Follow-up by competent authorities

Within 60 calendar days of the receipt of the recommendations issued by the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation pursuant to Article 35(1), point (d), critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 shall either notify the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation of their intention to follow the recommendations or provide a reasoned explanation for not following such recommendations. The Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall immediately transmit this information to the competent authoritiesas defined in Article 46 of the financial entitiesas defined in Article 2, points (a) to (t) concerned.

The Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall publicly disclose where a critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 fails to notify the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation in accordance with paragraph 1 or where the explanation provided by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 is not deemed sufficient. The information published shall disclose the identity of the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 as well as information on the type and nature of the non-compliance. Such information shall be limited to what is relevant and proportionate for the purpose of ensuring public awareness, unless such publication would cause disproportionate damage to the parties involved or could seriously jeopardise the orderly functioning and integrity of financial markets or the stability of the whole or part of the financial system of the Union.

The Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall notify the ICT third-party service provideran undertaking providing ICT services of that public disclosure.

Competent authoritiesas defined in Article 46 shall inform the relevant financial entitiesas defined in Article 2, points (a) to (t) of the risks identified in the recommendations addressed to critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 in accordance with Article 35(1), point (d).

When managing ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements, financial entitiesas defined in Article 2, points (a) to (t) shall take into account the risks referred to in the first subparagraph.

Where a competent authorityas defined in Article 46 deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements the specific risks identified in the recommendations, it shall notify the financial entity of the possibility of a decision being taken, within 60 calendar days of the receipt of such notification, pursuant to paragraph 6, in the absence of appropriate contractual arrangements aiming to address such risks.

Upon receiving the reports referred to in Article 35(1), point (c), and prior to taking a decision as referred to in paragraph 6 of this Article, competent authoritiesas defined in Article 46 may, on a voluntary basis, consult the competent authoritiesas defined in Article 46 designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31.

Competent authoritiesas defined in Article 46 may, as a measure of last resort, following the notification and, if appropriate, the consultation as set out in paragraph 4 and 5 of this Article, in accordance with Article 50, take a decision requiring financial entitiesas defined in Article 2, points (a) to (t) to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third- party service provider until the risks identified in the recommendations addressed to critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 have been addressed. Where necessary, they may require financial entitiesas defined in Article 2, points (a) to (t) to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31.

Where a critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 refuses to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation, and such a divergent approach may adversely impact a large number of financial entitiesas defined in Article 2, points (a) to (t), or a significant part of the financial sector, and individual warnings issued by competent authoritiesas defined in Article 46 have not resulted in consistent approaches mitigating the potential risk to financial stability, the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation may, after consulting the Oversight Forum, issue non-binding and non-public opinions to competent authoritiesas defined in Article 46, in order to promote consistent and convergent supervisory follow-up measures, as appropriate.

Upon receiving the reports referred to in Article 35(1), point (c), competent authoritiesas defined in Article 46, when taking a decision as referred to in paragraph 6 of this Article, shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31, as well as the seriousness of the non-compliance, having regard to the following criteria:

1. the gravity and the duration of the non-compliance;

2. whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider’s procedures, management systems, risk management and internal controls;

3. whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance;

4. whether the non-compliance has been intentional or negligent;

5. whether the suspension or termination of the contractual arrangements introduces a risk for continuity of the financial entity’s business operations notwithstanding the financial entity’s efforts to avoid disruption in the provision of its services;

6. where applicable, the opinion of the competent authoritiesas defined in Article 46 designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31, requested on a voluntary basis in accordance with paragraph 5 of this Article.

Competent authoritiesas defined in Article 46 shall grant financial entitiesas defined in Article 2, points (a) to (t) the necessary period of time to enable them to adjust the contractual arrangements with critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 in order to avoid detrimental effects on their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions and to allow them to deploy exit strategies and transition plans as referred to in Article 28.

The decision referred to in paragraph 6 of this Article shall be notified to the members of the Oversight Forum referred to in Article 32(4), points (a), (b) and (c), and to the JONJoint Oversight Network .

The critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 affected by the decisions provided for in paragraph 6 shall fully cooperate with the financial entitiesas defined in Article 2, points (a) to (t) impacted, in particular in the context of the process of suspension or termination of their contractual arrangements.

Competent authoritiesas defined in Article 46 shall regularly inform the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation on the approaches and measures taken in their supervisory tasks in relation to financial entitiesas defined in Article 2, points (a) to (t) as well as on the contractual arrangements concluded by financial entitiesas defined in Article 2, points (a) to (t) where critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 have not endorsed in part or entirely recommendations addressed to them by the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation.

The Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation may, upon request, provide further clarifications on the recommendations issued to guide the competent authoritiesas defined in Article 46 on the follow-up measures.