Source: OJ L, 2025/295, 13.2.2025
ENRTS on harmonisation for oversight conduct
Commission Delegated Regulation (EU) 2025/295
of 24 October 2024
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council
with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011(1)OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj., and in particular Article 41(2), second subparagraph, thereof,
Whereas:
Recital 1 Union oversight framework for critical ICT third-party service providers
The framework on digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; for the financial sector established by Regulation (EU) 2022/2554 introduces a Union oversight framework for the information and communication technology (ICT) third-party service providers to the financial sector designated as critical in accordance with Article 31 of that Regulation.
Recital 2 Voluntary designation as critical
An ICT third-party service provider means an undertaking providing ICT services; which decides to submit a voluntary request to be designated as critical should provide the receiving European Supervisory Authority (ESAEuropean Supervisory Authority) with all the necessary information to demonstrate its criticality according to the principles and criteria set out in Regulation (EU) 2022/2554. For this reason, the information to be included in the voluntary request application should be sufficiently detailed and complete to enable a clear and complete assessment of criticality under Article 31(11) of that Regulation. The relevant ESAEuropean Supervisory Authority should reject any incomplete application and request the missing information.
Recital 3 Legal identification of critical ICT third-party service providers
The legal identification of ICT third-party service providers means an undertaking providing ICT services; within the scope of this Regulatory Technical Standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). should be aligned with the identification code set out in Commission Implementing Regulation adopted in accordance with Article 28(9) from Regulation (EU) 2022/2554.
Recital 4 Follow-up of Lead Overseer's recommendations
As a follow-up to the recommendations issued by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should monitor critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;’ compliance with the recommendations. With a view to ensure efficient and effective monitoring of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; in relation to these recommendations, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should be able to require the reports referred to in Article 35(1), point (c), of Regulation (EU) 2022/2554, which should be intended as interim progress reports and final reports.
Recital 5 Lead Overseer's assessment of remediation plans
For the purpose of the assessment specified in Article 42(1) of Regulation (EU) 2022/2554, according to which Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; is obliged to evaluate whether the explanation provided by critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; is sufficient, the notification to the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; of its intention to follow the recommendations received should be complemented by a description of the actions and measures that have been taken to mitigate the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; outlined in the recommendations, along with their respective deadlines. Such explanation should take the form of a remediation plan.
Recital 6 Template for subcontracting arrangements
As the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; is expected to assess the subcontracting arrangements of the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31;, a template needs to be developed for providing information on those arrangements. The template should take into account the fact that the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; have different structures than financial entitiesas defined in Article 2, points (a) to (t).
Recital 7 Information sharing after issuing recommendations
Once the recommendations to a critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; are issued by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;, and competent authoritiesas defined in Article 46 have informed the relevant financial entitiesas defined in Article 2, points (a) to (t) of the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in that recommendations, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should monitor and assess the implementation by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; of the actions and remedies to comply with the recommendations. Competent authoritiesas defined in Article 46 should monitor and assess the extent to which the financial entitiesas defined in Article 2, points (a) to (t) are exposed to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in these recommendations. With a view to maintain a level playing field while carrying out their respective tasks, particularly when the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in the recommendations are severe and shared among a large number of financial entitiesas defined in Article 2, points (a) to (t) in multiple Member States, both the competent authoritiesas defined in Article 46 and the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should share among each other any relevant findings which are necessary for them to carry out their respective tasks. The objective of the information sharing is to ensure that the feedback of the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; in relation to the actions and remedies the latter is implementing takes into account the impact on the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of the financial entitiesas defined in Article 2, points (a) to (t), and that the supervisory activities performed by the competent authoritiesas defined in Article 46 are informed by the assessment carried out by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;.
Recital 8 Risk assessments by competent authorities
To allow for an efficient and effective sharing of information, the competent authoritiesas defined in Article 46 should assess, as part of their supervisory activities, the extent to which the financial entitiesas defined in Article 2, points (a) to (t) supervised by them are exposed to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in the recommendations. This assessment should be carried out in a proportionate and risk-based manner. The Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should request the competent authoritiesas defined in Article 46 to share the results of this assessment in the specific cases when the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the recommendations are severe and shared among a large number of financial entitiesas defined in Article 2, points (a) to (t) in multiple Member States. To make the best use of the resources of the competent authoritiesas defined in Article 46, when asking to provide the results of this assessment, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should always take into account that the objective of these requests is to evaluate the implementation of actions and remedies of the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;.
Recital 9 Processing of personal data
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(2)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered an opinion on 22 July 2024.
Recital 10 Draft regulatory technical standards from ESAs
This Regulation is based on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). submitted to the Commission by the ESAsEuropean Supervisory Authority.
Recital 11 Open public consultations
The Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; of the ESAsEuropean Supervisory Authority has conducted open public consultations on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). upon which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(3)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., the Insurance and Reinsurance Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the Occupational Pensions Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(4)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj)., and the Securities and Markets Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(5)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).,
HAS ADOPTED THIS REGULATION:
- Article 1Information to be provided by ICT third-party service provider in the application to be designated as critical
- Article 2Content, structure and format of the information to be submitted, disclosed or reported by critical ICT third-party service providers
- Article 3Information from critical ICT third-party service providers after the issuance of recommendations
- Article 4Structure and format of information provided by critical ICT third-party service providers
- Article 5Template for providing information on subcontracting arrangements
- Article 6Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer
- Article 7Entry into force
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 24 October 2024.
For the Commission
The President
Ursula VON DER LEYEN