Article 42 Follow-up by competent authorities

Within 60 calendar days of the receipt of the recommendations issued by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; pursuant to Article 35(1), point (d), critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; shall either notify the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; of their intention to follow the recommendations or provide a reasoned explanation for not following such recommendations. The Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; shall immediately transmit this information to the competent authorities of the financial entities concerned.

The Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; shall publicly disclose where a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; fails to notify the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; in accordance with paragraph 1 or where the explanation provided by the critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; is not deemed sufficient. The information published shall disclose the identity of the critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; as well as information on the type and nature of the non-compliance. Such information shall be limited to what is relevant and proportionate for the purpose of ensuring public awareness, unless such publication would cause disproportionate damage to the parties involved or could seriously jeopardise the orderly functioning and integrity of financial markets or the stability of the whole or part of the financial system of the Union.

The Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; shall notify the ICT third-party service providermeans an undertaking providing ICT services; of that public disclosure.

Competent authorities shall inform the relevant financial entities of the risks identified in the recommendations addressed to critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; in accordance with Article 35(1), point (d).

When managing ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;, financial entities shall take into account the risks referred to in the first subparagraph.

Where a competent authority deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party riskmeans an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; the specific risks identified in the recommendations, it shall notify the financial entity of the possibility of a decision being taken, within 60 calendar days of the receipt of such notification, pursuant to paragraph 6, in the absence of appropriate contractual arrangements aiming to address such risks.

Upon receiving the reports referred to in Article 35(1), point (c), and prior to taking a decision as referred to in paragraph 6 of this Article, competent authorities may, on a voluntary basis, consult the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31;.

Competent authorities may, as a measure of last resort, following the notification and, if appropriate, the consultation as set out in paragraph 4 and 5 of this Article, in accordance with Article 50, take a decision requiring financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; until the risks identified in the recommendations addressed to critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31;.

Where a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31; refuses to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;, and such a divergent approach may adversely impact a large number of financial entities, or a significant part of the financial sector, and individual warnings issued by competent authorities have not resulted in consistent approaches mitigating the potential risk to financial stability, the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; may, after consulting the Oversight Forum, issue non-binding and non-public opinions to competent authorities, in order to promote consistent and convergent supervisory follow-up measures, as appropriate.

1. the gravity and the duration of the non-compliance;

2. whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31;’s procedures, management systems, risk management and internal controls;

3. whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance;

4. whether the non-compliance has been intentional or negligent;

5. whether the suspension or termination of the contractual arrangements introduces a risk for continuity of the financial entity’s business operations notwithstanding the financial entity’s efforts to avoid disruption in the provision of its services;

6. where applicable, the opinion of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service providermeans an ICT third-party service provider designated as critical in accordance with Article 31;, requested on a voluntary basis in accordance with paragraph 5 of this Article.

Competent authorities shall grant financial entities the necessary period of time to enable them to adjust the contractual arrangements with critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; in order to avoid detrimental effects on their digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; and to allow them to deploy exit strategies and transition plans as referred to in Article 28.

The decision referred to in paragraph 6 of this Article shall be notified to the members of the Oversight Forum referred to in Article 32(4), points (a), (b) and (c), and to the JON.

The critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; affected by the decisions provided for in paragraph 6 shall fully cooperate with the financial entities impacted, in particular in the context of the process of suspension or termination of their contractual arrangements.

Competent authorities shall regularly inform the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual arrangements concluded by financial entities where critical ICT third-party service providersmeans an ICT third-party service provider designated as critical in accordance with Article 31; have not endorsed in part or entirely recommendations addressed to them by the Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;.

The Lead Overseermeans the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; may, upon request, provide further clarifications on the recommendations issued to guide the competent authorities on the follow-up measures.