Source: OJ L 333, 27.12.2022, p. 1–79
Digital Operational Resilience Act (DORA regulation)
Article 42 Follow-up by competent authorities
1. Within 60 calendar days of the receipt of the recommendations issued by the Lead Overseer pursuant to Article 35(1), point (d), critical ICT third-party service providers shall either notify the Lead Overseer of their intention to follow the recommendations or provide a reasoned explanation for not following such recommendations. The Lead Overseer shall immediately transmit this information to the competent authorities of the financial entities concerned.

2. The Lead Overseer shall publicly disclose where a critical ICT third-party service provider fails to notify the Lead Overseer in accordance with paragraph 1 or where the explanation provided by the critical ICT third-party service provider is not deemed sufficient. The information published shall disclose the identity of the critical ICT third-party service provider as well as information on the type and nature of the non-compliance. Such information shall be limited to what is relevant and proportionate for the purpose of ensuring public awareness, unless such publication would cause disproportionate damage to the parties involved or could seriously jeopardise the orderly functioning and integrity of financial markets or the stability of the whole or part of the financial system of the Union.

The Lead Overseer shall notify the ICT third-party service provider of that public disclosure.

3. Competent authorities shall inform the relevant financial entities of the risks identified in the recommendations addressed to critical ICT third-party service providers in accordance with Article 35(1), point (d).

When managing ICT third-party risk, financial entities shall take into account the risks referred to in the first subparagraph.

4. Where a competent authority deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party risk the specific risks identified in the recommendations, it shall notify the financial entity of the possibility of a decision being taken, within 60 calendar days of the receipt of such notification, pursuant to paragraph 6, in the absence of appropriate contractual arrangements aiming to address such risks.

5. Upon receiving the reports referred to in Article 35(1), point (c), and prior to taking a decision as referred to in paragraph 6 of this Article, competent authorities may, on a voluntary basis, consult the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider.

6. Competent authorities may, as a measure of last resort, following the notification and, if appropriate, the consultation as set out in paragraphs 4 and 5 of this Article, in accordance with Article 50, take a decision requiring financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party service provider until the risks identified in the recommendations addressed to critical ICT third-party service providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers.

7. Where a critical ICT third-party service provider refuses to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseer, and such a divergent approach may adversely impact a large number of financial entities, or a significant part of the financial sector, and individual warnings issued by competent authorities have not resulted in consistent approaches mitigating the potential risk to financial stability, the Lead Overseer may, after consulting the Oversight Forum, issue non-binding and non-public opinions to competent authorities, in order to promote consistent and convergent supervisory follow-up measures, as appropriate.

8. Upon receiving the reports referred to in Article 35(1), point (c), competent authorities, when taking a decision as referred to in paragraph 6 of this Article, shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:

(a) the gravity and the duration of the non-compliance;

(b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider's procedures, management systems, risk management and internal controls;

(c) whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance;

(d) whether the non-compliance has been intentional or negligent;

(e) whether the suspension or termination of the contractual arrangements introduces a risk for continuity of the financial entity's business operations notwithstanding the financial entity's efforts to avoid disruption in the provision of its services;

(f) where applicable, the opinion of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider, requested on a voluntary basis in accordance with paragraph 5 of this Article.

Competent authorities shall grant financial entities the necessary period of time to enable them to adjust the contractual arrangements with critical ICT third-party service providers in order to avoid detrimental effects on their digital operational resilience and to allow them to deploy exit strategies and transition plans as referred to in Article 28.

9. The decision referred to in paragraph 6 of this Article shall be notified to the members of the Oversight Forum referred to in Article 32(4), points (a), (b) and (c), and to the JON (Joint Oversight Network).

The critical ICT third-party service providers affected by the decisions provided for in paragraph 6 shall fully cooperate with the financial entities impacted, in particular in the context of the process of suspension or termination of their contractual arrangements.

10. Competent authorities shall regularly inform the Lead Overseer on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual arrangements concluded by financial entities where critical ICT third-party service providers have not endorsed in part or entirely recommendations addressed to them by the Lead Overseer.

11. The Lead Overseer may, upon request, provide further clarifications on the recommendations issued to guide the competent authorities on the follow-up measures.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.