Article 36: Exercise of the powers of the Lead Overseer outside the Union
Article 36 allows the DORA Lead Overseer to conduct oversight activities on third-country premises of a critical ICT third-party service provider when interacting with the provider's EU subsidiary (the one set up under Article 31(12)) and oversight on premises located in the Union are not enough to attain the oversight objectives. Operationally, you must contract for cross-border audit/inspection support, maintain a regulator-response playbook, and retain evidence that overseas locations supporting EU financial entities can be examined. (Regulation (EU) 2022/2554, Article 36)
Key takeaways:
- Build contractual and operational “outside-the-Union access” into critical ICT third-party arrangements from day one. (Regulation (EU) 2022/2554, Article 36)
- Treat overseas data centers, SOCs, engineering hubs, and support sites as in-scope premises if they support services to EU financial entities. (Regulation (EU) 2022/2554, Article 36)
- Run readiness drills and keep a tight evidence pack so you can respond fast to oversight requests that involve third-country sites. (Regulation (EU) 2022/2554, Article 36)
Article 36 (exercise of the powers of the Lead Overseer outside the Union) is, in practice, a cross-border access requirement that surfaces whenever you depend on a critical ICT third-party service provider with operations outside the EU. The core idea is simple: if the Lead Overseer cannot attain its oversight objectives through (a) interacting with the provider’s EU subsidiary set up for DORA oversight purposes under Article 31(12) or (b) conducting oversight on premises located in the Union, then the Lead Overseer may exercise its powers on relevant premises located in a third country that are owned, or used in any way, by the critical ICT third-party service provider to deliver services to Union financial entities. (Regulation (EU) 2022/2554, Article 36)
For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalization is not legal debate. It is execution: identify the third-country premises that matter, make sure your contracts and operating model allow access and cooperation, and set up a regulator-response workflow that can coordinate Legal, Security, Procurement, and the third party under pressure. This page gives you a requirement-level implementation blueprint you can put into your third-party risk management and DORA oversight readiness program with minimal translation.
Regulatory text
Excerpt (provided): “When oversight objectives cannot be attained by means of interacting with the subsidiary set up for the purpose of Article 31(12), or by exercising oversight activities on premises located in the Union, the Lead Overseer may exercise the powers … on any premises located in a third-country which is owned, or used in any way, for the purposes of providing services to Union financial entities, by a critical ICT third-party service provider …” (Regulation (EU) 2022/2554, Article 36)
Plain-English interpretation
- If an ICT third party is designated “critical” under DORA, regulators are not limited to EU locations to perform oversight. When EU-based routes are insufficient, the Lead Overseer can extend oversight activity to third-country premises used to provide services to EU financial entities. (Regulation (EU) 2022/2554, Article 36)
- “Premises” is broader than “data center.” In practice, assume it can include offices and facilities that materially support delivery: operations centers, SOCs, SRE/engineering hubs, service desks, and third-party subcontractor sites when they are used to deliver the service. Align this assumption to your contract scope and your internal definition of service delivery locations. (Regulation (EU) 2022/2554, Article 36)
- Your job is to remove friction. If oversight must happen outside the EU, you need pre-agreed access rights, a clear response process, and retained evidence that demonstrates control operation and cooperation capacity. (Regulation (EU) 2022/2554, Article 36)
Who it applies to
Entities in scope (directly and indirectly)
- Critical ICT third-party service providers (CTPPs): Directly impacted, because their third-country premises may be subject to Lead Overseer powers when EU-based oversight is insufficient. (Regulation (EU) 2022/2554, Article 36)
- Union financial entities that rely on CTPPs: Indirectly impacted, because your outsourcing/third-party governance must not create blockers to the provider cooperating with the Lead Overseer outside the Union. You will be asked how your contracting, governance, and monitoring support that outcome. (Regulation (EU) 2022/2554)
Operational contexts that trigger attention
Treat Article 36 as “high likelihood” when:
- The service is delivered from a global footprint (non-EU primary hosting, non-EU SOC, non-EU engineering/on-call).
- The provider’s EU subsidiary exists but has limited operational control (common with large cloud/SaaS structures).
- Key records, staff, tooling, or logs needed for oversight are managed outside the EU. (Regulation (EU) 2022/2554, Article 36)
What you actually need to do (step-by-step)
1) Identify and document “third-country premises supporting EU services”
Create a premises register for each critical ICT third party that includes:
- Site type (data center, SOC, NOC, service desk, engineering hub, backup/DR site).
- What service components are delivered from there.
- What data, logs, and admin functions reside there.
- Whether the premises are owned by the third party or “used in any way” (leased space, shared facilities, key subcontractors). (Regulation (EU) 2022/2554, Article 36)
Operator tip: If you can’t get a facility list from the provider, start from architecture diagrams, support operating model documents, and incident postmortems. Those documents usually reveal the real “premises that matter.”
2) Build Article 36 access and cooperation into contracting and governance
Your contract set (MSA + DPA + security addendum + audit/assurance terms) should clearly support:
- Cooperation with competent authorities/Lead Overseer oversight where legally permitted.
- Audit/inspection support for in-scope premises used to deliver services to EU financial entities, including those outside the Union, when oversight objectives cannot otherwise be met. (Regulation (EU) 2022/2554, Article 36)
Where providers resist “physical access,” negotiate practical equivalents that still meet oversight objectives: structured evidence production, independent certifications plus scoped supporting evidence, secure virtual walkthroughs, and named points of contact for regulator engagement. Keep the emphasis on outcomes: enable oversight to happen without delay.
3) Implement a regulator/Lead Overseer response workflow
Stand up a documented workflow that covers:
- Intake channels (who receives formal requests; how they are logged).
- Triage and scope confirmation (what is being requested; which premises; which service line).
- Legal and compliance review (confidentiality, privilege, local law conflicts).
- Third-party engagement (single-threaded communications; escalation contacts).
- Evidence production and quality control (version control, redaction rules, translation needs).
- Remediation tracking when findings are issued (ownership, deadlines, validation evidence). (Regulation (EU) 2022/2554, Article 36)
Daydream fit: Many teams fail on coordination, not intent. Daydream can act as the operating layer for a single register that maps Article 36 to owners, controls, and evidence artifacts, and for a regulator-response workflow with approvals and audit trails.
4) Run readiness drills focused on “outside-the-Union” scenarios
Design tabletop exercises that specifically test:
- A request for an overseas SOC walkthrough and proof of monitoring coverage.
- A request for records/logs that are generated and stored outside the EU.
- A request that involves a subcontractor premise used for service delivery. (Regulation (EU) 2022/2554, Article 36)
Make the drill output concrete: gap list, remediation tasks, and evidence pack improvements.
5) Maintain a living evidence pack per critical ICT third party
Keep a curated, exportable pack that covers:
- Premises register and service-delivery mapping.
- Most recent assurance reports/certifications the provider can share.
- Security and resilience documentation (incident processes, BCP/DR overview, monitoring and logging overview).
- Contact list and escalation tree for cross-border oversight coordination.
- Prior oversight requests and how they were fulfilled (with dates, scope, artifacts). (Regulation (EU) 2022/2554, Article 36)
Required evidence and artifacts to retain
Use this as your minimum evidence checklist (tailor per provider criticality):
| Evidence artifact | What auditors/examiners look for | Owner |
|---|---|---|
| Third-country premises register tied to EU services | Proof you know which overseas locations are in scope under Article 36 | TPRM / IT / Security |
| Contract clauses supporting cooperation and oversight | No contractual blockers to Lead Overseer actions outside the Union | Legal / Procurement |
| Regulator-response SOP + RACI | Clear accountability across Compliance, Legal, Security, and vendor owners | Compliance |
| Evidence production log (requests, responses, approvals) | Traceability and control of sensitive disclosures | Compliance / Legal |
| Remediation tracker for oversight findings | Closure discipline with validation evidence | IT Risk / Security |
| Drill records (agenda, attendees, gaps, actions) | Proof the workflow works under time pressure | GRC / BCM |
Common exam/audit questions and hangups
Expect questions like:
- “Which non-EU premises support your critical ICT services to EU financial entities, and how do you know?” (Regulation (EU) 2022/2554, Article 36)
- “Show us contract language that allows the provider to cooperate with the Lead Overseer for overseas premises.” (Regulation (EU) 2022/2554, Article 36)
- “Walk through your process for handling an oversight request that involves a third-country data center or SOC.” (Regulation (EU) 2022/2554, Article 36)
- “How do you manage local law conflicts (state secrecy, labor rules, site access restrictions) without blocking oversight objectives?” (Regulation (EU) 2022/2554, Article 36)
Typical hangup: teams rely on generic “right to audit” clauses that only contemplate customer audits, not regulator/Lead Overseer activity, and not overseas premises.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating the EU subsidiary as the full control plane.
  Fix: Document where operational control actually sits (people, logs, tooling) and align your premises register to reality. (Regulation (EU) 2022/2554, Article 36)
- Mistake: Assuming “premises” means “owned data centers only.”
  Fix: Include leased sites and key subcontractor facilities used to deliver the service. Use the “used in any way” language as your scoping trigger. (Regulation (EU) 2022/2554, Article 36)
- Mistake: No repeatable evidence production process.
  Fix: Create an evidence log, approval checkpoints, and a standard index of artifacts. Run drills to test it. (Regulation (EU) 2022/2554, Article 36)
- Mistake: Overpromising access you cannot actually get.
  Fix: Validate contract rights against the provider’s real operating model. If physical entry is unrealistic, negotiate oversight-friendly alternatives and document how oversight objectives will be met. (Regulation (EU) 2022/2554, Article 36)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this specific article, so this page does not summarize cases. (Regulation (EU) 2022/2554)
Risk implications you should plan for anyway:
- Regulatory friction risk: If oversight cannot be executed efficiently because your third-party arrangements block access to third-country premises, your institution can face supervisory escalation, remediation actions, and potential restrictions on the arrangement depending on broader DORA oversight outcomes. Keep your posture cooperative and documentable. (Regulation (EU) 2022/2554, Article 36)
- Operational concentration risk: Global providers concentrate critical functions in a small number of non-EU sites. Treat those sites as high priority in resilience, incident response integration, and evidence readiness. (Regulation (EU) 2022/2554)
Practical execution plan (30/60/90-day)
Time-boxing is guidance to create momentum. Adjust based on your contracting cycle and provider responsiveness.
First 30 days (Immediate)
- Name accountable owners: TPRM lead, Legal, Security, ICT risk, and business/service owner for each critical ICT third party.
- Build the first version of the third-country premises register for your top critical ICT third parties.
- Draft the regulator-response SOP, including intake, approvals, evidence handling, and escalation paths. (Regulation (EU) 2022/2554, Article 36)
By 60 days (Near-term)
- Close contracting gaps for new deals and renewals: cooperation language, regulator engagement support, and clarity on overseas premises in scope.
- Create an “evidence index” per provider (what exists, where stored, who can export it).
- Run one drill focused on a third-country SOC or data center request; track remediations to closure. (Regulation (EU) 2022/2554, Article 36)
By 90 days (Operationalize)
- Expand premises mapping to subcontractors that materially support the service.
- Implement a standing cadence with critical ICT third parties to refresh premises lists and operating model changes.
- Put the Article 36 mapping, owners, and evidence artifacts into a single control register (Daydream can centralize this), and test retrieval speed under simulated oversight conditions. (Regulation (EU) 2022/2554, Article 36)
Frequently Asked Questions
Does Article 36 apply to every third party we use?
No. It is written for situations involving a critical ICT third-party service provider and the Lead Overseer’s oversight objectives. Your operational response still matters because your third-party governance can either enable or block cooperation. (Regulation (EU) 2022/2554, Article 36)
What counts as “premises” outside the Union?
Article 36 covers any premises in a third country that are owned or “used in any way” to provide services to Union financial entities. Treat operational hubs (SOCs, service desks, engineering on-call locations) as candidates, not just data centers. (Regulation (EU) 2022/2554, Article 36)
Our provider says regulators can’t visit non-EU sites. What do we do?
Don’t accept a dead end. Escalate through Legal and Procurement to negotiate oversight-friendly mechanisms that still meet oversight objectives, and document the agreed approach in contractual terms and operating procedures. (Regulation (EU) 2022/2554, Article 36)
Do we need a separate policy just for Article 36?
Usually no. Most teams fold Article 36 into third-party risk management, contracting standards, and the regulator-response process. The non-negotiable is having clear ownership, a tested workflow, and an evidence pack tied to third-country premises. (Regulation (EU) 2022/2554, Article 36)
What evidence should we be able to produce quickly?
Start with the premises register linked to EU service delivery, contract language that supports cooperation, and a tracked log of prior requests/drills and remediation closure. Examiners focus on proof of execution, not slideware. (Regulation (EU) 2022/2554, Article 36)
How should we operationalize this in a GRC tool?
Map Article 36 to discrete controls (premises mapping, contracting clauses, response workflow, drills, evidence retention) with named owners and a single evidence index per critical ICT third party. Daydream works well when you need that mapping plus an auditable regulator-response workflow in one place. (Regulation (EU) 2022/2554, Article 36)