(Draft) Commission Delegated Regulation (EU) .../... of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on the harmonisation of conditions enabling the conduct of oversight activities
DORA Regulation: supplementing provisions on oversight activities
Draft Commission Delegated Regulation sent to the European Parliament and the Council for clearance on 24.10.2024
Further details
BACKGROUND (from the Commission Regulation)
(1) The framework on digital operational resilience for the financial sector established by Regulation (EU) 2022/2554 introduces a Union oversight framework for the information and communication technology (ICT) third-party service providers to the financial sector designated as critical in accordance with Article 31 of that Regulation.
(2) An ICT third-party service provider which decides to submit a voluntary request to be designated as critical should provide the receiving European Supervisory Authority (ESA) with all the necessary information to demonstrate its criticality according to the principles and criteria set out in Regulation (EU) 2022/2554. For this reason, the information to be included in the voluntary request application should be sufficiently detailed and complete to enable a clear and complete assessment of criticality under Article 31(11) of that Regulation. The relevant ESA should reject any incomplete application and request the missing information.
(3) The legal identification of ICT third-party service providers within the scope of this Regulatory Technical Standard should be aligned with the identification code set out in Commission Implementing Regulation adopted in accordance with Article 28(9) from Regulation (EU) 2022/2554.
(4) As a follow-up to the recommendations issued by the Lead Overseer to critical ICT third-party service providers, the Lead Overseer should monitor critical ICT third-party service providers’ compliance with the recommendations. With a view to ensure efficient and effective monitoring of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to these recommendations, the Lead Overseer should be able to require the reports referred to in Article 35(1), point (c), of Regulation (EU) 2022/2554, which should be intended as interim progress reports and final reports.
(5) For the purpose of the assessment specified in Article 42(1) of Regulation (EU) 2022/2554, according to which Lead Overseer is obliged to evaluate whether the explanation provided by critical ICT third-party service provider is sufficient, the notification to the Lead Overseer by the critical ICT third-party service provider of its intention to follow the recommendations received should be complemented by a description of the actions and measures that have been taken to mitigate the risks outlined in the recommendations, along with their respective deadlines. Such explanation should take the form of a remediation plan.
(6) As the Lead Overseer is expected to assess the subcontracting arrangements of the critical ICT third-party service provider, a template needs to be developed for providing information on those arrangements. The template should take into account the fact that the critical ICT third-party service providers have different structures than financial entities.
(7) Once the recommendations to a critical ICT third-party service provider are issued by the Lead Overseer, and competent authorities have informed the relevant financial entities of the risks identified in those recommendations, the Lead Overseer should monitor and assess the implementation by the critical ICT third-party service provider of the actions and remedies to comply with the recommendations. Competent authorities should monitor and assess the extent to which the financial entities are exposed to the risks identified in these recommendations. With a view to maintain a level playing field while carrying out their respective tasks, particularly when the risks identified in the recommendations are severe and shared among a large number of financial entities in multiple Member States, both the competent authorities and the Lead Overseer should share among each other any relevant findings which are necessary for them to carry out their respective tasks. The objective of the information sharing is to ensure that the feedback of the Lead Overseer to the critical ICT third-party service provider in relation to the actions and remedies the latter is implementing takes into account the impact on the risks of the financial entities, and that the supervisory activities performed by the competent authorities are informed by the assessment carried out by the Lead Overseer.
(8) To allow for an efficient and effective sharing of information, the competent authorities should assess, as part of their supervisory activities, the extent to which the financial entities supervised by them are exposed to the risks identified in the recommendations. This assessment should be carried out in a proportionate and risk-based manner. The Lead Overseer should request the competent authorities to share the results of this assessment in the specific cases when the risks associated with the recommendations are severe and shared among a large number of financial entities in multiple Member States. To make the best use of the resources of the competent authorities, when asking to provide the results of this assessment, the Lead Overseer should always take into account that the objective of these requests is to evaluate the implementation of actions and remedies of the critical ICT third-party service providers.
(9) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 22 July 2024.
(10) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the ESAs.
(11) The Joint Committee of the ESAs has conducted open public consultations on the draft regulatory technical standards upon which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council, the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council, and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council,