Pillar IV: ICT Third-Party Risk Management
Article 37

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Request for information

Tags: information-request, oversight, lead-overseer

Summary

Establishes the Lead Overseer's power to request any information and documentation necessary for oversight, specifying procedural requirements including written requests, response deadlines, data protection safeguards, and the consequences of non-cooperation.

Key Requirements

  1. Lead Overseer may request any information necessary for oversight duties
  2. Requests must be in writing with clear scope, purpose, and deadline
  3. Critical providers must respond fully, accurately, and within the deadline
  4. Information requests may cover any aspect of ICT risk management
  5. Non-cooperation constitutes grounds for escalation under Article 42

Detailed Analysis

Article 37 details the Lead Overseer's information-gathering power — the most frequently used oversight tool. The Lead Overseer can request any information and documentation necessary for carrying out its oversight duties, covering the full scope of the critical provider's ICT risk management arrangements, governance structures, security controls, business continuity measures, and subcontracting chains.

Procedural safeguards ensure that information requests are transparent and proportionate. Requests must be made in writing, clearly stating the scope of information sought, the regulatory basis for the request, the purpose for which it will be used, and the deadline for response. These requirements protect providers from open-ended or overly burdensome requests while giving the Lead Overseer the flexibility to obtain the information it needs.

Critical providers must respond fully, accurately, and within the specified deadline. Incomplete, misleading, or late responses constitute non-cooperation and may trigger escalation under Article 42, where competent authorities can take action at the entity level. In practice, repeated information requests with unsatisfactory responses are often the first indicator that a provider has systemic governance deficiencies.

For institutions managing their third-party risk, Article 37's information-gathering power has an indirect benefit: it strengthens the information environment around critical providers. Financial entities may find that information previously difficult to obtain from dominant providers — about subcontracting arrangements, security incident histories, or business continuity test results — becomes more readily available once the provider is subject to regulatory information requests. Entities should coordinate their own contractual information rights (Article 30) with the regulatory information flows generated under this article.


Valendir maps every DORA requirement to actionable controls, evidence, and workflows.
