Article 6 Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer

    1. As part of their supervision of financial entities, the competent authority shall assess the impact on the financial entities of the measures taken by the critical ICT third-party service provider based on the recommendations of the Lead Overseer in accordance with the principle of proportionality.

    2. When conducting the assessment referred to in paragraph 1, the competent authority shall take into account all of the following:

      1. the adequacy and the coherence of the corrective and remedial measures implemented by the financial entities to mitigate the risks identified in the recommendations;

      2. the assessment made by the Lead Overseer of the compliance of the critical ICT third-party service provider with the measures and actions included in the report where it has impacts on the exposure of the financial entities under its remit to the risks identified in the recommendations;

      3. the view of any other competent authorities who have been consulted in accordance with Article 42(5) of Regulation (EU) 2022/2554;

      4. whether the Lead Overseer has considered the actions and remedies implemented by the critical ICT third-party service provider as adequate to mitigate the exposure of the financial entities under its remit to the risks identified in the recommendations.

    3. Upon request from the Lead Overseer, the competent authority shall provide in reasonable time the results of the assessment set out in paragraph 1. When requesting the results of this assessment, the Lead Overseer shall consider the principle of proportionality and the magnitude of risks associated with the recommendations, including the cross-border impacts of these risks when impacting financial entities operating in more than one Member State.

    4. Where relevant, the competent authority shall request financial entities to provide any information necessary to carry out the assessment referred to in paragraph 1.
