Source: OJ L 333, 27.12.2022, p. 1–79
- DORA regulation
Article 37 Request for information
The Lead Overseer may, by simple request or by decision, require critical ICT third-party service providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies, documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party service provider has outsourced operational functions or activities.
When sending a simple request for information under paragraph 1, the Lead Overseer shall:
refer to this Article as the legal basis of the request;
state the purpose of the request;
specify what information is required;
set a time limit within which the information is to be provided;
inform the representative of the critical ICT third-party service provider from whom the information is requested that he or she is not obliged to provide the information, but in the event of a voluntary reply to the request the information provided must not be incorrect or misleading.
When requiring by decision to supply information under paragraph 1, the Lead Overseer shall:
refer to this Article as the legal basis of the request;
state the purpose of the request;
specify what information is required;
set a time limit within which the information is to be provided;
indicate the periodic penalty payments provided for in Article 35(6) where the production of the required information is incomplete or when such information is not provided within the time limit referred to in point (d) of this paragraph;
indicate the right to appeal the decision to ESA’s Board of Appeal and to have the decision reviewed by the Court of Justice of the European Union (Court of Justice) in accordance with Articles 60 and 61 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
The representatives of the critical ICT third-party service providers shall supply the information requested. Lawyers duly authorised to act may supply the information on behalf of their clients.
The critical ICT third-party service provider shall remain fully responsible if the information supplied is incomplete, incorrect or misleading.
The Lead Overseer shall, without delay, transmit a copy of the decision to supply information to the competent authorities of the financial entities using the services of the relevant critical ICT third-party service providers and to the JON.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.