Source: OJ L, 2025/295, 13.2.2025Current language: EN
- Digital operational resilience in the financial sector
Oversight framework
- RTS on harmonisation for oversight conduct
Article 3 Information from critical ICT third-party service providers after the issuance of recommendations
Summary What does Article 3 of the RTS on harmonisation for oversight conduct say?
This article establishes the follow-through mechanism after the Lead Overseer issues recommendations to a critical ICT third-party service provider.
It builds directly on the oversight process by requiring providers to translate those recommendations into a formal remediation plan and then demonstrate ongoing and final compliance with it.
The article creates a structured reporting loop between the critical ICT third-party service provider and the Lead Overseer, covering both the initial plan and subsequent evidence of its execution.
Important points:
- Critical ICT third-party service providers must submit a remediation plan to the Lead Overseer, aligned with the timelines the Lead Overseer sets for each recommendation.
- Upon request, provide interim progress reports with supporting documents showing how implementation is advancing within the defined timeline.
- Upon request, provide a final report with supporting documents confirming the actions taken or remedies implemented in response to the recommendations received.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The critical ICT third-party service provider shall provide to the Lead Overseer a report containing a remediation plan in relation to the recommendations and remedies that the critical ICT third-party service provider plans to implement in order to mitigate the risks identified in the recommendations referred to in Article 35(1), point (d) of Regulation (EU) 2022/2254. The report shall be consistent with the timeline set by the Lead Overseer for each recommendation.
To enable the monitoring of the implementation of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in relation to the recommendations received, the critical ICT third-party service provider shall share with the Lead Overseer upon request:
interim progress reports and related supporting documents specifying the progress of the implementation of the actions and measures set out in the report provided by the critical ICT third-party service provider to the Lead Overseer within the timeline defined by the Lead Overseer;
final reports and related supporting documents specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in order to mitigate the risks identified in the recommendations received.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT third-party service provider
Definition
critical ICT third-party service provider
Definition
ICT services
Definition
Lead Overseer