Pillar IV: ICT Third-Party Risk Management
Article 39

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Inspections

Tags: inspections, on-site, access-rights, lead-overseer

Summary

Grants the Lead Overseer the power to conduct on-site inspections at any business premises, data centres, or operational sites of critical ICT third-party providers. Inspections may be announced or unannounced, and providers must grant full access to premises, systems, and data.

Key Requirements

  1. Lead Overseer may inspect any premises, data centres, or operational sites
  2. Inspections may be announced or unannounced
  3. Full access to premises, systems, records, and data must be granted
  4. Inspection team may include national authority officials and external experts
  5. Providers must facilitate inspection including IT system demonstrations

Detailed Analysis

Article 39 establishes the Lead Overseer's most intrusive oversight power: the ability to conduct on-site inspections at any business premises, data centres, or operational sites of a critical ICT third-party service provider. This power reflects the recognition that certain aspects of a provider's ICT risk management — physical security, data centre infrastructure, operational procedures, and staff competency — can only be effectively assessed through direct observation.

Inspections may be announced or unannounced. Announced inspections allow the provider to prepare documentation and ensure relevant personnel are available, which generally leads to more productive visits. Unannounced inspections, while more disruptive, are essential for assessing day-to-day operational realities rather than curated presentations. The decision between announced and unannounced inspections typically depends on the specific risk concerns driving the inspection.

The provider must grant the inspection team full access to all relevant premises, systems, records, and data. This includes physical access to data centres and operational facilities, logical access to IT systems for demonstration purposes, and access to personnel for interviews. The inspection team may include Lead Overseer staff, officials from national competent authorities, and qualified external experts brought in for specialized technical assessments.

Procedural safeguards protect the provider's legitimate interests. The inspection decision must specify the subject matter and purpose, the inspection team composition, and the anticipated duration. The provider has the right to have legal counsel present and to make representations about the inspection process. However, these safeguards cannot be used to obstruct or unreasonably delay the inspection. Financial entities should note that the ability of their regulators to inspect critical providers' premises strengthens the overall assurance environment, potentially reducing entities' own audit burden under Article 30.
