Article 36 Exercise of the powers of the Lead Overseer outside the Union

    1. When oversight objectives cannot be attained by means of interacting with the subsidiary set up for the purpose of Article 31(12), or by exercising oversight activities on premises located in the Union, the Lead Overseer may exercise the powers, referred to in the following provisions, on any premises located in a third-country which is owned, or used in any way, for the purposes of providing services to Union financial entities, by a critical ICT third-party service provider, in connection with its business operations, functions or services, including any administrative, business or operational offices, premises, lands, buildings or other properties:

    2. The powers referred to in the first subparagraph may be exercised subject to all of the following conditions:

      1. the conduct of an inspection in a third-country is deemed necessary by the Lead Overseer to allow it to fully and effectively perform its duties under this Regulation;

      2. the inspection in a third-country is directly related to the provision of ICT services to financial entities in the Union;

      3. the critical ICT third-party service provider concerned consents to the conduct of an inspection in a third-country; and

      4. the relevant authority of the third-country concerned has been officially notified by the Lead Overseer and raised no objection thereto.

    1. Without prejudice to the respective competences of the Union institutions and of Member States, for the purposes of paragraph 1, EBA, ESMA or EIOPA shall conclude administrative cooperation arrangements with the relevant authority of the third country in order to enable the smooth conduct of inspections in the third country concerned by the Lead Overseer and its designated team for its mission in that third country. Those cooperation arrangements shall not create legal obligations in respect of the Union and its Member States nor shall they prevent Member States and their competent authorities from concluding bilateral or multilateral arrangements with those third countries and their relevant authorities.

    2. Those cooperation arrangements shall specify at least the following elements:

      1. the procedures for the coordination of oversight activities carried out under this Regulation and any analogous monitoring of ICT third-party risk in the financial sector exercised by the relevant authority of the third country concerned, including details for transmitting the agreement of the latter to allow the conduct, by the Lead Overseer and its designated team, of general investigations and on-site inspections as referred to in paragraph 1, first subparagraph, on the territory under its jurisdiction;

      2. the mechanism for the transmission of any relevant information between EBA, ESMA or EIOPA and the relevant authority of the third country concerned, in particular in connection with information that may be requested by the Lead Overseer pursuant to Article 37;

      3. the mechanisms for the prompt notification by the relevant authority of the third-country concerned to EBA, ESMA or EIOPA of cases where an ICT third-party service provider established in a third country and designated as critical in accordance with Article 31(1), point (a), is deemed to have infringed the requirements to which it is obliged to adhere pursuant to the applicable law of the third country concerned when providing services to financial institutions in that third country, as well as the remedies and penalties applied;

      4. the regular transmission of updates on regulatory or supervisory developments on the monitoring of ICT third-party risk of financial institutions in the third country concerned;

      5. the details for allowing, if needed, the participation of one representative of the relevant third-country authority in the inspections conducted by the Lead Overseer and the designated team.

    1. When the Lead Overseer is not able to conduct oversight activities outside the Union, referred to in paragraphs 1 and 2, the Lead Overseer shall:

      1. exercise its powers under Article 35 on the basis of all facts and documents available to it;

      2. document and explain any consequence of its inability to conduct the envisaged oversight activities as referred to in this Article.

    2. The potential consequences referred to in point (b) of this paragraph shall be taken into consideration in the Lead Overseer’s recommendations issued pursuant to Article 35(1), point (d).
