Powers of the Lead Overseer


Lead Overseers should be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of critical ICT third-party service providers and to obtain complete and updated information. Those powers should enable the Lead Overseer to acquire real insight into the type, dimension and impact of the ICT third-party risk posed to financial entities and ultimately to the Union’s financial system. Entrusting the ESAs with the lead oversight role is a prerequisite for understanding and addressing the systemic dimension of ICT risk in finance.

The impact of critical ICT third-party service providers on the Union financial sector and the potential issues caused by the ICT concentration risk entailed call for taking a collective approach at Union level. The simultaneous carrying out of multiple audits and access rights, performed separately by numerous competent authorities, with little or no coordination among them, would prevent financial supervisors from obtaining a complete and comprehensive overview of ICT third-party risk in the Union, while also creating redundancy, burden and complexity for critical ICT third-party service providers if they were subject to numerous monitoring and inspection requests.