§ DORA · Article 39
DORA Article 39: Obligations, Deadlines & Penalties
At a glance
Article 39 of the DORA imposes 6 obligations on Lead Overseer, critical ICT third-party service provider. At least one obligation carries an explicit compliance deadline. Non-compliance may result in administrative fines or other penalties.
§ Obligations
All obligations under Article 39
Obligation 1
The Lead Overseer shall consult the Joint Oversight Network (JON) for the purposes of exercising inspection powers.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
Lead Overseer
- Action required
-
consult
- Deadline
-
—
- Penalty
-
—
Obligation 2
Officials and other persons authorised by the Lead Overseer shall exercise their powers upon production of a written authorisation specifying the subject matter, purpose, and periodic penalty payments.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
Lead Overseer
- Action required
-
produce
- Deadline
-
—
- Penalty
-
—
Obligation 3
The Lead Overseer shall inform the competent authorities of the financial entities using the ICT third-party service provider in good time before the start of the inspection.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
Lead Overseer
- Action required
-
inform
- Deadline
-
in good time before the start of the inspection
- Penalty
-
—
Obligation 4
The Lead Overseer shall give reasonable notice to critical ICT third-party service providers before any planned on-site inspection, unless notice is not possible due to emergency or would render the inspection ineffective.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
Lead Overseer
- Action required
-
notify
- Deadline
-
reasonable notice before planned on-site inspection
- Penalty
-
—
- Exemptions
- emergency or crisis situation, or if notice would render inspection ineffective
Obligation 5
The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
critical ICT third-party service provider
- Action required
-
submit
- Deadline
-
—
- Penalty
-
periodic penalty payments provided for in Article 35(6)
Obligation 6
The Lead Overseer shall inform the critical ICT third-party service provider of the consequences of opposing an inspection, including the possibility for competent authorities to require financial entities to terminate contractual arrangements.
Regulation (EU) 2022/2554, Article 39, Article 39
- Obligated entity
-
Lead Overseer
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 39
Who must comply with Article 39 of the DORA?
+
Lead Overseer, critical ICT third-party service provider.
What does Article 39 of the DORA require?
+
consult produce inform
What is the compliance deadline for DORA Article 39?
+
in good time before the start of the inspection; reasonable notice before planned on-site inspection
What are the penalties for non-compliance with DORA Article 39?
+
periodic penalty payments provided for in Article 35(6)