Article 39: Inspections
The Article 39 inspections requirement means you must be ready for a DORA Lead Overseer (with a joint examination team) to conduct onsite or off-site inspections of an ICT third-party service provider’s premises, land, or property. Operationalize this by embedding inspection rights and access logistics into contracts, building an inspection response runbook, and maintaining inspection-ready evidence. (Regulation (EU) 2022/2554, Article 39)
Key takeaways:
- Contract for inspection access early, or you will not be able to comply in practice. (Regulation (EU) 2022/2554, Article 39)
- Treat inspections like an exam: defined owners, a response workflow, and a current evidence pack beat ad hoc scrambling.
- Inspection readiness is a third-party risk control, not a one-time legal review.
Article 39 sits inside DORA’s oversight regime for critical ICT third-party service providers. The text is short, but the operational implication is big: supervisors can show up (or request information remotely) and expect access to relevant premises and operational proof points. If your organization relies on ICT third parties, this requirement becomes real the moment a provider is under oversight and your services depend on that provider’s environments, processes, and controls. (Regulation (EU) 2022/2554, Article 39)
For a CCO, GRC lead, or Compliance Officer, the fastest path to readiness is to translate “may conduct onsite and off-site inspections” into three concrete capabilities: (1) contractual and practical access paths to the third party, (2) an internal regulatory-response workflow that can coordinate Legal, Procurement, Security, and the business, and (3) a maintained set of evidence artifacts that demonstrates how ICT risk is managed and how issues are remediated. (Regulation (EU) 2022/2554, Article 39)
This page gives you requirement-level guidance you can execute: what the rule requires, who it hits, how to set up the workflow, what evidence to retain, and where teams routinely fail during supervisory interactions.
Regulatory text
Excerpt (provided): “In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the joint examination teams referred to in Article 40(1), may enter in, and conduct all necessary onsite inspections on, any business premises, land or property of the ICT third-party service providers, such as head offices, operation centres, secondary premises, as well as to conduct off-site inspections.” (Regulation (EU) 2022/2554, Article 39)
Operator interpretation (what you must be able to do):
- Ensure your ICT third-party service providers can accommodate onsite inspections across relevant locations and can support off-site inspections (document requests, interviews, evidence production). (Regulation (EU) 2022/2554, Article 39)
- Ensure you can cooperate quickly and consistently, because inspection timing and scope are driven by supervisory need, not by your internal calendar. (Regulation (EU) 2022/2554, Article 39)
This article grants supervisory authority and access rights. Your operational duty is to remove friction: contract terms, access logistics, evidence availability, and coordinated response.
Plain-English interpretation of the Article 39 inspections requirement
Supervisors (the Lead Overseer and joint examination teams) can inspect ICT third-party service providers onsite (physically) and off-site (remotely). They can inspect business premises and other property such as operations centers and secondary sites. (Regulation (EU) 2022/2554, Article 39)
For you, this translates to: if a key ICT provider is in scope for oversight, your governance and contracting must not block inspection access, and your third-party oversight must produce coherent evidence on demand.
Who it applies to (entity and operational context)
Directly applies to:
- ICT third-party service providers that may be subject to the Lead Overseer’s duties and inspections. (Regulation (EU) 2022/2554, Article 39)
Operationally affects (indirect but practical impact):
- Regulated financial entities that depend on those ICT third parties. Your outsourcing, third-party risk management, and service ownership functions need to ensure inspection readiness is possible without renegotiation under pressure. (Regulation (EU) 2022/2554, Article 39)
Where this shows up in real work:
- Cloud and hosting arrangements, managed security services, core banking/market infrastructure software hosting, critical SaaS platforms, and any provider where service continuity and security controls are material to your ICT risk profile. (Regulation (EU) 2022/2554, Article 39)
What you actually need to do (step-by-step)
1) Identify the inspection-relevant third parties and services
Create and maintain a shortlist of ICT third parties where an inspection could matter operationally: critical services, sensitive data processing, or operational dependency. Tie each third party to: service owner, contract owner, and GRC owner.
Minimum output: an “inspection-relevant third parties” register that points to contracts, sites, and evidence owners.
2) Contract for access and cooperation (before you need it)
For each inspection-relevant third party, confirm the contract (or addendum) supports:
- Cooperation with onsite inspections of relevant premises and operational locations. (Regulation (EU) 2022/2554, Article 39)
- Cooperation with off-site inspections, including document production and interviews. (Regulation (EU) 2022/2554, Article 39)
- Practical logistics: visitor access process, security escorting rules, permitted devices, and rules for copying/exporting evidence.
Hangup to address early: providers often allow “audit reports” but resist “onsite inspections.” Article 39 language is about supervisory inspections at the provider. If your contract has restrictive audit language, you may end up with a compliance commitment you cannot execute in practice. (Regulation (EU) 2022/2554, Article 39)
3) Build a regulatory-response workflow for inspections
Stand up a workflow that works under time pressure:
- Intake channel: where inspection notices / requests arrive (Compliance inbox, GRC tool queue).
- Triage: classify onsite vs off-site inspection, impacted services, and stakeholders. (Regulation (EU) 2022/2554, Article 39)
- RACI: who approves what (Legal for communications, Security for evidence scope, Procurement for third-party coordination, Business owner for operational access).
- Response SLAs (internal): define “same-day acknowledgment” and “tracked delivery dates” as internal commitments (don’t promise timelines to the supervisor until Legal approves).
- Single source of truth: all requests, responses, evidence submissions, and follow-ups logged in one place.
Daydream fit (earned mention): teams often fail because evidence and ownership are fragmented across Security, Procurement, and service teams. A system like Daydream becomes useful when it acts as the request tracker plus the evidence index, so you can answer “what did we provide, when, approved by whom” without stitching emails together.
4) Prepare an inspection-ready evidence pack (and keep it current)
Build an evidence pack per critical third party and per critical service. Keep it “audit ready,” meaning: versioned, dated, owner-identified, and retrievable quickly.
Include (at minimum):
- Service description and architecture overview (high level, but accurate).
- Control mapping to your ICT risk expectations and contractual commitments.
- Incident management interface: how incidents are reported, escalated, and closed with the third party.
- Testing and assurance: what was tested, issues found, remediation status, validation proof.
- Subcontractor/chain dependencies (if you track them as part of service delivery).
This aligns with the practical expectation in DORA oversight: demonstrable operation and remediation discipline, not just policy statements. (Regulation (EU) 2022/2554, Article 39)
5) Run readiness drills and fix gaps through tracked remediation
Do tabletop drills that simulate:
- An onsite inspection request at a named third party location. (Regulation (EU) 2022/2554, Article 39)
- An off-site document request with short turnaround. (Regulation (EU) 2022/2554, Article 39)
Track findings as corrective actions with owners, due dates, and closure evidence. Keep closure evidence (screenshots, tickets, retest results) attached to the action item.
Required evidence and artifacts to retain
Keep artifacts that prove you can enable and manage inspections end-to-end:
Governance & ownership
- Inspection readiness policy/standard or procedure (internal).
- RACI for inspection response and third-party coordination.
- Contact lists: internal SMEs and third-party points of contact.
Contracting & access
- Executed contracts/addenda with inspection cooperation language aligned to onsite/off-site needs. (Regulation (EU) 2022/2554, Article 39)
- Site access process documentation (badging, escorts, visitor rules) from the third party.
Operational proof
- Evidence index (a catalog of artifacts, with owners and refresh cadence).
- Prior assurance artifacts you rely on (reports, attestations) and your review notes.
- Incident records and post-incident actions involving the third party.
- Remediation tracking log and validation evidence.
Response management
- Inspection request log (requests received, triage notes, submissions, approvals).
- Communication approval record (Legal sign-off and final submitted package).
Common exam/audit questions and hangups
Expect these themes:
- “Show me you can support an onsite inspection.” Auditors will look for contract language plus a tested access process at the provider. (Regulation (EU) 2022/2554, Article 39)
- “Who owns the relationship and who can produce evidence?” If Procurement “owns the contract” but Security “owns the controls,” a missing RACI causes delays.
- “What did you test, what failed, what did you fix?” A pile of reports is not a remediation program. Keep corrective action tracking and closure evidence.
- “How do you control messaging and privilege?” Legal will want a defined review process so you do not disclose inconsistent statements or privileged material by accident.
Frequent implementation mistakes (and how to avoid them)
- Mistake: treating inspections as a pure third-party clause negotiation. Fix: pair contract language with site access runbooks and named operational contacts at the provider.
- Mistake: evidence scattered across shared drives, tickets, and inboxes. Fix: maintain a single evidence index with owners and “last updated” fields; store the authoritative copy in one controlled repository.
- Mistake: no rehearsal. Fix: run a drill that includes Procurement (to reach the provider), Security (to assemble evidence), Legal (to approve), and the service owner (to explain operations).
- Mistake: confusing “our premises” readiness with “provider premises” readiness. Fix: document the provider locations that matter (HQ, operations centers, secondary sites) and the access steps for each. (Regulation (EU) 2022/2554, Article 39)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.
Risk still concentrates in predictable places: inability to grant access, inability to produce coherent evidence quickly, and inconsistent communications across teams. These failures can escalate supervisory scrutiny, trigger follow-up requests, and create operational disruption during already stressful events.
Practical 30/60/90-day execution plan
First 30 days (foundation)
- Assign an Inspection Readiness Owner in Compliance/GRC and confirm Legal and Procurement counterparts.
- Build the inspection-relevant third-party shortlist and map each to service/contract/control owners.
- Review top contracts for onsite/off-site inspection cooperation and access logistics. (Regulation (EU) 2022/2554, Article 39)
- Stand up the inspection request log and workflow (even if it starts as a controlled spreadsheet + ticket queue).
Days 31–60 (operationalize)
- Draft and approve an inspection response runbook: intake, triage, evidence assembly, approvals, submission, and follow-ups.
- Build evidence packs for the highest-dependency services first; create the evidence index and owner assignments.
- Start remediating contract gaps through addenda playbooks and renewal triggers.
Days 61–90 (prove it works)
- Run at least one readiness drill for an off-site inspection request and one for an onsite scenario at a named provider site. (Regulation (EU) 2022/2554, Article 39)
- Convert drill findings into corrective actions and close the highest-risk items with validation evidence.
- Move from “documents exist” to “documents are governed”: versioning, refresh cadence, and approval checkpoints.
Frequently Asked Questions
Does Article 39 require my financial entity to host supervisors onsite?
Article 39 addresses inspections of ICT third-party service providers’ premises and also off-site inspections. Your operational obligation is to ensure your third-party arrangements do not prevent that access in practice. (Regulation (EU) 2022/2554, Article 39)
What’s the difference between an onsite and off-site inspection for planning purposes?
Onsite inspections require physical access logistics at the provider (badging, escorts, room access, site rules). Off-site inspections concentrate on fast, accurate evidence production, interviews, and controlled communications. (Regulation (EU) 2022/2554, Article 39)
Our provider says they only support “remote audits.” Is that enough?
Article 39 explicitly contemplates onsite inspections of provider premises, plus off-site inspections. Treat “remote-only” as a contracting and operational risk to address through addenda, escalation, or provider selection. (Regulation (EU) 2022/2554, Article 39)
What evidence should I prioritize if I can only build one inspection pack quickly?
Start with: service scope and architecture overview, security/control responsibilities, incident and escalation workflow, and a remediation tracker that shows issues close with proof. Those items answer most first-round supervisory questions.
Who should be the single point of contact during an inspection?
Name a Compliance/GRC coordinator for intake and tracking, with Legal as approval authority for external communications and Security as owner for technical evidence. Publish the RACI so requests do not bounce between teams.
How does Daydream help with Article 39 inspection readiness?
Use Daydream to maintain a single register that maps Article 39 expectations to named control owners and required evidence artifacts, then run the inspection-response workflow in one place so you can show request-to-response traceability under pressure.