Source: OJ L, 2025/295, 13.2.2025


Article 3 Information from critical ICT third-party service providers after the issuance of recommendations


Summary: What does Article 3 of the RTS on harmonisation for oversight conduct say?

This article establishes the follow-through mechanism after the Lead Overseer issues recommendations to a critical ICT third-party service provider.

It builds directly on the oversight process by requiring providers to translate those recommendations into a formal remediation plan and then demonstrate ongoing and final compliance with it.

The article creates a structured reporting loop between the critical ICT third-party service provider and the Lead Overseer, covering both the initial plan and subsequent evidence of its execution.

Important points:

  • Critical ICT third-party service providers must submit a remediation plan to the Lead Overseer, aligned with the timelines the Lead Overseer sets for each recommendation.
  • Upon request, they must provide interim progress reports with supporting documents showing how implementation is advancing within the defined timeline.
  • Upon request, they must provide a final report with supporting documents confirming the actions taken or remedies implemented in response to the recommendations received.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The critical ICT third-party service provider shall provide to the Lead Overseer a report containing a remediation plan in relation to the recommendations and remedies that the critical ICT third-party service provider plans to implement in order to mitigate the risks identified in the recommendations referred to in Article 35(1), point (d) of Regulation (EU) 2022/2254. The report shall be consistent with the timeline set by the Lead Overseer for each recommendation.

    2. To enable the monitoring of the implementation of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in relation to the recommendations received, the critical ICT third-party service provider shall share with the Lead Overseer upon request:

      1. interim progress reports and related supporting documents specifying the progress of the implementation of the actions and measures set out in the report provided by the critical ICT third-party service provider to the Lead Overseer within the timeline defined by the Lead Overseer;

      2. final reports and related supporting documents specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in order to mitigate the risks identified in the recommendations received.
