Enforceability of penalties for ICT third-party service providers
Against this background, the need of the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation to impose penalty payments to compel critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 to comply with the transparency and access-related obligations set out in this Regulation should not be jeopardised by difficulties raised by the enforcement of those penalty payments in relation to critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 established in third countries. In order to ensure the enforceability of such penalties, and to allow a swift roll out of procedures upholding the critical ICT third-party service providers’ rights of defence in the context of the designation mechanism and the issuance of recommendations, those critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31, providing services to financial entitiesas defined in Article 2, points (a) to (t) that affect the supply of financial services, should be required to maintain an adequate business presence in the Union. Due to the nature of the oversight, and the absence of comparable arrangements in other jurisdictions, there are no suitable alternative mechanisms ensuring this objective by way of effective cooperation with financial supervisors in third countries in relation to the monitoring of the impact of digital operational risks posed by systemic ICT third-party service providersan undertaking providing ICT services, qualifying as critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 established in third countries. Therefore, in order to continue its provision of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services to financial entitiesas defined in Article 2, points (a) to (t) in the Union, an ICT third-party service provider established in a third countryan ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services which has been designated as critical in accordance with this Regulation should undertake, within 12 months of such designation, all necessary arrangements to ensure its incorporation within the Union, by means of establishing a subsidiarya subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU, as defined throughout the Union acquis, namely in Directive 2013/34/EU of the European Parliament and of the Council (21)Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19)..