Beta

Source: OJ L, 2025/295, 13.2.2025

EN

Article 3 Information from critical ICT third-party service providers after the issuance of recommendations

    1. The critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; shall provide to the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; a report containing a remediation plan in relation to the recommendations and remedies that the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; plans to implement in order to mitigate the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in the recommendations referred to in Article 35(1), point (d) of Regulation (EU) 2022/2254. The report shall be consistent with the timeline set by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; for each recommendation.

    1. To enable the monitoring of the implementation of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; in relation to the recommendations received, the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; shall share with the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; upon request:

      1. interim progress reports and related supporting documents specifying the progress of the implementation of the actions and measures set out in the report provided by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; to the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; within the timeline defined by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;;

      2. final reports and related supporting documents specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; in order to mitigate the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in the recommendations received.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod