1. European
  2. Legislation (EU)
  3. EU Regulations
  4. 2022
Date-stamp loading
  1. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Digital Operational Resilience Act (DORA) / Regulation on digital operational resilience for the financial sector)
  2. Chapter V Managing of ICT third-party risk (arts. 28-44)
  3. Section II Oversight Framework of critical ICT third-party service providers (arts. 31-44)
  4. Article 38 General investigations
Previous Next
Version status: Entered into force | Document consolidation status: No known changes
Version date: 16 January 2023 - 16 January 2025
  Version 2 of 3  

Article 38 General investigations

1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the joint examination team referred to in Article 40(1), may, where necessary, conduct investigations of critical ICT third-party service providers.

2. The Lead Overseer shall have the power to:

(a) examine records, data, procedures and any other material relevant to the execution of its tasks, irrespective of the medium on which they are stored;

(b) take or obtain certified copies of, or extracts from, such records, data, documented procedures and any other material;

(c) summon representatives of the critical ICT third-party service provider for oral or written explanations on facts or documents relating to the subject matter and purpose of the investigation and to record the answers;

(d) interview any other natural or legal person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;

(e) request records of telephone and data

Comparing proposed amendment...
Previous Next