Information from critical ICT third-party providers after the issuance of recommendations


  1. In accordance with Article 35(1), point (c), of Regulation (EU) 2022/2554 and as part of the notification to the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation of its intention to comply with the recommendations pursuant to Article 42(1) of that Regulation, the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 shall provide to the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation a remediation plan outlining the actions and remedies that the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 plans to implement in order to mitigate the risks identified in the recommendations. The remediation plan shall be consistent with the timeline set by the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation for each recommendation.

  2. To enable the monitoring of the implementation of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 in relation to the recommendations received, the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 shall share with the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation upon request:

    1. interim progress reports and related supporting documents specifying the progress of the implementation of the actions and measures set out in the remediation plan provided by the critical ICT third party provider to the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation within the timeline defined by the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;

    2. final reports and related supporting documents specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 in order to mitigate the risks identified in the recommendations received.