Whitepaper Contents
DORA ESA On-Site Inspection: What to Prepare For
Highlights
- ESA on-site inspections target critical ICT third-party providers and every financial institution that depends on the inspected provider carries governance obligations from the findings.
- Inspection powers sit in Articles 35 and 39 of DORA, giving the Lead Overseer access to the CTPP's premises, ICT systems, staff, and management body. General investigation powers under Article 38 include the power to summon representatives of the critical ICT TPP for oral or written explanations, which is compulsory, and to interview other persons, which requires their consent.
- The pre-inspection notice is a governance window: the Lead Overseer's formal notice specifies inspection objectives and scope, giving financial entities time to verify that contractual obligations with the provider are being met.
- Major findings and oversight recommendations are issued by the Lead Overseer under Article 35(1)(d); remediation follow-up, including deadlines and interim measures, is governed under Article 36. Under Article 42, national competent authorities must inform financial entities of identified risks and financial entities must act on them.
- Post-inspection obligations are active: where a major finding is issued, financial entities must review contracts, update the register of information under Article 28(3), and brief the management body with a documented response.
- ESA on-site inspections mark a new phase of supervisory scrutiny for large institutions, one that starts at the critical provider and extends to every financial entity that depends on them.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about ESA on-site inspection readiness
“The gap we see most often is a mismatch between what contracts say and what governance evidence shows. When an ESA inspection surfaces a gap at the provider level, that is the moment regulators start asking what the financial entity's management body knew and when.”
Why ESA On-Site Inspections Are Different
General DORA audit preparation covers the internal audit and competent authority inspection that financial entities face as regulated firms. ESA on-site inspections of critical ICT third-party providers operate under a different legal basis, targeting a different subject. The financial entity plays a secondary role in the inspection process, though the findings land directly in its governance obligations.
The investigation and inspection powers sit in Chapter V, Section II of DORA. Article 35 sets out the Lead Overseer's general powers, including the authority to conduct general investigations under Article 38 and on-site inspections under Article 39. Article 36 covers the follow-up process after oversight activities. Article 42 establishes how national competent authorities respond when a Lead Overseer issues recommendations to a critical ICT TPP.
As at the date of publication, the ESAs have published their Guide on oversight activities for critical ICT third-party providers and designated the first cohort of CTPPs. Financial entities with critical ICT dependencies should treat on-site inspections as an active, ongoing governance obligation requiring continuous preparation.
How ESA Lead Overseers Trigger an On-Site Inspection
Under DORA Article 39, the Lead Overseer can conduct on-site inspections at any business premises of the critical ICT TPP, including offices, data centres, and outsourced facilities, with or without prior notice. In practice, the ESAs have indicated that advance notice is standard procedure. Unannounced inspections are reserved for specific circumstances, such as concerns about evidence preservation or cooperative conduct.
The trigger for an on-site inspection is not prescribed by DORA as a specific threshold event. The Lead Overseer has discretion to conduct inspections as part of regular oversight, in response to concerns raised by the Joint Oversight Network (JON), following analysis of information requests under Article 37, or in response to an ICT incident affecting multiple financial entities. Financial entities should assume that inspections will become a periodic feature of oversight for designated critical TPPs rather than a one-time onboarding event.
Before an inspection, the Lead Overseer issues a formal decision specifying the legal basis, the inspection's objectives, and the scope. For financial entities, this notice is significant. It signals which governance areas the ESA will examine in depth and provides a window to verify that contractual obligations are being met, the register of information is current, and internal oversight documentation is coherent.
Under Article 39(6), the formal decision must also specify the date the inspection will begin, the periodic penalty payments applicable under Article 35(6) if the CTPP does not cooperate, the legal remedies available to the CTPP, and its right to have the decision reviewed by the Court of Justice. Financial entities should seek sight of any inspection decision relating to a critical provider they depend on, as it defines the full scope and timeline of the examination and signals the enforcement consequences available to the Lead Overseer.
What the ESA Inspection Team Examines On the Day
An on-site inspection uses direct access to systems, staff, and physical infrastructure to verify whether information provided through off-site channels is accurate and complete. Under Article 39(4), inspections shall cover the full range of relevant ICT systems, networks, devices, information, and data either used for, or contributing to, the provision of ICT services to financial entities.
ICT Infrastructure and System Access
Inspectors can examine the physical and logical infrastructure through which the critical TPP delivers services to financial entities. This includes data centre architecture, network segmentation controls, access management systems, change management processes, and backup and recovery infrastructure. The inspection extends beyond documentation: inspectors can observe live system configurations and request demonstrations of controls.
For financial entities, the controls described in contractual agreements with the provider must reflect what the inspection team will actually observe. Where contracts include performance or security obligations, institutions should verify, through their own audit rights under Article 30(3)(e), that those obligations are being met before an ESA inspection identifies a gap.
Business Continuity and Resilience Testing
Article 39 permits inspectors to examine the critical TPP's business continuity plans and the results of resilience testing. This includes threat-led penetration testing (TLPT) participation records where relevant, recovery time objectives (RTOs) and recovery point objectives (RPOs) tested against actual recovery capabilities, and the results of scenario-based exercises.
Where financial entities have participated in TLPT exercises under DORA Article 26 that involved the critical TPP as a material system, the inspection team may examine the TPP's TLPT records in parallel with the financial entity's own test documentation. The two sets of evidence should be consistent.
Sub-Outsourcing Chain
Article 39 permits inspection of the premises and records of subcontractors used by the critical TPP to deliver services to financial entities, where those subcontractors are material to the service. The ESA is not limited to what the critical TPP holds itself. It can follow the supply chain.
For financial entities, the contractual chain must flow through. Article 30(3) requires financial entities to ensure their contracts with ICT TPPs include sub-outsourcing provisions. Where a critical TPP's material subcontractor has no DORA-aligned contractual relationship with the TPP, the inspection is likely to surface it as a finding, and the financial entity will be expected to address the gap in its own governance of the relationship.
Which Staff Get Interviewed and How to Brief Them
Under DORA Article 38, the Lead Overseer's general investigation powers include the power to summon representatives of the critical ICT TPP for oral or written explanations, and to interview other persons who consent. Summons of TPP representatives are compulsory; interviews of other individuals require their consent. In practice, inspections focus on personnel with functional responsibility for the services provided to financial entities: the service delivery and operations leadership, the CISO and security architecture team, the business continuity manager, and key relationship managers who interface with regulated client entities.
For Critical ICT TPP Personnel
Inspection interviews assess whether the personnel who own ICT risk and resilience functions understand the regulatory framework applying to the services they deliver, and whether their understanding matches the documentation the ESA has received. Common interview themes include: how the critical TPP identifies, classifies, and escalates ICT incidents affecting financial entity clients; what the business continuity testing programme looks like in practice; how the sub-outsourcing chain is governed and monitored; and what infrastructure or service changes have occurred since the last information request.
Personnel should be briefed that interview answers will be assessed for consistency with documented policies and prior submissions to the Lead Overseer. Inconsistency between what documentation says and what staff describe is itself a finding.
Management Body Accountability Under Direct Examination
The inspection framework extends to direct examination of the management body of the critical ICT TPP. This is the aspect of ESA on-site inspections that most surprises large institution governance teams. Management body members are expected to demonstrate personal familiarity with the entity's DORA obligations, understanding of the material ICT risk profile across its financial entity client base, awareness of open findings from prior oversight activities, and the governance structure through which they oversee ICT risk. Delegation to technical staff does not satisfy a direct question to the management body.
For financial entities, the parallel is direct. DORA Article 5 places equivalent accountability on the management body of the financial entity itself. If the critical TPP's management is examined on their oversight of ICT risk, financial entity management bodies should expect equivalent examination from their own competent authorities on how they oversee critical ICT dependencies.
See our guide to DORA management body obligations for the full governance framework.
Major Finding vs Observation: Understanding Post-Inspection Outcomes
Following an on-site inspection, the Lead Overseer issues a findings report to the critical ICT TPP under Article 36. The distinction between a major finding and an observation or recommendation matters significantly for how financial entities using that provider must respond.
What Constitutes a Major Finding
DORA leaves "major finding" without a precise statutory threshold. The regulatory technical standards and ESA oversight guidance identify a consistent set of patterns: material non-compliance with Article 30 contractual obligations (for instance, audit rights that are contractually described but operationally obstructed); significant gaps in business continuity or recovery capabilities that create systemic risk for financial entity clients; sub-outsourcing arrangements that are undisclosed, ungoverned, or involve providers in jurisdictions creating data sovereignty risks; or incidents and vulnerabilities the critical TPP failed to report to affected financial entities in line with contractual obligations.
A major finding triggers the Lead Overseer's recommendation power under Article 35(1)(d). Remediation deadlines and interim measures are governed under Article 36. The ESA Guide JC 2025 29 confirms that CTPPs are given 60 days to notify their intention to follow recommendations or provide reasoned explanations for non-compliance. Article 42 creates the mechanism through which competent authorities can hold financial entities accountable for failing to act on Lead Overseer oversight findings and recommendations.
Observations and Recommendations
Observations and recommendations carry less immediate legal weight but should be treated as substantive risk signals. They mark areas where the ESA has concerns that do not yet meet the threshold for a formal finding. Financial entities should treat observations from an ESA inspection of a critical provider as an early warning. Where the ESA is noting a pattern of concern in one direction, addressing that pattern before it becomes a formal finding is materially better than a reactive response after classification.
What Happens Post-Inspection: The Financial Entity's Position
The inspection cycle does not end when the inspection team leaves the critical TPP's premises. The post-inspection phase creates governance obligations for financial entities that must be managed actively.
Where a major finding is issued, financial entities must review their contractual relationship with the critical TPP to determine whether the finding reveals a gap in contractual protections, monitoring processes, or internal governance. The register of information required under Article 28(3) should be updated to reflect inspection outcomes. Where the finding relates to a service supporting a critical or important function, the management body must be informed and a remediation response documented.
Where remediation by the critical TPP is incomplete at the deadline set by the Lead Overseer, Article 35(6) provides for periodic penalty payments against the CTPP. Under Article 42(6), as a measure of last resort, competent authorities can require financial entities to suspend or terminate the relevant contractual arrangements. Financial entities should factor an enforcement scenario into their concentration risk assessments: a critical TPP under active enforcement is a risk management event requiring documented response.
Pre-Inspection Preparation Checklist for Financial Entities
The following checklist is structured for financial entities preparing for an ESA on-site inspection of a critical ICT provider on which they depend. The inspection is of the provider, but the financial entity's governance response starts before the inspection team arrives.
- Confirm your register of information under Article 28(3) is current and accurately reflects all services provided by the critical TPP and any material subcontractors.
- Review contractual arrangements against Article 30 requirements, including audit rights under Article 30(3)(e), sub-outsourcing provisions under Article 30(3), and exit rights. Verify these are operationally effective.
- Obtain or review the most recent audit results from any Article 30(3)(e) exercise of audit rights with the provider. Identify any gaps between contractual obligations and actual observed controls.
- Confirm your records of TLPT exercises involving the critical TPP as a material system are current and consistent with the TPP's own test records.
- Verify that your internal governance documentation reflects the ICT risk profile of this provider at management body level, including any open issues from prior oversight cycles.
- Confirm you have a process to monitor Lead Overseer publications and ESA communications relating to designated critical TPPs you use.
- Ensure your contractual relationship with the critical TPP includes an obligation for the provider to notify you of material supervisory events.
FAQs
Can ESA inspectors enter a critical ICT TPP's premises without notice?
Yes. DORA Article 39(1) grants the Lead Overseer the right to conduct on-site inspections at any business premises and does not require advance notice in all cases. Under Article 39(5), the Lead Overseer shall give reasonable notice before any planned inspection unless doing so is not possible due to an emergency or crisis situation, or would lead to the inspection being no longer effective. Financial entities should design ongoing monitoring of critical TPP relationships to function regardless of whether advance inspection notice is given.
What happens if a critical ICT TPP refuses to cooperate with an ESA inspection?
Non-cooperation is addressed under Article 35(6), which provides for periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover per day, imposed for up to six months. Where a critical ICT TPP actively opposes an on-site inspection, Article 39(7) gives the Lead Overseer the additional power to inform the CTPP that competent authorities of the financial entities relying on it may require those entities to terminate their contractual arrangements entirely. For financial entities relying on that provider, non-cooperation is therefore a material concentration risk event: it indicates a deterioration in the relationship between the provider and its regulators, and should trigger immediate escalation to the management body, reassessment of the dependency, and a review of exit strategy readiness.
Are financial entities notified when an ESA inspection of one of their critical providers begins?
DORA does not impose a formal obligation on the Lead Overseer to notify financial entities directly when an on-site inspection of a critical TPP is initiated, though under Article 39(3) the Lead Overseer shall inform the competent authorities of financial entities using that provider in good time before the inspection starts. In practice, financial entities may learn of an inspection through their contractual relationship with the provider or through supervisory dialogue with their own national competent authority. Financial entities should maintain active monitoring of Lead Overseer publications and ensure their contracts with critical TPPs include a provider obligation to notify them of material supervisory events.
How is an ESA on-site inspection different from a financial entity's own audit of the ICT provider?
A financial entity's exercise of its contractual audit rights under Article 30(3)(e) is an internal governance tool: the financial entity appoints auditors, scopes the audit, and receives results for its own oversight purposes. An ESA on-site inspection under Article 39 is a regulatory enforcement tool: it is conducted by the supervisory authority, has a binding legal basis, can examine the full scope of the critical TPP's operations affecting financial entities, and can result in formal findings with remediation requirements. The two mechanisms complement each other. The findings from an Article 30 audit should inform what a financial entity monitors for in ESA inspection outcomes, and the reverse applies equally.
Does an ESA finding against a critical ICT TPP automatically create an obligation for the financial entity?
The obligation arises operationally rather than automatically. Article 42 creates a mechanism through which national competent authorities can hold financial entities accountable for failing to take Lead Overseer oversight recommendations into account when managing their critical TPP relationships. Where a major finding is issued against a provider on which a financial entity depends for a critical or important function, the financial entity's governance response, reviewing contracts, updating the register of information, briefing the management body, adjusting the risk assessment, will be visible to its own competent authority. The absence of a documented response to a known ESA finding would be difficult to justify in a supervisory review.
© SureCloud 2026. All rights reserved.
