§ DORA · Article 37

DORA Article 37: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 37 · All obligations · DORA
At a glance
Article 37 of the DORA imposes 5 obligations on Lead Overseer, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 37

Obligation 1
Critical ICT third-party service providers must provide all information necessary for the Lead Overseer to carry out its duties, including business documents, contracts, policies, and audit reports. Regulation (EU) 2022/2554, Article 37, Article 37
Obligated entity
critical ICT third-party service provider
Action required
provide
Deadline
Penalty
Obligation 2
When sending a simple request for information, the Lead Overseer must refer to this Article as the legal basis, state the purpose, specify required information, set a time limit, and inform the representative that provision is voluntary but must not be incorrect or misleading. Regulation (EU) 2022/2554, Article 37, Article 37
Obligated entity
Lead Overseer
Action required
refer
Deadline
Penalty
Obligation 3
When requiring information by decision, the Lead Overseer must refer to this Article as the legal basis, state the purpose, specify required information, set a time limit, indicate periodic penalty payments for non-compliance, and indicate the right to appeal. Regulation (EU) 2022/2554, Article 37, Article 37
Obligated entity
Lead Overseer
Action required
refer
Deadline
Penalty
Obligation 4
Representatives of critical ICT third-party service providers must supply the information requested, remaining fully responsible if the information is incomplete, incorrect, or misleading. Regulation (EU) 2022/2554, Article 37, Article 37
Obligated entity
critical ICT third-party service provider
Action required
supply
Deadline
Penalty
Obligation 5
The Lead Overseer must transmit a copy of the decision to supply information without delay to the competent authorities of the financial entities using the services and to the JON. Regulation (EU) 2022/2554, Article 37, Article 37
Obligated entity
Lead Overseer
Action required
transmit
Deadline
without delay
Penalty
§ Frequently asked

Questions about Article 37

Who must comply with Article 37 of the DORA? +
Lead Overseer, critical ICT third-party service provider.
What does Article 37 of the DORA require? +
provide refer supply
What is the compliance deadline for DORA Article 37? +
without delay
Need a cross-border briefing on DORA Article 37?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles