§ DORA · Article 39

DORA Article 39: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 39 · All obligations · DORA
At a glance
Article 39 of the DORA imposes 6 obligations on Lead Overseer, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline. Non-compliance may result in administrative fines or other penalties.
§ Obligations

All obligations under Article 39

Obligation 1
The Lead Overseer shall consult the Joint Oversight Network (JON) for the purposes of exercising inspection powers. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
Lead Overseer
Action required
consult
Deadline
Penalty
Obligation 2
Officials and other persons authorised by the Lead Overseer shall exercise their powers upon production of a written authorisation specifying the subject matter, purpose, and periodic penalty payments. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
Lead Overseer
Action required
produce
Deadline
Penalty
Obligation 3
The Lead Overseer shall inform the competent authorities of the financial entities using the ICT third-party service provider in good time before the start of the inspection. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
Lead Overseer
Action required
inform
Deadline
in good time before the start of the inspection
Penalty
Obligation 4
The Lead Overseer shall give reasonable notice to critical ICT third-party service providers before any planned on-site inspection, unless notice is not possible due to emergency or would render the inspection ineffective. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
Lead Overseer
Action required
notify
Deadline
reasonable notice before planned on-site inspection
Penalty
Exemptions
emergency or crisis situation, or if notice would render inspection ineffective
Obligation 5
The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
critical ICT third-party service provider
Action required
submit
Deadline
Penalty
periodic penalty payments provided for in Article 35(6)
Obligation 6
The Lead Overseer shall inform the critical ICT third-party service provider of the consequences of opposing an inspection, including the possibility for competent authorities to require financial entities to terminate contractual arrangements. Regulation (EU) 2022/2554, Article 39, Article 39
Obligated entity
Lead Overseer
Action required
inform
Deadline
Penalty
§ Frequently asked

Questions about Article 39

Who must comply with Article 39 of the DORA? +
Lead Overseer, critical ICT third-party service provider.
What does Article 39 of the DORA require? +
consult produce inform
What is the compliance deadline for DORA Article 39? +
in good time before the start of the inspection; reasonable notice before planned on-site inspection
What are the penalties for non-compliance with DORA Article 39? +
periodic penalty payments provided for in Article 35(6)
Need a cross-border briefing on DORA Article 39?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles