§ DORA · Article 37
DORA Article 37: Obligations, Deadlines & Penalties
At a glance
Article 37 of the DORA imposes 5 obligations on Lead Overseer, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 37
Obligation 1
Critical ICT third-party service providers must provide all information necessary for the Lead Overseer to carry out its duties, including business documents, contracts, policies, and audit reports.
Regulation (EU) 2022/2554, Article 37, Article 37
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 2
When sending a simple request for information, the Lead Overseer must refer to this Article as the legal basis, state the purpose, specify required information, set a time limit, and inform the representative that provision is voluntary but must not be incorrect or misleading.
Regulation (EU) 2022/2554, Article 37, Article 37
- Obligated entity
-
Lead Overseer
- Action required
-
refer
- Deadline
-
—
- Penalty
-
—
Obligation 3
When requiring information by decision, the Lead Overseer must refer to this Article as the legal basis, state the purpose, specify required information, set a time limit, indicate periodic penalty payments for non-compliance, and indicate the right to appeal.
Regulation (EU) 2022/2554, Article 37, Article 37
- Obligated entity
-
Lead Overseer
- Action required
-
refer
- Deadline
-
—
- Penalty
-
—
Obligation 4
Representatives of critical ICT third-party service providers must supply the information requested, remaining fully responsible if the information is incomplete, incorrect, or misleading.
Regulation (EU) 2022/2554, Article 37, Article 37
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
supply
- Deadline
-
—
- Penalty
-
—
Obligation 5
The Lead Overseer must transmit a copy of the decision to supply information without delay to the competent authorities of the financial entities using the services and to the JON.
Regulation (EU) 2022/2554, Article 37, Article 37
- Obligated entity
-
Lead Overseer
- Action required
-
transmit
- Deadline
-
without delay
- Penalty
-
—
§ Frequently asked
Questions about Article 37
Who must comply with Article 37 of the DORA?
+
Lead Overseer, critical ICT third-party service provider.
What does Article 37 of the DORA require?
+
provide refer supply
What is the compliance deadline for DORA Article 37?
+
without delay