Source: OJ L, 2025/295, 13.2.2025

Current language: EN

Article 6 Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer

Summary: What does Article 6 of the RTS on harmonisation for oversight conduct say?

This article sits at the intersection of two layers of oversight: the Lead Overseer's supervision of critical ICT third-party service providers, and competent authorities' supervision of the financial entities that use them.

It establishes a duty for competent authorities to assess how the measures taken by critical ICT third-party service providers — following Lead Overseer recommendations — actually impact the financial entities under their supervision.

The article outlines what factors must inform that assessment, and creates a feedback loop whereby competent authorities must share their findings with the Lead Overseer upon request.

Important points:

  • Competent authorities are required to assess the downstream impact on financial entities of measures taken by critical ICT third-party service providers in response to Lead Overseer recommendations.
  • Competent authorities must factor in the Lead Overseer's own compliance assessment of the critical ICT third-party service provider, the views of other consulted competent authorities, and the adequacy of corrective measures implemented by the financial entities themselves.
  • Competent authorities are required to share the results of this assessment with the Lead Overseer upon request, and may request relevant information from financial entities to carry it out.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. As part of their supervision of financial entities, the competent authority shall assess the impact on the financial entities of the measures taken by the critical ICT third-party service provider based on the recommendations of the Lead Overseer in accordance with the principle of proportionality.

    2. When conducting the assessment referred to in paragraph 1, the competent authority shall take into account all of the following:

      1. the adequacy and the coherence of the corrective and remedial measures implemented by the financial entities to mitigate the risks identified in the recommendations;

      2. the assessment made by the Lead Overseer of the compliance of the critical ICT third-party service provider with the measures and actions included in the report where it has impacts on the exposure of the financial entities under its remit to the risks identified in the recommendations;

      3. the view of any other competent authorities who have been consulted in accordance with Article 42(5) of Regulation (EU) 2022/2554;

      4. whether the Lead Overseer has considered the actions and remedies implemented by the critical ICT third-party service provider as adequate to mitigate the exposure of the financial entities under its remit to the risks identified in the recommendations.

    3. Upon request from the Lead Overseer, the competent authority shall provide in reasonable time the results of the assessment set out in paragraph 1. When requesting the results of this assessment, the Lead Overseer shall consider the principle of proportionality and the magnitude of risks associated with the recommendations, including the cross-border impacts of these risks when impacting financial entities operating in more than one Member State.

    4. Where relevant, the competent authority shall request financial entities to provide any information necessary to carry out the assessment referred to in paragraph 1.
