DORA Art.32–35: Lead Overseer Powers — Oversight Plans, Information Requests, On-Site Inspections, and Oversight Fees (2026)
Post #411 in the sota.io EU Cyber Compliance Series
DORA Art.31 established who is subject to Lead Overseer supervision — Critical ICT Third-Party Providers (CTPPs) designated by the ESA Joint Oversight Committee. Articles 32–35 answer the next question: what can the Lead Overseer actually do, and what happens when it finds problems?
The answer is a comprehensive enforcement toolkit that goes well beyond anything in NIS2 or GDPR for ICT providers. The Lead Overseer can demand documents, interview staff, enter data centres, and ultimately instruct financial entities to stop using a non-compliant CTPP. Oversight fees — calculated on annual turnover — create a direct financial relationship between CTPPs and ESAs that has no parallel elsewhere in EU financial regulation.
This guide covers:
- Art.32: General framework for oversight of CTPPs
- Art.33: Powers of the Lead Overseer — the full investigative toolkit
- Art.34: Exercise of oversight powers outside the Union
- Art.35: Follow-up by competent authorities
- Oversight fees under CDR (EU) 2024/2819
- Python
DORALeadOverseerTrackerimplementation - DORA × NIS2 × GDPR cross-mapping for oversight powers
- 25-item compliance readiness checklist
Art.32: General Framework for Oversight
Art.32(1) establishes the Lead Overseer's mandate: continuous oversight of the CTPP's ICT risk management practices, with a focus on ensuring that the CTPP's failure would not cause systemic disruption to EU financial services. This is not periodic audit-style supervision — it is ongoing, relationship-based oversight comparable to how the ECB supervises significant credit institutions.
The Annual Oversight Plan
Art.32(2) requires the Lead Overseer to prepare an annual oversight plan for each designated CTPP. The oversight plan must cover:
- The main goals and oversight activities planned for the year
- Proposed methodology and rationale for the activities chosen
- Any cross-border oversight activities involving non-EEA operations
- Cooperation arrangements with other Lead Overseers for multi-sector CTPPs
The oversight plan is adopted by the Lead Overseer after consultation with the CTPP. DORA does not require the CTPP to approve the plan — consultation is procedural, not consent-based. However, the consultation creates a channel for CTPPs to flag operational constraints (e.g., data centre access procedures, staff availability windows) that can inform the investigation calendar.
Multi-Sector CTPPs
A CTPP providing services to banking, securities, and insurance sectors simultaneously will have clients supervised by EBA, ESMA, and EIOPA. Art.32(3) addresses this through the Joint Oversight Committee (JOC): where a CTPP is relevant to multiple sectors, the Lead Overseer coordinates with the other two ESAs through the JOC to ensure a coherent oversight approach and avoid duplicative demands on the CTPP.
For the CTPP, this is operationally significant: it means a single oversight plan, a single Joint Examination Team (JET) per investigation cycle, and a single primary contact point — even if the underlying financial entity base spans all three sectors.
Oversight Activities in Practice
The Art.32 framework translates into three recurring activity types:
| Activity | Frequency | Trigger |
|---|---|---|
| Oversight plan preparation | Annual | Calendar: Q4 for following year |
| Desk-based document review | Ongoing | Post-incident, regulatory change, routine |
| General investigation | As needed | Specific risk concern identified |
| On-site inspection | As needed | Investigation follow-up, serious concern |
The oversight plan is public (disclosed to financial entities that have contracts with the CTPP) but the detailed investigation schedule is not. Financial entities learn about oversight activities that directly concern their contracts through Art.35 follow-up notifications from competent authorities.
Art.33: Powers of the Lead Overseer
Art.33 is the operational core of Chapter V. It enumerates four categories of investigative power, each with its own procedural requirements and CTPP obligations.
Power 1: Requests for Information
Art.33(2)(a) authorises the Lead Overseer to request any information and documentation relevant to the oversight plan, including:
- ICT risk management policies and procedures
- Business continuity and disaster recovery plans
- Records of ICT-related incidents affecting financial entity clients
- Sub-outsourcing arrangements and sub-CTPP details
- Audit reports (internal and external)
- Information security certifications (ISO 27001, SOC 2, etc.)
Response deadline: Art.37 sets a 30 working-day response period for routine information requests. The Lead Overseer can grant extensions in justified cases. Incomplete or deliberately misleading responses expose the CTPP to supervisory measures under Art.42.
Practical implication for CTPPs: A well-organised CTPP should have a dedicated regulatory response team capable of producing the standard document set within 30 days. This means maintaining a regulatory document library — not a scattered set of PDFs across internal drives, but a versioned, access-controlled repository where each document type maps to a DORA article and a response SLA.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
@dataclass
class RegulatoryDocument:
doc_id: str
doc_type: str # e.g., "ICT Risk Policy", "BCP", "Sub-CTPP Register"
dora_article: str # e.g., "Art.6", "Art.17", "Art.31(12)"
last_updated: date
owner: str
location: str # vault path / SharePoint URL
response_ready: bool = False # pre-assembled for 30-day response?
@dataclass
class InformationRequest:
request_id: str
lead_overseer: str # "EBA", "ESMA", "EIOPA"
received_date: date
deadline_date: date = field(init=False)
documents_requested: list[str] = field(default_factory=list)
status: str = "OPEN"
def __post_init__(self):
self.deadline_date = self.received_date + timedelta(days=42) # 30 working days ≈ 42 calendar days
def days_remaining(self) -> int:
return (self.deadline_date - date.today()).days
def is_at_risk(self) -> bool:
return self.days_remaining() < 10 and self.status != "SUBMITTED"
Power 2: General Investigations
Art.33(2)(b) permits the Lead Overseer to conduct general investigations, which go beyond document requests to include:
- Examining records, data, procedures, and documentation
- Obtaining explanations from any person connected to the CTPP (staff, management, sub-contractors)
- Interviewing key function holders (CISO, CTO, Head of Risk)
- Reviewing any materials relevant to the oversight objective
A general investigation is typically desk-based but may require the CTPP to facilitate access to specific systems (read-only access to monitoring dashboards, log exports, configuration snapshots). The CTPP cannot require the Lead Overseer to give advance notice of specific questions — the investigation is broad and can follow any trail.
Key procedural safeguard: Art.33(3) requires the Lead Overseer to give advance written notice before beginning a general investigation, specifying the scope and estimated duration. This notice period is typically 10 working days but can be shortened in urgent cases.
Power 3: On-Site Inspections
Art.33(2)(c) and Art.33 broadly authorise on-site inspections at any premises of the CTPP — headquarters, data centres, network operations centres (NOCs), security operations centres (SOCs), and sub-CTPP facilities (where the sub-CTPP has been notified under Art.31(12)).
Notice requirement: Art.39 requires the Lead Overseer to give 48 hours advance notice before an on-site inspection, except in extraordinary circumstances where the Lead Overseer may conduct an unannounced inspection. Extraordinary circumstances include:
- Reasonable suspicion of an ongoing ICT-related incident being concealed
- Evidence of obstruction in prior investigations
- Imminent risk to financial entity clients
What inspectors examine on-site:
- Physical security controls of data centres (access logs, CCTV, intrusion detection)
- Configuration of production systems (live environment review, not just documentation)
- Staff capacity and competence (interviews without management present)
- Sub-outsourcing controls (evidence of actual monitoring, not just policy)
- Incident response capability (tabletop exercises, war game results)
- Backup and recovery infrastructure (BCP facility checks)
What CTPPs should prepare for on-site visits:
@dataclass
class OnSiteInspectionPrep:
facility_type: str # "HQ", "DC-Primary", "DC-Secondary", "NOC", "SOC"
contact_person: str # facility lead for inspection day
access_procedures: str # advance briefing document location
# Required documentation packs (assembled in advance)
doc_pack_physical_security: bool = False
doc_pack_bcp_facility: bool = False
doc_pack_staff_competence_records: bool = False
doc_pack_sub_ctpp_monitoring: bool = False
doc_pack_live_system_overview: bool = False
# Logistics
inspector_room_available: bool = False
secure_wifi_for_inspectors: bool = False
local_it_liaison_available: bool = False
@property
def readiness_score(self) -> float:
items = [
self.doc_pack_physical_security,
self.doc_pack_bcp_facility,
self.doc_pack_staff_competence_records,
self.doc_pack_sub_ctpp_monitoring,
self.doc_pack_live_system_overview,
self.inspector_room_available,
self.secure_wifi_for_inspectors,
self.local_it_liaison_available,
]
return sum(items) / len(items)
def readiness_report(self) -> str:
score = self.readiness_score
level = "READY" if score >= 0.875 else "AT RISK" if score >= 0.625 else "NOT READY"
return f"Facility {self.facility_type} — Inspection Readiness: {level} ({score:.0%})"
Power 4: Supervisory Measures (Art.42)
If oversight activities reveal compliance deficiencies, the Lead Overseer can issue recommendations to the CTPP under Art.42. The CTPP must:
- Acknowledge receipt within 5 working days
- Present a remediation plan within 30 working days (or the Lead Overseer's specified deadline)
- Implement remediation within the agreed timeline
- Report on remediation progress at intervals specified in the recommendation
If the CTPP fails to implement recommendations adequately, the Lead Overseer can escalate through two mechanisms:
Pathway A — Direct supervisory pressure: Issue a formal supervisory measure requiring the CTPP to cease or modify specific practices. Art.42(6) allows the Lead Overseer to impose periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover, applied for each day of non-compliance (up to 6 months).
Pathway B — Financial entity notification (Art.35): Notify the relevant competent authorities, who can then require financial entities to stop using the non-compliant CTPP (see Art.35 section below).
Art.34: Exercise of Oversight Powers Outside the Union
Many designated CTPPs will be headquartered outside the EU — hyperscalers, US-domiciled SaaS vendors, and global system integrators operating EU subsidiaries or branches. Art.34 addresses this through a cooperation and equivalence framework.
Non-EEA CTPP Structure
Where a CTPP is established outside the EEA, Art.34(1) requires it to designate a legal representative established in an EU Member State as the primary contact point for Lead Overseer oversight activities. The legal representative has the same obligations as the CTPP itself for information requests, general investigations, and inspection facilitation.
This does not replace the CTPP's direct obligations — the legal representative is an additional point of contact, not a shield from direct supervision. The Lead Overseer retains the right to engage directly with the CTPP's non-EEA headquarters.
Third-Country Supervisory Cooperation
Art.34(3) provides for the European Supervisory Authorities to enter into supervisory cooperation agreements with third-country competent authorities (e.g., US federal banking regulators, UK FCA/PRA, Swiss FINMA). Where such agreements exist, the Lead Overseer may rely on third-country supervisory findings to avoid duplicating examination work already conducted under equivalent frameworks.
As of Q1 2026, the ESAs have not yet published the complete list of recognised third-country equivalent supervisory frameworks. CTPPs with operations in the US, UK, or Switzerland should monitor ESA publications for equivalence decisions that may reduce their direct DORA oversight burden.
Practical Implications for Non-EEA CTPPs
| Issue | DORA Art.34 Requirement | Practical Action |
|---|---|---|
| EU legal representative | Designated natural or legal person in EU | Appoint dedicated DORA response entity |
| On-site inspection at non-EEA facility | Lead Overseer must coordinate with local authority | Pre-arrange protocol with local supervisors |
| Information request response | Same 30-day deadline as EEA CTPPs | Route through EU legal representative for EU time zone compliance |
| Sub-outsourcing outside EEA | Notification to Lead Overseer (Art.31(12)) | Register all non-EEA sub-CTPPs proactively |
Art.35: Follow-up by Competent Authorities
Art.35 closes the oversight loop: it defines how Lead Overseer findings about CTPPs translate into regulatory action against financial entities by their home competent authorities (NCAs).
This is a critical but often overlooked mechanism. The Lead Overseer supervises CTPPs directly — but it cannot directly sanction financial entities. That enforcement channel runs through Art.35: the Lead Overseer notifies competent authorities, who then act against the financial entities under their existing supervisory remit.
The Art.35 Notification Mechanism
Art.35(1): When the Lead Overseer identifies that a CTPP is not complying with DORA Chapter V requirements, it notifies the relevant competent authorities of the findings and the remediation measures it has recommended.
Art.35(2): Upon receiving this notification, competent authorities must:
- Assess the risk to individual financial entities caused by the CTPP's non-compliance
- Require financial entities to take all appropriate measures to address the risk — which can include suspending, restricting, or terminating the relevant contractual arrangements with the CTPP
- Report back to the Lead Overseer on the measures taken
When Competent Authorities Can Require Contract Termination
Art.35(3) specifies conditions under which competent authorities can require financial entities to terminate CTPP contracts:
- The CTPP has committed a serious, repeated, or systemic violation of DORA requirements
- The CTPP has failed to implement Lead Overseer recommendations within the specified timeline
- The CTPP poses an ongoing risk to the financial stability of a Member State or the EU
- The CTPP has obstructed the Lead Overseer's oversight activities
Contract termination under Art.35 is a last resort — but it is real. The DORA legislative history is explicit: the oversight framework is only credible if the threat of forced contract termination exists. For financial entities, this means that CTPP status (and CTPP compliance health) must be a contractual due diligence factor, not just a procurement checkbox.
Financial Entity Obligations Under Art.35
Financial entities are not passive recipients of Art.35 notifications. They must:
- Maintain CTPP contract register — so competent authorities can quickly identify which entities are affected when a CTPP is found non-compliant
- Build CTPP substitutability assessment — demonstrating that they can switch to an alternative provider if forced termination occurs
- Include Art.35 termination rights in contracts — so they can act on competent authority instructions without facing contractual liability
- Monitor CTPP compliance health — proactively, not just waiting for Art.35 notifications
from enum import Enum
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
class CTPPComplianceStatus(Enum):
COMPLIANT = "COMPLIANT"
UNDER_INVESTIGATION = "UNDER_INVESTIGATION"
RECOMMENDATION_ISSUED = "RECOMMENDATION_ISSUED"
REMEDIATION_IN_PROGRESS = "REMEDIATION_IN_PROGRESS"
REPEATED_VIOLATION = "REPEATED_VIOLATION"
TERMINATION_RISK = "TERMINATION_RISK"
@dataclass
class CTPPContractEntry:
ctpp_name: str
lead_overseer: str # EBA, ESMA, or EIOPA
contract_start: date
annual_spend_eur: float
criticality: str # "CRITICAL", "IMPORTANT", "STANDARD"
substitutability_plan: bool = False
art35_termination_clause: bool = False
compliance_status: CTPPComplianceStatus = CTPPComplianceStatus.COMPLIANT
last_oversight_update: Optional[date] = None
def termination_risk_flag(self) -> bool:
return self.compliance_status in (
CTPPComplianceStatus.REPEATED_VIOLATION,
CTPPComplianceStatus.TERMINATION_RISK,
)
def contract_gap_report(self) -> list[str]:
gaps = []
if not self.substitutability_plan:
gaps.append("No substitutability assessment documented (Art.35(2) risk)")
if not self.art35_termination_clause:
gaps.append("Contract lacks Art.35 forced-termination clause (competent authority instruction gap)")
if self.termination_risk_flag():
gaps.append(f"CTPP compliance status: {self.compliance_status.value} — escalate to Risk Committee")
return gaps
class CTPPRegister:
def __init__(self):
self.entries: list[CTPPContractEntry] = []
def add(self, entry: CTPPContractEntry):
self.entries.append(entry)
def at_risk_cttpps(self) -> list[CTPPContractEntry]:
return [e for e in self.entries if e.termination_risk_flag()]
def missing_substitutability(self) -> list[CTPPContractEntry]:
return [e for e in self.entries if e.criticality == "CRITICAL" and not e.substitutability_plan]
def compliance_dashboard(self) -> dict:
return {
"total_cttpps": len(self.entries),
"at_termination_risk": len(self.at_risk_cttpps()),
"missing_substitutability_plans": len(self.missing_substitutability()),
"contracts_missing_art35_clause": sum(1 for e in self.entries if not e.art35_termination_clause),
}
Oversight Fees: CDR (EU) 2024/2819
DORA Art.43 authorises the ESAs to charge oversight fees to designated CTPPs. The fee regime is operationalised in Commission Delegated Regulation (EU) 2024/2819 of 13 September 2024 (published in the Official Journal 25 October 2024).
Fee Calculation Methodology
CDR 2024/2819 establishes a tiered turnover-based fee structure:
Base fee — calculated as a percentage of the CTPP's annual worldwide net turnover from ICT services relevant to financial entities:
| Annual Net Turnover (ICT services to financial entities) | Annual Oversight Fee Rate |
|---|---|
| Up to €100 million | 0.4% |
| €100m – €500m | 0.3% (on marginal band) |
| €500m – €1 billion | 0.2% (on marginal band) |
| Over €1 billion | 0.1% (on marginal band) |
The fee is capped at €3 million per year per CTPP, per Lead Overseer. Where a CTPP has multiple Lead Overseers (cross-sector), it pays a fee to each — subject to the cap for each.
Variable component — additional fee for extraordinary oversight activities:
- General investigations: up to €0.5 million per investigation
- On-site inspections: up to €0.3 million per inspection facility
- Unannounced inspections: 150% of announced inspection rate
Practical Implications for CTPPs
The fee structure creates incentives:
-
Cooperate with oversight to avoid extraordinary fees — investigations and inspections that are triggered by non-cooperation attract variable charges on top of the base fee.
-
Volume-tiered rates favour scale efficiency — a CTPP with €2 billion in relevant turnover pays a marginal rate of 0.1% on the top band, versus 0.4% on the first €100 million. Large CTPPs pay proportionately less per euro of revenue.
-
Fee is per Lead Overseer — a CTPP with EBA and ESMA oversight pays two base fees (subject to two caps). This makes the combined fee exposure potentially €6 million annually for a cross-sector CTPP.
from dataclasses import dataclass
@dataclass
class CTPPFeeCalculator:
"""CDR 2024/2819 oversight fee estimator for designated CTPPs."""
annual_turnover_eur: float # relevant ICT services to financial entities
lead_overseers: int = 1 # 1, 2, or 3 (EBA + ESMA + EIOPA)
general_investigations: int = 0
on_site_inspections: int = 0
unannounced_inspections: int = 0
BASE_FEE_TIERS = [
(100_000_000, 0.004), # 0–100m at 0.4%
(400_000_000, 0.003), # 100m–500m at 0.3%
(500_000_000, 0.002), # 500m–1bn at 0.2%
(float('inf'), 0.001), # >1bn at 0.1%
]
BASE_FEE_CAP = 3_000_000
INVESTIGATION_FEE = 500_000
INSPECTION_FEE = 300_000
UNANNOUNCED_MULTIPLIER = 1.5
def base_fee_single_overseer(self) -> float:
fee = 0.0
remaining = self.annual_turnover_eur
for band_size, rate in self.BASE_FEE_TIERS:
applicable = min(remaining, band_size)
fee += applicable * rate
remaining -= applicable
if remaining <= 0:
break
return min(fee, self.BASE_FEE_CAP)
def variable_fees(self) -> float:
return (
self.general_investigations * self.INVESTIGATION_FEE
+ self.on_site_inspections * self.INSPECTION_FEE
+ self.unannounced_inspections * self.INSPECTION_FEE * self.UNANNOUNCED_MULTIPLIER
)
def total_annual_fee(self) -> float:
base = self.base_fee_single_overseer() * self.lead_overseers
variable = self.variable_fees()
return base + variable
def fee_report(self) -> str:
base = self.base_fee_single_overseer()
variable = self.variable_fees()
total = self.total_annual_fee()
return (
f"CTPP Oversight Fee Estimate (CDR 2024/2819)\n"
f" Turnover (ICT/financial entities): €{self.annual_turnover_eur:,.0f}\n"
f" Base fee (per overseer): €{base:,.0f}\n"
f" Lead Overseers: {self.lead_overseers} × €{base:,.0f} = €{base * self.lead_overseers:,.0f}\n"
f" Variable fees (investigations/inspections): €{variable:,.0f}\n"
f" TOTAL ANNUAL FEE: €{total:,.0f}\n"
)
# Example: large cross-sector CTPP
calc = CTPPFeeCalculator(
annual_turnover_eur=1_200_000_000, # €1.2bn relevant turnover
lead_overseers=2, # EBA + ESMA
general_investigations=1,
on_site_inspections=2,
)
print(calc.fee_report())
# Output: ~€3.6m base + €1.1m variable = ~€4.7m total annual
DORA × NIS2 × GDPR Oversight Powers Cross-Mapping
The Art.32–35 oversight framework does not exist in isolation. CTPPs providing services to EU financial entities also operate under NIS2 (as essential or important entities) and GDPR (as data processors). Understanding how these frameworks interact prevents duplicative compliance work and identifies gaps.
| Oversight Dimension | DORA Art.32–35 | NIS2 Art.32–33 | GDPR Art.58 |
|---|---|---|---|
| Regulator | ESA Lead Overseer | NCA (national) | Data Protection Authority |
| Subject | CTPPs (designated) | Essential/Important Entities | Data controllers/processors |
| Oversight plan | Annual (Art.32(2)) | Risk-based (no fixed schedule) | No formal plan requirement |
| Information requests | 30 working days | NCA-defined | 30 days (GDPR Art.57(3)) |
| On-site inspections | 48h notice / unannounced | NCA discretion | With/without notice |
| Annual fee | Yes (CDR 2024/2819) | No | No |
| Max sanction | 1% daily turnover × 6 months (Art.42(6)) | €10m or 2% global turnover | €20m or 4% global turnover |
| Follow-up to financial entities | Art.35 → NCA → financial entity | Not applicable | Not applicable |
Lex specialis: DORA Recital 16 confirms DORA takes precedence over NIS2 for financial entities and their CTPP relationships. However, NIS2 applies to the CTPP as an entity in its own right — a cloud provider that is both a CTPP under DORA and an essential entity under NIS2 must comply with both frameworks concurrently.
Key divergence — NIS2 Art.33 reactive supervision vs DORA Art.32 proactive oversight: NIS2 supervision is largely incident-triggered. DORA Art.32 oversight is continuous and structured around the annual oversight plan. CTPPs moving from NIS2-style compliance to DORA compliance must operationalise a fundamentally different relationship with their regulator.
Common Compliance Failures Under Art.32–35
Based on DORA supervisory guidance (EBA, ESMA, EIOPA Q4 2025 implementation guidance) and industry analysis, six failure patterns dominate early CTPP oversight cycles:
1. Treating oversight as audit, not supervision CTPPs often approach Lead Overseer interactions as point-in-time audits — prepare a document pack, submit it, wait for findings. DORA Art.32 oversight is relationship-based and continuous. CTPPs need a dedicated regulatory affairs function, not an annual audit response team.
2. Inadequate regulatory document library Information requests under Art.33(2)(a) are issued with 30-day deadlines. CTPPs that keep ICT risk documentation scattered across internal wikis, SharePoint sites, and individual team drives routinely fail to respond completely within the deadline. Build a versioned, access-controlled regulatory response library before the first information request arrives.
3. No sub-CTPP inventory for on-site inspections On-site inspectors can follow the outsourcing chain. A CTPP that has not maintained a complete sub-CTPP inventory (required under Art.31(12)) will be unable to respond to inspection questions about sub-outsourcing controls. The sub-CTPP register is a live document, not a one-time submission.
4. Missing Art.35 termination clauses in contracts with financial entities Financial entities increasingly require CTPP contracts to include Art.35 forced-termination clauses (competent authority instruction to terminate). CTPPs that do not include these clauses are losing procurement advantages as financial entities treat their absence as a compliance gap.
5. Underestimating oversight fee exposure CTPPs budgeting for DORA compliance routinely underestimate the oversight fee (CDR 2024/2819). A CTPP with €500m relevant turnover and two Lead Overseers faces a base annual fee of approximately €3.4m — plus variable fees for any investigations triggered by non-cooperation.
6. Failing to appoint an EU legal representative (Art.34) Non-EEA CTPPs that operate through EU subsidiaries sometimes assume the subsidiary is the legal representative. DORA Art.34 requires an explicit designation — a subsidiary is not automatically the legal representative unless formally appointed and notified to the Lead Overseer.
The Complete DORA Chapter V Oversight Chain
Understanding where Art.32–35 sits in the full oversight architecture prevents the common mistake of treating it as standalone. The full chain:
Designation (Art.31) → Oversight Plan (Art.32) → Investigation Tools (Art.33)
↓ ↓ ↓
CTPP identified Annual programme Documents / Interviews / On-site
↓ ↓
Non-EEA extension (Art.34) Recommendations (Art.42)
↓
NCA notification (Art.35)
↓
Financial entity action
(suspend / restrict / terminate contract)
25-Item CTPP Art.32–35 Compliance Checklist
Category 1: Oversight Plan Readiness (Art.32)
- OVR-01 Designated oversight plan liaison in senior management (not just legal/compliance)
- OVR-02 Annual oversight plan consultation process documented
- OVR-03 JOC coordination protocol established (if multi-sector CTPP)
- OVR-04 Oversight plan history archived (year-over-year trend visibility)
- OVR-05 Internal oversight plan linked to ICT risk management calendar
Category 2: Information Request Response (Art.33(2)(a))
- INF-01 Regulatory document library created with 30-day response SLA
- INF-02 ICT risk policy documents version-controlled and current (<12 months)
- INF-03 Incident register accessible to regulatory response team
- INF-04 Sub-CTPP register current and maintained (<30 days stale)
- INF-05 Audit reports (ISO 27001, SOC 2) pre-assembled for rapid extraction
- INF-06 BCP/DR documentation accessible without facility access
Category 3: General Investigation Readiness (Art.33(2)(b))
- INV-01 Interview facilitation protocol for senior staff (CISO, CTO, Head of Risk)
- INV-02 System access protocol for read-only investigator review established
- INV-03 Log export capability verified (SIEM, configuration management DB)
- INV-04 Legal hold process activated on investigator request
Category 4: On-Site Inspection Readiness (Art.33(2)(c))
- OSI-01 Inspection readiness pack prepared per facility type (HQ, DC, NOC, SOC)
- OSI-02 48-hour response protocol tested (who to call, what to prepare)
- OSI-03 Physical security documentation pre-assembled
- OSI-04 Secure inspection room available at primary data centre
Category 5: Non-EEA Operations (Art.34)
- NEU-01 EU legal representative formally appointed and Lead Overseer notified
- NEU-02 Third-country supervisory cooperation protocol documented
- NEU-03 Non-EEA facility inspection protocol agreed with local authority
Category 6: Art.35 Follow-up and Financial Entity Interface
- FEI-01 Art.35 termination clause included in all CTPP/financial entity contracts
- FEI-02 Remediation plan template prepared (30-day turnaround)
- FEI-03 Art.42 supervisory measure response protocol rehearsed
Category 7: Oversight Fees (CDR 2024/2819)
- FEE-01 Annual oversight fee estimated and budgeted (use
CTPPFeeCalculator) - FEE-02 Fee payment process established per Lead Overseer
Conclusion
DORA Art.32–35 represents the operational teeth of the CTPP oversight framework. The oversight plan creates structure; information requests, general investigations, and on-site inspections provide the investigative toolkit; Art.34 extends reach to non-EEA operations; and Art.35 closes the loop by translating CTPP non-compliance into action against financial entities.
Three implementation priorities stand out for CTPPs entering their first oversight cycle:
Priority 1 — Build the regulatory document library first. Thirty working days to respond to an information request is not long for an organisation that has never assembled its ICT risk documentation in one place. The library is the foundation of all other oversight readiness.
Priority 2 — Model your oversight fee exposure. The CDR 2024/2819 fee regime is material for large CTPPs — potentially €3–7 million annually for a cross-sector provider. Cooperation reduces variable fees. Non-cooperation escalates them.
Priority 3 — Include Art.35 termination clauses proactively. Financial entities are already requiring them. CTPPs that resist these clauses are flagging compliance uncertainty in procurement negotiations — a commercial disadvantage that compounds over time.
The next posts in the DORA Chapter V series cover Art.36–39 (Joint Examination Teams, investigation procedures, and inspection protocols in detail) and Art.40–44 (oversight measures, periodic penalty payments, and the full enforcement ladder).
All references to DORA articles are to Regulation (EU) 2022/2554 as published in OJ L 333/1 (27.12.2022). CDR 2024/2819 (oversight fees) and CDR 2024/2886 (CTPP designation criteria) are Commission Delegated Regulations in force from January 2025. This post is for informational and compliance-preparation purposes and does not constitute legal advice.
See Also
- DORA Art.31 — CTPP Designation Criteria and Oversight Framework — Art.31 defines who becomes a CTPP; Art.32–35 defines how oversight is then structured and exercised
- DORA Art.36–39 — Joint Examination Teams and On-Site Inspection Protocols — Art.36–39 is the procedural execution layer that activates the Art.33–34 investigation powers
- DORA Art.40–44 — Oversight Measures, Third-Country Rules, Supervisory Fees, and Register — Art.40–44 defines what happens after findings: remediation, periodic penalties, and the Art.44 register obligation
- DORA Art.28–30 — ICT Third-Party Risk, Due Diligence, and Contractual Provisions — Pre-designation third-party risk framework that CTPP oversight builds upon