections.
For the purposes of exercising the powers referred to in the first subparagraph, the Lead Overseer shall consult the JON.
The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection shall have the power to:
enter any such business premises, land or property; and
seal any such business premises, books or records, for the period of, and to the extent necessary for, the inspection.
The officials and other persons authorised by the Lead Overseer shall exercise their powers upon production of a written authorisation specifying the subject matter and the purpose of the inspection, and the periodic penalty payments provided for in Article 35(6) where the representatives of the critical ICT third-party service providers concerned do not submit to the inspection.
In good time before the start of the inspection, the Lead Overseer shall inform the competent authorities of the financial entities using that ICT third-party service provider.
Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data either used for, or contributing to, the provision of ICT services to financial entities.
Before any planned on-site inspection, the Lead Overseer shall give reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective.
The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the inspection, fix the date on which the inspection shall begin and shall indicate the periodic penalty payments provided for in Article 35(6), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, as well as the right to have the decision reviewed by the Court of Justice.
Where the officials and other persons authorised by the Lead Overseer find that a critical ICT third-party service provider opposes an inspection ordered pursuant to this Article, the Lead Overseer shall inform the critical ICT third-party service provider of the consequences of such opposition, including the possibility for competent authorities of the relevant financial entities to require financial entities to terminate the contractual arrangements concluded with that critical ICT third-party service provider.
Relevant recitals
Recital 89 Rights of critical ICT third-party service providers
Due to the significant impact of being designated as critical, this Regulation should ensure that the rights of critical ICT third-party service providers are observed throughout the implementation of the Oversight Framework. Prior to being designated as critical, such providers should, for example, have the right to submit to the Lead Overseer a reasoned statement containing any relevant information for the purposes of the assessment related to their designation. Since the Lead Overseer should be empowered to submit recommendations on ICT risk matters and suitable remedies thereto, which include the power to oppose certain contractual arrangements ultimately affecting the stability of the financial entity or the financial system, critical ICT third-party service providers should also be given the opportunity to provide, prior to the finalisation of those recommendations, explanations regarding the expected impact of the solutions, envisaged in the recommendations, on customers that are entities falling outside the scope of this Regulation and to formulate solutions to mitigate risks. Critical ICT third-party service providers disagreeing with the recommendations should submit a reasoned explanation of their intention not to endorse the recommendation. Where such reasoned explanation is not submitted or where it is considered to be insufficient, the Lead Overseer should issue a public notice summarily describing the matter of non-compliance.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT risk
Definition
ICT third-party service provider
Definition
network and information system
Definition
critical ICT third-party service provider
Definition
ICT services
Definition
Lead Overseer