Recitals


Recital 1

The framework on digital operational resilience for the financial sector established by Regulation (EU) 2022/2554 introduces a Union oversight framework for the information and communication technology (ICT) third-party service providers to the financial sector designated as critical in accordance with Article 31 of that Regulation.

Recital 2

Considering that Article 31(11) of Regulation (EU) 2022/2554 grants a limited time period of 6 months from the receipt of the application, it is crucial that the European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority (collectively European Supervisory Authorities or ESAs), receive a voluntary request to be designated as critical from a ICT third-party service provider, that is complete. In case the application submitted is not complete, the relevant ESA should reject the application and request the missing information.

Recital 3

Regulation (EU) 2022/2554 mandates the Lead Overseer to carry out a comprehensive assessment of the ICT risks that ICT third party service providers pose to financial entities. In order to carry out this assessment, Regulation (EU) 2022/2554 equips the Lead Overseer with power to request information covering areas directly or indirectly related to the ICT services the critical ICT third-party service providers provide to the financial entities.

Recital 4

The request to critical ICT third-party service providers to transmit to the Lead Overseer information that is necessary to carry out its duties, including the one on subcontracting arrangements, should be done considering the second subparagraph of Article 33(2) of Regulation (EU) 2022/2554.

Recital 5

The legal identification of ICT third-party service providers within the scope of this Regulatory Technical Standards should be aligned with the identification code set out in Commission Implementing Regulation adopted in accordance with Article 28(9) from Regulation (EU) 2022/2554.

Recital 6

As a follow-up to the recommendations issued by the Lead Overseer to critical ICT third-party providers, the Lead Overseer should monitor critical ICT third party service providers’ compliance with the recommendations. With a view to ensure a level playing field and an efficient and effective monitoring of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to these recommendations, the Lead Overseer should be able to require the reports referred to in Article 35(1), point (c), of Regulation (EU) 2022/2554, which should be intended as interim progress reports and final reports.

Recital 7

Also for the purpose of assessment specified in Article 42(2) of Regulation (EU) 2022/2554, according to which Lead Overseer is obliged to evaluate whether explanation provided by critical ICT third-party provider is sufficient, the notification to the Lead Overseer by the critical ICT third-party service provider of its intention to follow the recommendations received should be complemented by such explanation in the form of a remediation plan. In such remediation plan the critical ICT third-party service provider describes the actions and the measures planned to mitigate the risks of the recommendations, along with their respective timelines.

Recital 8

As the information submitted to the Lead Overseer by critical ICT third-party service providers may be of confidential nature, the Lead Overseer should provide the critical ICT third-party service provider with secure electronic channels for information submission.

Recital 9

The critical ICT third-party service provider should always provide information in a clear, concise and complete manner. Considering the unified nature of the European oversight framework, information should be submitted, disclosed or reported by the ICT third-party service providers pursuant to Article 35(1) in English.

Recital 10

As the Lead Overseer is expected to assess the subcontracting arrangements of the critical ICT third-party service provider, a template needs to be developed for providing information on those arrangements. The template should take into account the fact that the critical ICT third-party service providers have different structures than financial entities. The templates should therefore not fully mirror the templates of the register of information referred to in Article 28(3) of Regulation (EU) 2022/2554.

Recital 11

Once the recommendations to a critical ICT third-party service provider are issued by the Lead Overseer, and competent authorities have informed the relevant financial entities of the risks identified in that recommendations, the Lead Overseer should monitor and assess the implementation by the critical ICT third-party service provider of the actions and remedies to comply with the recommendations. Competent authorities should monitor and assess the extent to which the financial entities are exposed to the risks identified in these recommendations. With a view to maintain a level playing field while carrying out their respective tasks, particularly when the risks identified in the recommendations are severe and shared among a large number of financial entities in multiple Member States, both the competent authorities and the Lead Overseer should share among each other relevant findings which are necessary for them to carry out their respective tasks.
The objective of the information sharing is to ensure that the feedback of the Lead Overseer to the critical ICT third-party provider in relation to the actions and remedies the latter is implementing takes into account the impact on the risks of the financial entities, and that the supervisory activities performed by the competent authorities are informed by the assessment carried out by the Lead Overseer.

Recital 12

To allow for an efficient and effective sharing of information, the competent authorities should assess, as part of their supervisory activities, the extent to which the financial entities supervised by them are exposed to the risks identified in the recommendations. This assessment should be carried out in a proportionate and risk-based manner. Lead Overseer should request the competent authorities to share the results of this assessment in the specific cases when the risks associated with the recommendations are severe and shared among a large number of financial entities in multiple Member States. To make the best use of the resources of the competent authorities, when asking to provide the results of this assessment, the Lead Overseer should always take into account that the objective of these requests is to evaluate the actions and remedies of the critical ICT third-party providers.

Recital 13

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Supervisory Authorities.

Recital 14

The Joint Committee of the European Supervisory Authorities has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2), the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3), and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4).

(2) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).

(3) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).

(4) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).