DORA
Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Digital Operational Resilience Act
- Recitals
CHAPTER I
General provisionsArticles 1 — 4
CHAPTER II
ICT risk managementArticles 5 — 16
CHAPTER III
ICT-related incident management, classification and reportingArticles 17 — 23
CHAPTER IV
Digital operational resilience testingArticles 24 — 27
CHAPTER V
Managing of ICT third-party riskArticles 28 — 44
CHAPTER VI
Information-sharing arrangementsArticles 45 — 45
CHAPTER VII
Competent authoritiesArticles 46 — 56
CHAPTER VIII
Delegated actsArticles 57 — 57
CHAPTER IX
Transitional and final provisionsArticles 58 — 64
DORA
DORA Article 39. Inspections
- 1.In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the joint examination teams referred to in Article 40(1), may enter in, and conduct all necessary onsite inspections on, any business premises, land or property of the ICT third-party service providers, such as head offices, operation centres, secondary premises, as well as to conduct off-site inspections. For the purposes of exercising the powers referred to in the first subparagraph, the Lead Overseer shall consult the JON.
- 2.The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection shall have the power to:
- (a)enter any such business premises, land or property; and
- (b)seal any such business premises, books or records, for the period of, and to the extent necessary for, the inspection.
The officials and other persons authorised by the Lead Overseer shall exercise their powers upon production of a written authorisation specifying the subject matter and the purpose of the inspection, and the periodic penalty payments provided for in Article 35(6) where the representatives of the critical ICT third-party service providers concerned do not submit to the inspection.
- 3.In good time before the start of the inspection, the Lead Overseer shall inform the competent authorities of the financial entities using that ICT third-party service provider.
- 4.Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data either used for, or contributing to, the provision of ICT services to financial entities.
- 5.Before any planned on-site inspection, the Lead Overseer shall give reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective.
- 6.The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the inspection, fix the date on which the inspection shall begin and shall indicate the periodic penalty payments provided for in Article 35(6), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, as well as the right to have the decision reviewed by the Court of Justice.
- 7.Where the officials and other persons authorised by the Lead Overseer find that a critical ICT third-party service provider opposes an inspection ordered pursuant to this Article, the Lead Overseer shall inform the critical ICT third-party service provider of the consequences of such opposition, including the possibility for competent authorities of the relevant financial entities to require financial entities to terminate the contractual arrangements concluded with that critical ICT third-party service provider.