Article 7
Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer

Note: This article is based on the final draft from the ESAs and is not yet adopted.
1. As part of their supervision of financial entities, competent authorities shall assess the impact on the financial entities of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer. This assessment shall reflect a risk-based approach and the principle of proportionality.
2. When conducting the assessment referred to in paragraph 1, competent authorities shall take into account all of the following:
   (a) the adequacy and the coherence of the corrective and remedial measures implemented by the financial entities under their remit to mitigate those risks, if any;
   (b) the assessment made by the Lead Overseer of the compliance with the measures and actions included in the remediation plan by the critical ICT third-party service provider where it has impacts on the exposure of the financial entities under their remit to the risks identified in the recommendations;
   (c) the view of competent authorities designated or established in accordance with Directive (EU) 2022/2555, where those competent authorities have been consulted in accordance with Article 42(5) of Regulation (EU) 2022/2554;
   (d) whether the Lead Overseer has considered the actions and remedies implemented by the critical ICT third-party service provider as adequate to mitigate the exposure of the financial entities under their remit to the risks identified in the recommendations.
3. Upon request from the Lead Overseer, the competent authority shall provide in reasonable time the results of the assessment set out in paragraph 1. When requesting the results of this assessment, the Lead Overseer shall consider the principle of proportionality and the magnitude of risks associated with the recommendation, including the cross-border impacts of these risks when impacting financial entities operating in more than one Member State.
4. Where relevant, competent authorities shall request to financial entities any information necessary to carry out the assessment specified in paragraph 1.