Preamble Recitals

---

The oversight framework established by Regulation (EU) 2022/2554 should be built on a structured and continuous cooperation between the European Supervisory Authorities (ESAsEuropean Supervisory Authority) and the competent authoritiesas defined in Article 46 through the Oversight Foruma sub-committee of the Joint Committee for the purposes of supporting the work of the Joint Committee and of the Lead Overseer in the area of ICT third-party risk across financial sectors and the joint examination teams.

The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 should ensure that their staff members that are to be appointed as members of the joint examination team referred to in Article 40(1) of that Regulation has the technical expertise required in the profiles needed in the joint examination teams. The demonstration that an authority does not have staff meeting the specific technical expertise needed in the joint examination teams should be considered by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; as a justification to discharge, at that point in time, the authorities of their obligation to nominate staff members to the joint examination teams. In that case, the authority should nevertheless commit on the best effort basis to address that shortfall of expertise and try to reinforce its capabilities to contribute to the joint examination teams in the context of the next exercise.

Staff members of the authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 that are designated as members of a joint examination team as referred to in Article 40(1) of that Regulation should continue to be employees of the nominating authority and therefore subject to working hours and permanent location of work as included in their employment contracts.

To ensure the most effective use of resources in the execution of oversight activities, members of joint examination teams should be able to be part of several joint examination teams and to oversee multiple critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;. The number of the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; to be assigned to a specific member of joint examination team, and overall staffing needs of the joint examination teams, should take into account the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile of the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; and the envisaged level of intensity of oversight activities. That possibility to oversee multiple critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; is taken into account in the strategic multi-annual oversight plan, updated annually by the Lead Overseers means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to the extent necessary, and reflected into the individual annual oversight plan. To ensure the reliability of the planned and ongoing commitment of resource staffing of the joint examination teams by the nominating authorities, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should consult both the Joint Oversight Network and the Oversight Foruma sub-committee of the Joint Committee for the purposes of supporting the work of the Joint Committee and of the Lead Overseer in the area of ICT third-party risk across financial sectors on the strategic multi-annual oversight plan.

The Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should apply a combination of criteria and principles when identifying the number of staff members in each joint examination team and the resulting composition. Given the diverse technological and geographical footprint and the use made by various financial entitiesas defined in Article 2, points (a) to (t) of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, those criteria and principles should take into account the technical nature of the oversight tasks, the different grade of dependency of financial entitiesas defined in Article 2, points (a) to (t) on the services provided by the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, the geographical distribution, the size and the number of financial entitiesas defined in Article 2, points (a) to (t) relying on those services and, where possible, a proportionate cross-sectoral representation. In performing that task, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should rely on the information provided by the competent authoritiesas defined in Article 46 in the context of the designation of the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, including information needed for all the sub-criteria as laid down in Commission Delegated Regulation (EU) 2024/1502 (²)Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities (OJ L, 2024/1502, 30.5.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1502/oj). and consider the criticality of the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; for the provisioning of specific financial services both at Member State and Union level.

To ensure that the structure and the composition of the joint examination teams are fit for purpose and to ensure the efficiency and effectiveness of the Oversight Framework continuously, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and the members of the joint examination teams should periodically assess the achievements of the joint examination teams. The Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and the nominating authorities should use those assessments to verify whether the members of the joint examination teams are still fit for performing their tasks and make changes to the membership of the joint examination teams, where appropriate.

In order to ensure that the members of the joint examination teams work as a single team and oversight activities are conducted in a consistent manner, the ESAsEuropean Supervisory Authority should specify the oversight procedures to be followed by the members of the joint examination teams and the Lead Overseer coordinatordefined in-line in the performance of their duties.

Since the oversight tasks involve the processing of confidential information, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should grant members of the joint examination team access to such information and to the relating IT (including tools, applications and datasets) and non-IT (including policy, procedures and documentation) resources on a need-to-know basis and within the specified scope of their assignments if that is necessary for members of the joint examination team to assist the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; in the fulfilment of its statutory functions or tasks. When laying down arrangements between the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and the competent authoritiesas defined in Article 46 to implement this Regulation, consistent with Commission Delegated Regulation (EU) 2024/1505 (³)Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid (OJ L, 2024/1505, 30.5.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1505/oj)., to ensure the proper financing of the costs associated to the resources provided by the nominating authorities, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should include in such arrangements a section detailing the procedure of reimbursement of the direct and indirect costs of all nominating authorities involved in the joint examination teams. Furthermore, to ensure a transparent and trustworthy execution of the oversight activities, those arrangements should also ensure that the members of the joint examination teams are free from any conflict of interests while performing their duties.

This Regulation is based on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). submitted to the European Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority.

The Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (⁴)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (⁵)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj). and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (⁶)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj). has conducted open public consultations on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). on which this Regulation is based, analysed the potential costs and benefits of the proposed standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and requested advice of the Banking Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the Occupational Pensions Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1095/2010,