Pillar IV: ICT Third-Party Risk Management
Article 35

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Powers of the Lead Overseer


Summary

Enumerates the three core powers of the Lead Overseer: requesting information (Article 37), conducting general investigations (Article 38), and performing on-site inspections (Article 39). These powers are complemented by the ability to issue recommendations and, where appropriate, to publicize a provider's non-compliance.

Key Requirements

  1. Power to request any information necessary for oversight (Art. 37)

  2. Power to conduct general investigations including interviews (Art. 38)

  3. Power to perform on-site inspections of provider premises (Art. 39)

  4. Power to issue recommendations with comply-or-explain obligations

  5. Power to publicize non-compliance if a provider fails to address recommendations

Detailed Analysis

Article 35 sets out the enforcement toolkit available to the Lead Overseer, establishing three core investigative powers that form the backbone of the oversight framework. These are: the power to request information (detailed in Article 37), the power to conduct general investigations (Article 38), and the power to perform on-site inspections (Article 39). Together, these powers give the Lead Overseer the means to conduct thorough, evidence-based assessments of critical providers.

Beyond investigative powers, the Lead Overseer can issue formal recommendations to critical providers. These recommendations operate on a comply-or-explain basis: the provider must, within the deadline DORA sets, either notify the Lead Overseer that it intends to follow the recommendation or provide a reasoned explanation for not following it, for example because it considers the measures it already has in place to be equally effective. This mechanism leaves room for provider-specific solutions while maintaining accountability, because a provider cannot simply ignore supervisory guidance without putting its reasons on record.

A particularly significant power is the ability to publicize a provider's failure to comply with recommendations. For technology companies whose business depends on trust and reputation, the threat of public disclosure of regulatory non-compliance is a powerful incentive. This "naming and shaming" mechanism complements the formal supervisory powers and provides a deterrent that works independently of financial penalties.

It is important to note what Article 35 does not include: the Lead Overseer cannot impose fines on a critical ICT third-party provider for failing to follow its recommendations. The only monetary tool in Article 35 is the periodic penalty payment, which the Lead Overseer may impose to compel a provider that refuses to cooperate with an information request, a general investigation or an on-site inspection; it is capped at 1% of the provider's average daily worldwide turnover per day of delay and may run for no more than six months. The recommendations themselves remain non-binding, reflecting the fact that these providers are not financial entities and fall outside the traditional regulatory perimeter. However, as Article 42 makes clear, competent authorities can act at the entity level: as a last resort they may require financial entities to temporarily suspend the use of the service, in part or in full, or to terminate the contractual arrangement with a non-compliant provider. This indirect enforcement mechanism can be more impactful than a direct fine, because it threatens the provider's revenue stream.
