Chapter V — Managing of ICT third-party risk
Section II — Oversight framework for critical ICT third-party service providers
General investigations
Summary
Empowers the Lead Overseer to conduct general investigations of critical providers, including examining records, obtaining written or oral explanations, interviewing relevant persons, and requiring the production of documents. Investigations may be conducted directly or delegated to national competent authorities.
Key Requirements
1. Power to examine books, records, data, and documentation
2. Authority to obtain written or oral explanations from any relevant person
3. Right to interview management, staff, and external auditors
4. May delegate investigation activities to national competent authorities
5. Investigation findings feed into formal risk assessment and recommendations
Detailed Analysis
Article 38 equips the Lead Overseer with general investigation powers that go beyond passive information requests. Where document-based oversight (Article 37) is insufficient, the Lead Overseer can initiate a formal investigation, enabling active examination of a critical provider's operations, controls, and governance arrangements.
The investigation toolkit is comprehensive. The Lead Overseer may examine books, records, data, and documentation in any form. It may require written or oral explanations from any relevant person — including the provider's management, technical staff, compliance officers, and external auditors. Interviews may be conducted either at the Lead Overseer's premises or at the provider's offices, and the results are formally recorded.
A key feature of Article 38 is the ability to delegate investigation activities to national competent authorities. This is practically important because critical providers often have operations across multiple EU Member States, and national authorities have both the local presence and the language capabilities to conduct effective investigations in their jurisdictions. The Lead Overseer retains overall direction of the investigation while leveraging the distributed capacity of national supervisors.
Investigation findings are not standalone outputs — they feed into the Lead Overseer's formal risk assessment of the critical provider and inform the recommendations issued under Article 33. A well-documented investigation creates the evidentiary basis for enforceable recommendations and, if necessary, for the escalation measures available under Article 42. Critical providers should ensure their internal governance, documentation, and staff training enable cooperative and effective engagement with investigations, as obstruction or poor record-keeping signals governance weaknesses that intensify supervisory scrutiny.