Source: OJ L 333, 27.12.2022, p. 1–79
Digital Operational Resilience Act (DORA regulation)
Article 33 Tasks of the Lead Overseer
1. The Lead Overseer, appointed in accordance with Article 31(1), point (b), shall conduct the oversight of the assigned critical ICT third-party service providers and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those critical ICT third-party service providers.

2. For the purposes of paragraph 1, the Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.

The assessment referred to in the first subparagraph shall focus mainly on ICT services provided by the critical ICT third-party service provider supporting the critical or important functions of financial entities. Where necessary to address all relevant risks, that assessment shall extend to ICT services supporting functions other than those that are critical or important.

3. The assessment referred to in paragraph 2 shall cover:

(a) ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the critical ICT third-party service provider provides to financial entities, as well as the ability to maintain at all times high standards of availability, authenticity, integrity or confidentiality of data;

(b) the physical security contributing to ensuring the ICT security, including the security of premises, facilities, data centres;

(c) the risk management processes, including ICT risk management policies, ICT business continuity policy and ICT response and recovery plans;

(d) the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling effective ICT risk management;

(e) the identification, monitoring and prompt reporting of material ICT-related incidents to financial entities, the management and resolution of those incidents, in particular cyber-attacks;

(f) the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities;

(g) the testing of ICT systems, infrastructure and controls;

(h) the ICT audits;

(i) the use of relevant national and international standards applicable to the provision of its ICT services to the financial entities.

4. Based on the assessment referred to in paragraph 2, and in coordination with the Joint Oversight Network (JON) referred to in Article 34(1), the Lead Overseer shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider. That plan shall be communicated yearly to the critical ICT third-party service provider.

5. Prior to the adoption of the oversight plan, the Lead Overseer shall communicate the draft oversight plan to the critical ICT third-party service provider.

Upon receipt of the draft oversight plan, the critical ICT third-party service provider may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers which are entities falling outside of the scope of this Regulation and, where appropriate, formulating solutions to mitigate risks.

6. Once the annual oversight plans referred to in paragraph 4 have been adopted and notified to the critical ICT third-party service providers, competent authorities may take measures concerning such critical ICT third-party service providers only in agreement with the Lead Overseer.