Article 35

Powers of the Lead Overseer


TL;DR This article of the EU's Digital Operational Resilience Act outlines the responsibilities and powers of the Lead Overseer. The Lead Overseer shall have the power to request relevant information and documentation, conduct general investigations and inspections, request reports, and issue recommendations regarding ICT security and quality requirements or processes, conditions and terms, subcontracting, and other measures. In addition, the Lead Overseer shall coordinate within the JON and consult the Oversight Forum, consult the relevant competent authorities, and take due account of the framework established by Directive (EU) 2022/2555. Furthermore, the Lead Overseer shall inform the JON, impose periodic penalty payments if necessary, and ensure that all parties involved are granted the right of defense.
  1. For the purposes of carrying out the duties laid down in this Section, the Lead Overseer shall have the following powers in respect of the critical ICT third-party service providers:

    1. to request all relevant information and documentation in accordance with Article 37;

    2. to conduct general investigations and inspections in accordance with, respectively, Articles 38 and 39;

    3. to request, after the completion of the oversight activities, reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to the recommendations referred to in point (d) of this paragraph;

    4. to issue recommendations on the areas referred to in Article 33(3), in particular concerning the following:

      1. the use of specific ICT security and quality requirements or processes, in particular in relation to the roll-out of patches, updates, encryption and other security measures which the Lead Overseer deems relevant for ensuring the ICT security of services provided to financial entities;

      2. the use of conditions and terms, including their technical implementation, under which the critical ICT third-party service providers provide ICT services to financial entities, which the Lead Overseer deems relevant for preventing the generation of single points of failure, the amplification thereof, or for minimising the possible systemic impact across the Union’s financial sector in the event of ICT concentration risk;

      3. any planned subcontracting, where the Lead Overseer deems that further subcontracting, including subcontracting arrangements which the critical ICT third-party service providers plan to enter into with ICT third-party service providers or with ICT subcontractors established in a third country, may trigger risks for the provision of services by the financial entity, or risks to the financial stability, based on the examination of the information gathered in accordance with Articles 37 and 38;

      4. refraining from entering into a further subcontracting arrangement, where the following cumulative conditions are met:

        1. the envisaged subcontractor is an ICT third-party service provider or an ICT subcontractor established in a third country;

        2. the subcontracting concerns critical or important functions of the financial entity; and

        3. the Lead Overseer deems that the use of such subcontracting poses a clear and serious risk to the financial stability of the Union or to financial entities, including to the ability of financial entities to comply with supervisory requirements.

      For the purpose of point (iv) of this point, ICT third-party service providers shall, using the template referred to in Article 41(1), point (b), transmit the information regarding subcontracting to the Lead Overseer.

  2. When exercising the powers referred to in this Article, the Lead Overseer shall:

    1. ensure regular coordination within the JON, and in particular shall seek consistent approaches, as appropriate, with regard to the oversight of critical ICT third-party service providers;

    2. take due account of the framework established by Directive (EU) 2022/2555 and, where necessary, consult the relevant competent authorities designated or established in accordance with that Directive, in order to avoid duplication of technical and organisational measures that might apply to critical ICT third-party service providers pursuant to that Directive;

    3. seek to minimise, to the extent possible, the risk of disruption to services provided by critical ICT third-party service providers to customers that are entities falling outside the scope of this Regulation.

  3. The Lead Overseer shall consult the Oversight Forum before exercising the powers referred to in paragraph 1.

    Before issuing recommendations in accordance with paragraph 1, point (d), the Lead Overseer shall give the opportunity to the ICT third-party service provider to provide, within 30 calendar days, relevant information evidencing the expected impact on customers that are entities falling outside the scope of this Regulation and, where appropriate, formulating solutions to mitigate risks.

  4. The Lead Overseer shall inform the JON of the outcome of the exercise of the powers referred to in paragraph 1, points (a) and (b). The Lead Overseer shall, without undue delay, transmit the reports referred to in paragraph 1, point (c), to the JON and to the competent authorities of the financial entities using the ICT services of that critical ICT third-party service provider.

  5. Critical ICT third-party service providers shall cooperate in good faith with the Lead Overseer, and assist it in the fulfilment of its tasks.

  6. In the event of whole or partial non-compliance with the measures required to be taken pursuant to the exercise of the powers under paragraph 1, points (a), (b) and (c), and after the expiry of a period of at least 30 calendar days from the date on which the critical ICT third-party service provider received notification of the respective measures, the Lead Overseer shall adopt a decision imposing a periodic penalty payment to compel the critical ICT third-party service provider to comply with those measures.

  7. The periodic penalty payment referred to in paragraph 6 shall be imposed on a daily basis until compliance is achieved and for no more than a period of six months following the notification of the decision to impose a periodic penalty payment to the critical ICT third-party service provider.

  8. The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be up to 1 % of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. When determining the amount of the penalty payment, the Lead Overseer shall take into account the following criteria regarding non-compliance with the measures referred to in paragraph 6:

    1. the gravity and the duration of non-compliance;

    2. whether non-compliance has been committed intentionally or negligently;

    3. the level of cooperation of the ICT third-party service provider with the Lead Overseer.

    For the purposes of the first subparagraph, in order to ensure a consistent approach, the Lead Overseer shall engage in consultation within the JON.

  9. Penalty payments shall be of an administrative nature and shall be enforceable. Enforcement shall be governed by the rules of civil procedure in force in the Member State on the territory of which inspections and access shall be carried out. Courts of the Member State concerned shall have jurisdiction over complaints related to irregular conduct of enforcement. The amounts of the penalty payments shall be allocated to the general budget of the European Union.

  10. The Lead Overseer shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.

  11. Before imposing a periodic penalty payment under paragraph 6, the Lead Overseer shall give the representatives of the critical ICT third-party service provider subject to the proceedings the opportunity to be heard on the findings and shall base its decisions only on findings on which the critical ICT third-party service provider subject to the proceedings has had an opportunity to comment.

    The rights of the defence of the persons subject to the proceedings shall be fully respected in the proceedings. The critical ICT third-party service provider subject to the proceedings shall be entitled to have access to the file, subject to the legitimate interest of other persons in the protection of their business secrets. The right of access to the file shall not extend to confidential information or to the Lead Overseer’s internal preparatory documents.