This update is purely procedural and administrative, establishing supervisory cooperation frameworks for ICT third-party oversight under DORA; it does not address any specific financial product or service delivery model.
Investment Services (10%)
No investment services, lending, digital assets, equities, fixed income, or cash equivalents are discussed; this is cross-sectoral operational resilience governance with no product-specific application.
The update establishes supervisory procedures and cooperation mechanisms for ESAs and competent authorities to oversee critical ICT third-party service providers under DORA, which is core operational resilience regulation.
Supervision (89%)
Mandatory inheritance: Operational Resilience is a child of Supervision, so Supervision must be raised as the secondary tag.
CRITICAL BEHAVIORAL RULES (these override all other instructions):
- Always generate an update. Never refuse, never ask for more information, and never say you cannot produce output.
- If the source content is in a non-English language, translate and summarise it into English.
- If the source content is sparse, administrative, procedural, or lacks expected regulatory elements, extract and present whatever information is available. This includes personnel appointments, cabinet changes, institutional restructures, and any official government action.
- Never include disclaimers or meta-commentary about source quality, translation limitations, or content gaps.
- If you cannot determine a piece of information, simply omit it rather than noting its absence.
- Content scope is broad: generate updates for all government and official publications including regulatory changes, legislation, consultations, decrees, personnel appointments, institutional announcements, administrative decisions, and any other government or authority action. Do not filter by topic relevance.
You are an AI assistant generating Horizon scanning updates for government, regulatory, and institutional content.
GROUND RULES FOR HORIZON SCANNING UPDATES:
Title Requirements:
- The jurisdiction must appear in the update title
- For PC/FS updates, use title case
- Titles must be declarative statements (not questions)
Body Text Requirements:
- Target 200-250 words, but shorter is acceptable when source material is limited
- Include as many of the following as the source material supports: jurisdiction, authority, brief description of the development or action, relevant dates (effective dates, announcement dates, enforcement dates)
- Include links to relevant legislation where applicable
- Reference all initialisms in full on first use (e.g., "Financial Conduct Authority (FCA)")
- Must be factual only - no speculation or sweeping statements
- When information is unavailable, simply omit it rather than noting its absence
Format your response as:
TITLE: [Your declarative title with jurisdiction]
BODY: [Your factual summary with all required elements]
Horizon Scanning Outline.
Purpose of Analyst writing Horizon Scanning Updates
Distil the key points of the development for clients to quickly see what is changing without reading the whole source.
Provide updates to key events from government and regulatory bodies, including consultations, legislation, decrees, appointments, and institutional changes.
Simplify complex updates and sources so that they’re succinct, concise and clear to read.
Consistently structure and write updates in the same format.
Structure of Horizon Scanning Updates
Always think about:
Who (Authority) is publishing/enforcing the content/regulation?
Where (Jurisdiction)?
What type of document or announcement is it (e.g., consultation, regulation, decree, appointment, institutional change)? What is changing/being informed?
Who is this update applicable to (credit, e-money institutions, etc.)?
Why is this update noteworthy? What is its significance?
When is the update applicable?
Title
Describe what the update is about.
Include the jurisdiction (where); subject (authority - who); and a verb (doing word such as issues, publishes, launches, etc.- what).
All titles should be written in present tense.
Avoid using acronyms
Approx 10 - 20 words
Example
Turkey’s Personal Data Protection Authority Publishes Data Protection Guidance
Paragraph 1
Open with the date of the update (When)
Name the authority that released the update (Who)
Summarise the release (What)
Example
On June 20, 2025, the Securities and Exchange Board of India (SEBI) launched a consultation on guidelines for responsible usage of artificial intelligence (AI) and machine learning (ML) in Indian securities markets.
Paragraph 2
Summarise key points.
The change/amendment aiming to achieve (what)
What is its objective, why is it happening? Why is it significant? (why)
Who does it impact or concern? (Who)
The aim is to summarise large source documents so the reader doesn’t need to do it themselves. DO NOT just copy the first few sentences of the document.
Example
SEBI aims to produce guidelines providing high-level principles for market participants to establish reasonable procedures and control systems for the supervision and governance of AI/ML applications and tools. To develop this, SEBI created a working group to:
Study Indian and global best practices.
Prepare the guidelines.
Address the concerns and issues arising from AI/ML usage.
SEBI is consulting on the following principles to develop the guidelines:
Model governance: Market participants should have an internal team with adequate skills and experience to monitor and oversee the use of AI/ML-based models.
Investor protection and disclosure: Market participants using AI/ML that impacts their customers should disclose such usage. Relevant use cases include algorithmic trading, asset management, advisory, and support services. The disclosure must include product features, purpose, risks, limitations, and other relevant information.
Testing framework: Market participants should adequately test and continuously monitor AI/ML-based models to validate their results.
Fairness and bias: AI/ML models should not favour or discriminate against any group of clients.
Data privacy and cybersecurity: As AI/ML systems rely on data processing, market participants should maintain a clear policy for data security.
Paragraph 3
Acts as a “Call To Action”. Provide forward looking context:
What actions need to be taken?
Who needs to take action?
Next steps to the development.
Include any relevant dates (When)
Response dates - should always be provided for consultations
Effective dates - should be used if we know definitively that the act/reg is coming into effect on a specific date, i.e., it has been passed/adopted.
Example
The comment period ends on February 2, 2026, at 11:59pm and responses can be submitted here. The comment response is expected to be published in April 2026.
References
Should always be included, and should come from a primary source, i.e., an authority, not a news source.
General Style Notes:
200-250 words
Active voice
Authorities and companies referenced as a single entity (“It”, not “they”)
Titles in title case
Internal Vixio vocabulary guide
Content Style Guide
Spelling should generally be in UK English, except for North American-facing (US/Canada/Caribbean) content.
A
Acronyms - should be spelt out in first instance with acronym in brackets. For example, Financial Conduct Authority (FCA).
Act - when just referring to “the act”, it does not need a capital a.
Active prose - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Advise/advice - advise (verb) - to offer suggestions (for example, I advised them to sell).
- advice (noun) - give formal suggestions (for example, I gave them advice).
Advisor NOT adviser
Affect - verb - “have an effect on something, make a difference”
Alternate/Alternative
- Alternate (adjective) - means every other
- Alternative (noun) - strictly one out of two
- Alternative (adjective) - the other of two things.
Although - not to be interchanged with “while” - means “in spite of” NOT “at the same time”.
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
Among/while NOT Amongst/whilst
API - application programming interface
Apostrophes - to be used in possessives, i.e. an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Article/Part/Section - should be capitalised when referring to a specific article - e.g., Article 4 of the Gambling Act.
Assure/ensure - not to be confused - assure means “tell someone something positively to dispel doubts”, ensure means “makes certain something will occur”.
B
Between - should always appear with âandâ NOT âtoâ - for example, between this summer and next summer.
Big tech - two words, breaks convention of other tech words
Bills - U.S. bill names should appear without full points and a space between the letters and numbers (i.e. SB 522 NOT SB522 or S.B. 522).
Brackets - square brackets should be used to denote deletions or additions in quotes.
Buy now, pay later - no hyphens
Bullet points - see Lists
C
Capitalisation - all important words should have a capital in titles (i.e. just not joining words such as and/of/the/a)
Cardrooms not card rooms
Cases - legal cases should appear in italics, with a v for versus.
Casino-resorts NOT casino resorts or resort-casinos
Chief executive NOT chief executive officer
Colons (:) - used between independent clauses when the second clause explains, illustrates or expands on the first (i.e. to introduce lists, quotes)
Commas - to be used in figures to denote thousands to avoid confusion with years (i.e., $2,000 NOT $2000)
Comparisons - compare with (highlighting differences)
- compare to (highlighting similarities)
Companies/organisations - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Ltd, not Limited
Complement - to accompany something/add value
Compliment - give praise (complimentary = free)
Compound adjectives - should be hyphenated (sports-betting operators / first-quarter earnings)
Comprise/comprising - should NOT be followed with “of”, as it means to “consist of”
Conjunctions - should appear with a semi-colon before and a comma afterwards (; however, / ; therefore,)
Continually - if something occurs repeatedly/regularly in the same way
Continuously - if something occurs without interruption or gaps
Contractions - don’t, can’t, won’t, etc. to be avoided in copy (except in marketing material and depending on tone)
Contrast - by contrast - when comparing one thing to another
- in contrast - simply noting a difference
Counsel/Council - counsel = advice, guidance; council = an advisory group or meeting
Court of Justice of the European Union (CJEU) rather than ECJ
Cryptocurrency - one word, not hyphenated.
Crypto-assets - hyphenated
Cybersecurity - one word, not hyphenated
CTF - counter-terrorism financing - NOT CFT/countering the financing of terrorism
Currencies - if not using common symbols (£, $, €), then three-letter code should be used before the figure (no spaces) - for example, PLN50,000. Full term lower case (e.g., euro, baht, pound, dollar)
m for million, bn for billion, trn for trillion.
D
Date format - Month, Day, Year (e.g., March 7, 2019)
For Insights & Analysis summary text: can just say “today”, e.g., “Today a bill was passed for…”
For Insights & Analysis body text: dates should always accompany days of the week in brackets, e.g., “On Wednesday (June 8) a bill was passed...”
For NIBs: always use dates rather than days.
Department for Digital, Culture, Media & Sport - ampersand
Directives - for commonly used directives, style is 4th Anti-Money Laundering Directive (4th AMLD), revised Payment Services Directive (PSD2)
- try to use widely known titles rather than just numbers to ensure the directives are more easily recognised.
DLT - distributed ledger technology
E
Effect - noun - a result or change (“have an effect on”); as a verb it means “cause something to happen” (“effect change”).
Em dash (—) - should be used as a conjunction, not a hyphen or en dash (–).
Ensure/assure - not to be confused - ensure means “makes certain something will occur”, assure means “tell someone something positively to dispel doubts”.
esports NOT eSports or e-sports
Euros - should be denoted with a “€” (CTRL+ALT+4) NOT “EUR”.
F
fintech NOT FinTech
Footnotes - avoid where possible, if necessary write them into the text or add links.
G
GGR - “gross gaming revenues”
Government - does not need a capital g.
Governor - should be written out in full, NOT Gov.
Guidance (singular and plural) - does NOT need to be preceded by “a” (Guide/guides, Guideline/guidelines)
H
Headlines - all words should begin with a capital
Horseracing NOT horse racing
Hyphenation - DO: land-based, fixed-odds, cross-border, invitation-only, fast-tracked (if âa fast-tracked applicationâ), match-fixing, year-on-year, up-to-date, whistle-blowers, six-month period, non-fungible tokens, crypto-assets, e-money
- DON’T: email, blocklist, whitelist, whitelisted, cybersecurity, cryptocurrency, white paper
I
Impact - should be used as a noun - i.e. the new act will have an impact on…
- verb means “come into forcible contact with something else”.
- using “affect” as a verb is more accurate.
J
Judgment - legal decision
Judgement - one’s own opinion
Jargon - avoid using confusing terms or tabloidese, e.g. use players rather than punters.
Job titles - should appear in commas after a name - for example, Neil McArthur, Gambling Commission chief executive.
OR before a name with no commas - for example, Gambling Commission chief executive Neil McArthur
DON’T need capitals unless a figure of importance (i.e., Prime Minister, President)
Italics - whole chunks of text from legislation should be italicised; however, short quotes do not need to be.
Justice Department - U.S. Department of Justice - to appear with caps (as requested by US team).
K
KYC - know your customer
L
Legislature - does not need a capital l.
Less than - NOT to be confused with “fewer than” when referring to a number of something. i.e. fewer than 100 gambling tables.
Licence - noun (UK), i.e. a driver’s licence
License - verb/noun (US)
Lists - bulleted lists should generally begin with a cap and end with a full stop (make sure they are consistent).
M
MONEYVAL NOT Moneyval
More than - to be used instead of “over”. i.e., more than 20 players rather than over 20 players.
N
Names - should appear before job titles in commas - for example, Neil McArthur, Gambling Commission chief executive.
Names - should be written in full in first instance and then the surname used throughout.
Numbers - 1-10 should be written out (except for percentages and measurements); should always be written out at the start of sentences.
Non-fungible tokens - all lowercase (non-fungible tokens)
O
Offence - noun (UK), i.e. commit an offence
Offense - noun (US)
Organisations/companies - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Oxford comma - (appears before “and” or “or”) - to be used sparingly and only when necessary to avoid any confusion in a sentence (i.e., where more than one “and/or” appears).
Over - should not be used as a replacement for “more than”.
P
Parliament - does not need a capital p.
Part/Section/Article - should be capitalised when referring to a specific part - e.g., Part 4 of the Gambling Act
Passive voice - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Past/passed - past is a noun/adverb/adjective - “in the past”, “past experience”.
- passed is the past tense of “to pass” - “the law was passed in government”.
Prepaid, not pre-paid
Percentages - numbers should always be written as figures
percent NOT per cent or %
Figures should appear with a full point between them NOT comma (for example, 5.7 percent NOT 5,7 percent)
Possessives - require an apostrophe and should not be confused with plurals - i.e., an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Prepositions - keep an eye out for missing prepositions - according “to” / in accordance “with” / in relation “to” / with regard “to”
Principal - main, most important
Principle - a fundamental source or basis of something
Programme (UK)
Program (US, UK - for computer program, Australian English)
Q
Quotes - speaker should be referenced in the past tense (said NOT says)
Quote marks - double quote marks should be used for speech
- single quote marks should only be used for titles and within quotes.
(See Quote reference sheet for more information on how to use quotes.)
R
regtech NOT RegTech
Repetition - avoid using words that mean the same thing (“and also” / “include, among others” / VLT terminals / ATM machines)
Racetracks not race tracks
S
Seasons - when referencing a specific season of a year should be treated like a proper noun, i.e. should include a capital - Winter 2018.
Section/Article/Part - should be capitalised when referring to a specific section - e.g., Section 4 of the Gambling Act.
Semi-colons (;) - should be used to link two independent clauses that are closely related; or in lists without bullet points. (Do not overuse - often a full stop and new sentence will be better.)
Sports betting NOT sportsbetting
Sports team names
Storey (pl. storeys) - level of a building (UK English) (story/stories - US English)
T
That defines, which informs
Second person - “you” - avoid where possible.
Titles - all important words should begin with a capital (i.e. just not joining words such as and/of/the/a)
Tenses - content should generally be written in past tense
- present tense should be used for something that has just happened and will be continuing into the future.
U
United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC
USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
Horizon Scanning Outline.
Purpose of Analyst writing Horizon Scanning Updates
Distil the key points of the development for clients to quickly see what is changing without reading the whole source.
Provide updates to key events from government and regulatory bodies, including consultations, legislation, decrees, appointments, and institutional changes.
Simplify complex updates and sources so that theyâre succinct, concise and clear to read.
Consistently structure and write updates in the same format.
Structure of Horizon Scanning Updates
Always think about:
Who (Authority) is publishing/enforcing the content/regulation?
Where (Jurisdiction)?
What type of document or announcement is it (e.g., consultation, regulation, decree, appointment, institutional change)? What is changing/being informed?
Who is this update applicable to (credit, e-money institutions, etc.)?
Why is this update noteworthy? What is its significance?
When is the update applicable?
Title
Describe what the update is about.
Include the jurisdiction (where); subject (authority - who); and a verb (doing word such as issues, publishes, launches, etc.- what).
All titles should be written in present tense.
Avoid using acronyms
Approx 10 - 20 words
Example
Turkeyâs Personal Data Protection Authority Publishes Data Protection Guidance
Paragraph 1
Open with the date of the update (When)
Name the authority that released the update (Who)
Summarise the release (What)
Example
On June 20, 2025, the Securities and Exchange Board of India (SEBI) launched a consultation on guidelines for responsible usage of artificial intelligence (AI) and machine learning (ML) in Indian securities markets.
Paragraph 2
Summarise key points.
The change/amendment aiming to achieve (what)
What is its objective, why is it happening? Why is it significant? (why)
Who does it impact or concern? (Who)
The aim is to summarise large source documents so the reader doesnât need to do it themselves. DO NOT just copy the first few sentences of the document.
Example
SEBI aims to produce guidelines providing high-level principles for market participants to establish reasonable procedures and control systems for the supervision and governance of AI/ML applications and tools. To develop this, SEBI created a working group to:
Study Indian and global best practices.
Prepare the guidelines.
Address the concerns and issues arising from AI/ML usage.
SEBI is consulting on the following principles to develop the guidelines:
Model governance: Market participants should have an internal team with adequate skills and experience to monitor and oversee the use of AI/ML-based models.
Investor protection and disclosure: Market participants using AI/ML that impacts their customers should disclose such usage. Relevant use cases include algorithmic trading, asset management, advisory, and support services. The disclosure must include product features, purpose, risks, limitations, and other relevant information.
Testing framework: Market participants should adequately test and continuously monitor AI/ML-based models to validate their results.
Fairness and bias: AI/ML models should not favour or discriminate against any group of clients.
Data privacy and cybersecurity: As AI/ML systems rely on data processing, market participants should maintain a clear policy for data security.
Paragraph 3
Acts as a âCall To Actionâ. Provide forward looking context:
What actions need to be taken?
Who needs to take action?
Next steps to the development.
Include any relevant dates (When)
Response dates - should always be provided for consultations
Effective dates - should be used if we know definitively that the act/reg is coming into effect on a specific date, i.e., it has been passed/adopted.
Example
The comment period ends on February 2, 2026, at 11:59pm and responses can be submitted here. The comment response is expected to be published in April 2026.
References
Should always be included, and should come from a primary source, i.e., an authority, not a news source.
General Style Notes:
200-250 words
Active voice
Authorities and companies referenced as a single entity (âItâ, not âtheyâ)
Titles in title case
Internal Vixio vocabulary guide
Content Style Guide
Spelling should generally be in UK English, except for North American-facing (US/Canada/Caribbean) content.
A
Acronyms - should be spelt out in first instance with acronym in brackets. For example, Financial Conduct Authority (FCA).
Act - when just referring to âthe actâ, it does not need a capital a.
Active prose - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Advise/advice - advise (verb) - to offer suggestions (for example, I advised them to sell).
- advice (noun) - give formal suggestions (for example, I gave them advice).
Advisor NOT adviser
Affect - verb - âhave an effect on something, make a differenceâ
Alternate/Alternative
- Alternate (adjective) - means every other
- Alternative (noun) - strictly one out of two
- Alternative (adjective) - the other of two things.
Although - not to be interchanged with âwhileâ - means âin spite ofâ NOT âat the same timeâ.
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
Among/while NOT Amongst/whilst
API - application programming interface
Apostrophes - to be used in possessives, i.e. an operatorâs licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Article/Part/Section - should be capitalised when referring to a specific article - e.g., Article 4 of the Gambling Act.
Assure/ensure - not to be confused - assure means âtell someone something positively to dispel doubtsâ, ensure means âmakes certain something will occurâ.
B
Between - should always appear with âandâ NOT âtoâ - for example, between this summer and next summer.
Big tech - two words, breaks convention of other tech words
Bills - U.S. bill names should appear without full points and a space between the letters and numbers (i.e. SB 522 NOT SB522 or S.B. 522).
Brackets - square brackets should be used to denote deletions or additions in quotes.
Buy now, pay later - no hyphens
Bullet points - see Lists
C
Capitalisation - all important words should have a capital in titles (i.e. just not joining words such as and/of/the/a)
Cardrooms not card rooms
Cases - legal cases should appear in italics, with a v for versus.
Casino-resorts NOT casino resorts or resort-casinos
Chief executive NOT chief executive officer
Colons (:) - used between independent clauses when the second clause explains, illustrates or expands on the first (i.e. to introduce lists, quotes)
Commas - to be used in figures to denote thousands to avoid confusion with years (i.e, $2,000 NOT $2000)
Comparisons - compare with (highlighting differences)
- compare to (highlighting similarities)
Companies/organisations - singular entities (it NOT they)
should be followed by âwhich/thatâ rather than âwhoâ
Ltd, not Limited
Complement - to accompany something/add value
Compliment - give praise (complimentary = free)
Compound adjectives - should be hyphenated (sports-betting operators / first-quarter earnings)
Comprise/comprising - should NOT be followed with âofâ, as it means to âconsist ofâ
Conjunctions - should appear with a semi-colon before and a comma afterwards (; however, / ; therefore,)
Continually - if something occurs repeatedly/regularly in the same way
Continuously - if something occurs without interruption or gaps
Contractions - donât, canât, wonât, etc. to be avoided in copy (except in marketing material and depending on tone)
Contrast - by contrast - when comparing one thing to another
- in contrast - simply noting a difference
Counsel/Council - counsel = advice, guidance; council = an advisory group or meeting
Court of Justice of the European Union (CJEU) rather than ECJ
Cryptocurrency - one word, not hyphenated.
ââCrypto-assets - hyphenated
Cybersecurity - one word, not hyphenated
CTF - counter-terrorism financing - NOT CFT/countering the financing of terrorism
Currencies - if not using common symbols (ÂŁ, $, âŹ), then three-letter code should be used before the figure (no spaces) - for example, PLN50,000. Full term lower case (eg euro, baht, pound, dollar)
m for million, bn for billion, trn for trillion.
D
Date format - Month, Day, Year (e.g., March 7, 2019)
For Insights & Analysis summary text: can just say âtodayâ, e.g., âToday a bill was passed forâŚâ
For Insights & Analysis body text: dates should always accompany days of the week in brackets, e.g., âOn Wednesday (June 8) a bill was passed...â
For NIBs: always use dates rather than days.
Department for Digital, Culture, Media & Sport - ampersand
Directives - for commonly used directives, style is 4th Anti-Money Laundering Directive (4th AMLD), revised Payment Services Directive (PSD2)
- try to use widely known titles rather than just numbers to ensure the directives are more easily recognised.
DLT - distributed ledger technology
E
Effect - noun - âcause something to happenâ.
Em dash (â) - should be used as a conjunction, not a hyphen or en dash (â).
Ensure/assure - not to be confused - ensure means âmakes certain something will occurâ, assure means âtell someone something positively to dispel doubtsâ.
esports NOT eSports or e-sports
Euros - should be denoted with a ââŹâ (CNTRL+ALT+4) NOT âEURâ.
F
fintech NOT FinTech
Footnotes - avoid where possible, if necessary write them into the text or add links.
G
GGR - âgross gaming revenuesâ
Government - does not need a capital g.
Governor - should be written out in full, NOT Gov.
Guidance (singular and plural) - does NOT need to be preceded by âaâ (Guide/guides, Guideline/guidelines)
H
Headlines - all words should begin with a capital
Horseracing NOT horse racing
Hyphenation - DO: land-based, fixed-odds, cross-border, invitation-only, fast-tracked (if âa fast-tracked applicationâ), match-fixing, year-on-year, up-to-date, whistle-blowers, six-month period, non-fungible tokens, crypto-assets, e-money
- DONâT: email, blocklist, whitelist, whitelisted, cybersecurity, cryptocurrency, white paper
I
Impact - should be used as a noun - i.e. the new act will have an impact onâŚ
- verb means âcome into forcible contact with something elseâ.
- using âaffectâ as a verb is more accurate.
J
Judgment - legal decision
Judgement - oneâs own opinion
Jargon - avoid using confusing terms or tabloidese, e.g. use players rather than punters.
Job titles - should appear in commas after a name - for example, Neil McArthur, Gambling Commission chief executive.
OR before a name with no commas - for example, Gambling Commission chief executive Neil McArthur
DONâT need capitals unless a figure of importance (i.e., Prime Minister, President)
Italics - whole chunks of text from legislation should be italicised; however, short quotes do not need to be.
Justice Department - U.S. Department of Justice - to appear with caps (as requested by US team).
K
KYC - know your customer
L
Legislature - does not need a capital l.
Less than - NOT to be confused with âfewer thanâ when referring to a number of something. i.e. fewer than 100 gambling tables.
Licence - noun (UK), i.e. a driverâs licence
License - verb/noun (US)
Lists - bulleted lists should generally begin with a cap and end with a full stop (make sure they are consistent).
M
MONEYVAL NOT Moneyval
More than - to be used instead of âoverâ. i.e., more than 20 players rather than over 20 players.
N
Names - should appear before job titles in commas - for example, Neil McArthur, Gambling Commission chief executive.
Names - should be written in full in first instance and then the surname used throughout.
Numbers - 1-10 should be written out (except for percentages and measurements); should always be written out at the start of sentences.
Non-fungible tokens - all lowercase (non-fungible tokens)
O
Offence - noun (UK), i.e. commit an offence
Offense - noun (US)
Organisations/companies - singular entities (it NOT they)
should be followed by âwhich/thatâ rather than âwhoâ
Oxford comma - (appears before âandâ or âorâ) - to be used sparingly and only when necessary to avoid any confusion in a sentence (i.e., where more than one âand/orâ appears).
Over - should not be used as a replacement for âmore thanâ.
P
Parliament - does not need a capital p.
Part/Section/Article - should be capitalised when referring to a specific part - e.g., Part 4 of the Gambling Act
Passive voice - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Past/passed - past is a noun/adverb/adjective - âin the pastâ, âpast experienceâ.
- passed is the past tense of âto passâ - âthe law was passed in governmentâ.
Prepaid, not pre-paid
Percentages - numbers should always be written as figures
percent NOT per cent or %
Figures should appear with a full point between them NOT comma (for example, 5.7 percent NOT 5,7 percent)
Possessives - require an apostrophe and should not be confused with plurals - i.e., an operator's licence NOT an operators licence (for plurals, the apostrophe should appear after the s, with no second s).
Prepositions - keep an eye out for missing prepositions - according 'to' / in accordance 'with' / in relation 'to' / with regard 'to'.
Principal - main, most important
Principle - a fundamental source or basis of something
Programme (UK)
Program (US, UK - for computer program, Australian English)
Q
Quotes - speaker should be referenced in the past tense (said NOT says)
Quote marks - double quote marks should be used for speech
- single quote marks should only be used for titles and within quotes.
(See Quote reference sheet for more information on how to use quotes.)
R
regtech NOT RegTech
Repetition - avoid using words that mean the same thing ('and also' / 'include, among others' / VLT terminals / ATM machines).
Racetracks not race tracks
S
Seasons - when referencing a specific season of a year should be treated like a proper noun, i.e. should include a capital - Winter 2018.
Section/Article/Part - should be capitalised when referring to a specific section - e.g., Section 4 of the Gambling Act.
Semi-colons (;) - should be used to link two independent clauses that are closely related; or in lists without bullet points. (Do not overuse - often a full stop and new sentence will be better.)
Sports betting NOT sportsbetting
Sports team names
Storey (pl. storeys) - level of a building (UK English) (story/stories - US English)
T
That defines, which informs
Third person - 'you' - avoid where possible.
Titles - all important words should begin with a capital (i.e. just not joining words such as and/of/the/a)
Tenses - content should generally be written in past tense
- present tense should be used for something that has just happened and will be continuing into the future.
U
United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC
USA PATRIOT Act - should be kept as such, i.e. with caps, as it's an acronym for 'Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act'.
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with 'although' - means 'at the same time' NOT 'in spite of'.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
---
Now, given the above instructions and style guide, please generate a horizon scanning update based on the following webpage content. Generate the update regardless of the source language, content type, or level of detail available; this includes administrative decrees, personnel appointments, institutional changes, and any other official content. Use whatever information is present.
JC 2024 36 17 July 2024 Final Report on Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under Regulation (EU) 2022/2554 Contents 1. Executive Summary 2 2. Introduction and scope 3 3. Draft Guidelines on ESAs-competent authorities oversight cooperation 6 4. Accompanying documents 17 1 1. Executive Summary Introduction and scope Regulation (EU) 2022/2554 (âDORAâ)1 introduces a pan-European oversight framework of ICT third- party service providers designated as critical (CTPPs). As part of this oversight framework, the European Supervisory Authorities (ESAs) and competent authorities (CAs) have received new roles and responsibilities. For example, on the one hand, the ESA, as Lead Overseer (LO), is responsible to exercise oversight activities on the CTPPs, issue recommendations and follow up with the CTPPs on these recommendations. On the other hand, competent authorities (CAs), for example, participate in the LO's oversight of the CTPP as part of the Joint Examination Team (JET) and follow up with financial entities concerning the risks identified in the recommendations. In order to ensure a consistent and convergent supervisory approach and a level playing field where financial entities are using the ICT services provided by a CTPP across Member States, it is important to have close cooperation between CAs and ESAs through a mutual exchange of information and provision of assistance in the context of relevant supervisory activities. Moreover, a coordinated approach in the context of oversight activities is important to avoid duplications and overlaps in conducting measures aimed at monitoring the CTPPsâ risks. 
In this context, the ESAs have been mandated under Article 32(7) of the DORA to issue Guidelines on the cooperation between the ESAs and the CAs covering the detailed procedures and conditions for the allocation and execution of tasks between CAs and the ESAs and the details on the exchanges of information which are necessary for CAs to ensure the follow-up of recommendations addressed to CTPPs. The ESAs ran a public consultation on its proposed draft Guidelines between 8 December 2023 and 4 March 2024. The ESAs received 29 responses to the Consultation Paper. Respondents broadly welcomed these Guidelines. The ESAs have considered the feedback received and updated these Guidelines as appropriate. Next steps The Guidelines will be translated into the official languages of the European Union and published on the websites of the ESAs. The deadline for competent authorities to notify the respective ESA whether they comply or intend to comply with the Guidelines will be two months after the publication of the translated Guidelines. The Guidelines should apply from 17 January 2025. 1 EUR-Lex - 32022R2554 - EN - EUR-Lex (europa.eu) 2 2. Introduction and scope 2.1 Introduction 1. The DORA2 entered into force on 16 January 2023 and will apply from 17 January 2025. 2. DORA introduces an oversight framework to the financial sector for all designated CTPPs in accordance with Article 31(1)(a) of the DORA. According to recital 76 of the DORA, the oversight framework is set up with a view to: ⢠promote convergence and efficiency in relation to supervisory approaches when addressing ICT thirdâparty risks in the financial sector; ⢠strengthen the digital operational resilience of financial entities which rely on CTPPs for the provision of ICT services that support the supply of financial services; ⢠contribute, thereby, to the preservation of the Unionâs financial system stability and the integrity of the internal market for financial services. 3. 
The main actors of the DORA oversight framework are: ⢠the LO, one of the ESAs appointed according to Article 31(1)(b) of the DORA and responsible to carry out the oversight tasks and to be the single point of contact for the CTPPs; ⢠the CAs, identified in Article 46 of the DORA and responsible to supervise the compliance of financial entities to DORA and to the various applicable relevant financial regulations; and ⢠the other two ESAs that have not been appointed as LOs for a particular CTPP, being involved in the DORA oversight activities through their participation in the Joint Examination Teams (JET) as defined in Article 40 and in the Joint Oversight Network as defined in Article 34 of the DORA. 4. Representatives from all those actors are members of the Oversight Forum (OF) as defined in Article 32(4) of the DORA, which also includes authorities such as the ESRB, ENISA, the ECB and, where applicable, the CAs designated or established according to Directive (EU) 2022/25553 supervising the essential and important entities (âNIS 2â) to be appointed as observers. 5. 
To ensure the timely and successful results of the oversight framework, also in light of the obligation stemming from Article 40 of the DORA for both the ESAs not appointed as LO and the relevant CAs to provide resources to the JET, the application of the oversight framework should 2 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 On digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) 3 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance); OJ L 333, 27.12.2022, p. 80â152 3 be facilitated by close cooperation among relevant CAs and consultation with the ESAs through the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities in accordance with recital 97 of the DORA. 6. In addition, as referred to in recital 93, a coordinated approach between the ESAs and CAs in the context of the exercise of tasks in the oversight framework is important to avoid duplications and overlaps in conducting measures aimed at monitoring the CTPPâs risks. As indicated in recital 88 of the DORA, such duplications and overlaps could prevent financial supervisors from obtaining a complete and comprehensive overview of ICT third-party risk in the Union, while also creating redundancy, burden and complexity for critical ICT third-party service providers if they were subject to numerous monitoring and inspection requests. 
Based on that, there should be a coordinated approach between the oversight activities of the Lead Overseers and the activities of the competent authorities concerning directly or indirectly the CTPPs without any hindrance to the efficiency of the CAsâ powers towards the financial entities under their supervision. 2.2 Scope 7. Pursuant to Article 32(7) of the DORA, in accordance with Article 16 of Regulation (EU) No 1093/2010 (EBA Regulation), Regulation (EU) No 1094/2010 (EIOPA Regulation), and Regulation (EU) No 1095/2010 (ESMA Regulation), âthe ESAs shall issue, for the purposes of this Section [i.e. Chapter V â Section II âOversight framework of critical ICT third party service providersâ], Guidelines on the cooperation between the ESAs and the competent authorities covering: ⢠the detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs; and ⢠the details on the exchanges of information which are necessary for competent authorities to ensure the followâup of recommendations pursuant to Article 35(1), point (d), addressed to critical ICT thirdâparty service providers.â 8. Since Section II of Chapter V of the DORA comprises Articles 31 to 44, the scope of the Guidelines relates to these articles. Hence, other articles which relate to the cooperation between the ESAs and CAs (e.g. Article 49 on âFinancial cross-sector exercises, communication and cooperationâ) are not covered by these Guidelines. 9. Articles which cover tasks that only apply to either one specific CA or ESA or that apply to financial entities and CTPPs, are outside the scope of the Guidelines given that for such tasks, cooperation between the CAs and the ESAs is not required. 10. These Guidelines cover the cooperation between the ESAs and CAs, which are defined in Article 46 of the DORA. 
Hence, these Guidelines do not cover: ⢠the cooperation among CAs, ⢠the cooperation between CAs and CAs under NIS2, 4 ⢠the cooperation among the ESAs, and ⢠the cooperation between the ESAs and other EU authorities. 11. Articles 31 to 44 of the DORA also cover the governance arrangements that need to be set up by the ESAs to ensure cooperation and take decisions (e.g. under Article 32, the ESAs need to establish the OF and under Article 34, the LOs need to set up the Joint Oversight Network). The cooperation between CAs and ESAs in the context of these governance arrangements â including for specific tasks such as the collective assessment of the results and findings of the oversight activities (Article 32(2)) or the preparation of benchmark of CTPPs (Article 32(3)) â are not covered by the Guidelines given that they are subject to the rules of procedure (to be) established by the Joint Committee of the ESAs. 12. Where the ESAs or the European Commission have a legal mandate in DORA to provide further details (e. g. through delegated acts) to any aspects concerning the coordination between the ESAs and CAs as referred to in Article 32(7) of the DORA, the Guidelines do not cover such aspects. For example, the following aspects are not covered by the Guidelines: ⢠criteria for designation of CTPPs (Article 31(6)) â i. e. the Guidelines do not further specify such criteria given that the European Commission will adopt a delegated act on this; ⢠criteria for determining the composition of the JET, their designation, tasks and working arrangements (Article 41(1)(c)) â i. e. the allocation and execution of tasks between CAs and the ESAs within the JET are not covered by these Guidelines, but by separate regulatory technical standards to be developed by the ESAs (Article 41(1)(c)). 5 3. 
Draft Guidelines on ESAs-competent authorities oversight cooperation Status of the Guidelines These Guidelines are issued pursuant to Article 16 of Regulation (EU) No 1093/2010 establishing a European Supervisory Authority (European Banking Authority); Regulation (EU) No 1094/2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority); and Regulation (EU) No 1095/2010 establishing a European Supervisory Authority (European Securities and Markets Authority) (the ESAsâ Regulations)4. The European Supervisory Authorities (ESAs) issue these Guidelines on the basis of Article 32(7) of Regulation (EU) 2022/2554 (âDORAâ)5, according to which the ESAs shall issue guidelines on the cooperation between the ESAs and the competent authorities covering: ⢠the detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs; and ⢠the details on the exchanges of information which are necessary for competent authorities to ensure the followâup of recommendations addressed to ICT third party service providers to financial entities designated as critical. Reporting requirements In accordance with Article 16(3) of the ESAsâ Regulations, competent authorities shall make every effort to comply with the Guidelines. Competent authorities must notify the respective ESA whether they comply or intend to comply with these Guidelines, or otherwise with reasons for non-compliance, within two months after the issuance of the translated versions of the Guidelines. In the absence of any notification by this deadline, competent authorities will be considered by the respective ESA to be non-compliant. Notifications should be sent to compliance@eba.europa.eu, compliance@eiopa.europa.eu and DORA@esma.europa.eu with the reference âJC/GL/2024/36â. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities. 
Notifications will be published on the ESAsâ websites, in line with Article 16(3). 4 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p.12-47). Regulation (EU) No 1094/2010 of the European Parliament and of the Council of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p.48-83).Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010 p. 84-119). 5 Regulation (EU) No 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector amending Regulations (EC) No 1060/2009, (EU)No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p.01-79). 
6 Section 1: General considerations General aims and principles These Guidelines aim at ensuring that the ESAs and the competent authorities have: ⢠an overview of the areas where cooperation and/or exchange of information between competent authorities and the ESAs is needed in accordance with Article 32(7) of the DORA; ⢠a coordinated and cohesive approach between the ESAs and competent authorities in the exchange of information and when cooperating for the purpose of oversight activities to ensure efficiency and consistency as well as to avoid duplications; ⢠a common approach to the rules of procedure and timelines that apply in relation to cooperation and information exchange, including roles and responsibilities and means for cooperation and information exchange. These Guidelines constitute consistent, efficient and effective practices on the oversight cooperation and information exchange between ESAs and competent authorities in the context of Article 32(7) of the DORA. These Guidelines do not hinder the exchange of further information and extended oversight cooperation between ESAs and competent authorities. The practical details of the cooperation and information sharing between ESAs and competent authorities may be subject to bespoke target operating models. The cooperation and information exchange set out in these Guidelines should take into account a preventive and risk-based approach which should lead to a balanced allocation of tasks and responsibilities between the three ESAs and competent authorities and should make the best use of the human resources and technical expertise available in each of the ESAs and competent authorities. Unless otherwise specified in these Guidelines, ESAs refers to the three ESAs including the Lead Overseer. Scope The scope of these Guidelines relates only to Section II of Chapter V (Articles 31-44) of the DORA and does not cover articles related to: ⢠tasks that only apply to either one specific competent authority or ESA (e. 
g. Article 43 on Oversight fees, being a task for the LO only) or that apply to financial entities and critical ICT third-party service providers (e. g. under Article 35(5) , CTPPs are to cooperate in good faith with LO, and assist it in fulfilment of its tasks); ⢠the cooperation among competent authorities (e. g. under Article 48(1), CAs shall cooperate closely among themselves), among the ESAs (e. g. under Article 35(2)(a), the LO shall ensure 7 regular coordination within the Joint Oversight Network) and with other EU authorities (e. g. under Article 34(3), the LO may call on the ECB and ENISA to provide technical advice); ⢠the governance arrangements that are subject to the rules of procedure of the ESAs (e. g. under Article 32, the ESAs need to establish the OF and under Article 34, the LOs need to set up the Joint Oversight Network); ⢠the separate legal mandates (e. g. the criteria for determining the composition of the JET, their designation, tasks and working arrangements are covered by separate regulatory technical standards to be developed by the ESAs (Article 41(1)(c) of DORA). Guideline 1: Language, communication means, contact points and accessibility 1.1 For cooperation and information exchange purposes, the ESAs and competent authorities should communicate in English, unless agreed otherwise. 1.2 The ESAs and competent authorities should make available the information referred to in these Guidelines by electronic means, unless agreed otherwise. 1.3 The ESAs and competent authorities should establish single points of contact in the form of a dedicated institutional/functional email address for information exchanges between the ESAs and competent authorities. 1.4 The single point of contact should only be used for exchanging non-confidential information. 
The ESAs and competent authorities may agree on a bilateral and/or multilateral basis on any applicable requirements concerning the secure transmission of information via the single point of contact (e.g. a requirement on electronic signatures of authorised persons). 1.5 The information on the contact points should be made available to the competent authorities by the ESAs. The competent authorities should make available and update the information about the contact points without undue delay according to the operational instructions defined by the ESAs. 1.6 The ESAs and competent authorities should use a dedicated secure online tool to share information amongst each other on a confidential and secure basis. The online tool should present technical information security measures to guarantee the confidentiality of data against unauthorised access by third-parties. 1.7 The information to be exchanged via the dedicated secure online tool should be limited to the information to be submitted according to points 5 to 12 and any additional information necessary for the Lead Overseer and competent authorities to carry out their respective duties under DORA. 8 1.8 The ESAs and competent authorities should ensure that communication and information exchange between the ESAs and competent authorities are accessible to, and inclusive for all parties involved, including those who may have language barriers or accessibility needs. In that context, the ESAs and competent authorities may use translation services or accessible communication tools, such as video conferencing software with closed captioning, provided data is protected from unauthorised use of third parties. Guideline 2: Timelines 2.1 In the event of specific circumstances that require prompt action or additional time to complete the relevant task, the Lead Overseer may, in consultation with relevant competent authorities, reduce or extend the timelines described in points 5 to 12. 
The Lead Overseer should document the changes and the reasons for such changes. Guideline 3: Difference of opinions between ESAs and competent authorities 3.1 In case of divergent views regarding the oversight cooperation and information exchange, the ESAs and competent authorities should strive to reach a mutually agreed solution. In cases where no such solution can be reached, the Lead Overseer should, in consultation with the Joint Oversight Network, present the difference of opinions to the Oversight Forum, which will present its views to find a mutually agreed solution. Guideline 4: Information exchange between ESAs and competent authorities in the context of their respective cooperation with competent authorities designated or established in accordance with NIS2 (NIS2 authorities) 4.1 Where possible, competent authorities and the Lead Overseer should make available to each other relevant information stemming from their dialogue with NIS2 authorities responsible for the supervision of essential or important entities subject to that Directive, which have been designated as a critical ICT third-party service provider. 
Section 2: Designation of critical ICT third-party service providers Guideline 5: Information for the criticality assessment to be submitted by competent authorities to the ESAs 9 5.1 For the purposes of designating the ICT third-party service providers that are critical for financial entities in accordance with Article 31(1)(a) of the DORA, without undue delay following the receipt of the register of information referred to in Article 28(3) of the DORA, competent authorities should make available the full register of information to the ESAs in accordance with the formats and procedures specified by the ESAs.6 5.2 Competent authorities should also make available to the ESAs any relevant quantitative or qualitative information at their disposal to facilitate the criticality assessment envisaged in Article 31(2) of the DORA, taking into account the delegated act referred to in Article 31(6) of the DORA. 5.3 Upon request, competent authorities should make available to the ESAs additional available information acquired in their supervisory activities, in order to facilitate the criticality assessment. Guideline 6: Information related to the designation of critical ICT third-party service providers to be submitted by the Lead Overseer or ESAs to competent authorities 6.1 Within 10 working days following the receipt from the ICT third-party service provider, the ESAs should make available to the competent authorities of the financial entities using the ICT services provided by a ICT third-party service provider, the legal name, identification code7, country of the registered office of the ICT third-party service provider and, if it belongs to a group, of the parent group that submitted a request to be designated as critical according to Article 31(11) of the DORA. 
6.2 The Lead Overseer should share with the competent authorities of the financial entities using the ICT services provided by a critical ICT third-party service provider: a) Within 10 working days following the receipt from the critical ICT third-party service provider, the notification of the critical ICT third-party service provider about any changes to the structure of the management of the subsidiary established in the Union according to Article 31(13) of the DORA; b) Within 10 working days after the submission of the notification of a decision to designate the ICT third party-party service provider as critical to the ICT third-party service provider, the legal name, identification codeâˇ, country of the registered office of the ICT third-party service provider and, if it belongs to a group, of the parent group that has been designated as critical 6 The ESAs will make use of Article 35(2) of the founding regulations of the ESAs to request the full register of information. 7 âIdentification codeâ refers to the identification code requested for ICT third-party service providers as established by the Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554 10 according to Article 31(5) and (11) of the DORA and the starting date as from which they will effectively be subject to oversight activities as referred to in Article 31(5) of the DORA. Section 3: Core oversight activities Guideline 7: Oversight plans 7.1 Prior to the finalisation of the annual oversight plan referred to in Article 33(4) of the DORA, the Lead Overseer should make available the draft annual oversight plan to the competent authorities of the financial entities using the ICT services provided by a critical ICT third-party service provider. 
7.2 The draft annual oversight plan should include the following information on the envisaged general investigations or inspections: a) type of oversight activity (general investigation or inspection); b) high-level scope and objectives; c) approximate timeframe. 7.3 Competent authorities may provide comments on the draft annual oversight plan within 30 working days following the receipt thereof. 7.4 Within 10 working days following the adoption, the Lead Overseer should make available to the competent authorities, the annual oversight plan and the multi-annual oversight plan8. 7.5 The Lead Overseer should make available any material updates to the annual oversight plan and the multi-annual oversight plan to the competent authorities without undue delay following the adoption of the updates. Competent authorities may provide comments on the material updates to the annual oversight plan within 30 working days following the receipt. Guideline 8: General investigations and inspections 8.1 At least 3 weeks before the start of the general investigation or inspection according to Articles 38(5), 39(3) and 36(1) of the DORA, or with the shortest possible delay in case of an urgent investigation or inspection, the Lead Overseer should inform the competent authorities of the financial entities using the ICT services provided by a critical ICT third-party service provider, the identity of the authorised persons for the general investigation or inspection. 8.2 The authorised persons include: 8 See Recital 3 of draft Regulatory Technical Standards on the conduct of oversight activities in relation to the joint examination teams under DORA 11 - relevant staff members of the Lead Overseer; and - the staff members of the Joint Examination Team as referred to in Article 40(2) of the DORA, appointed to carry out the general investigation or inspection. 
8.3 The Lead Overseer should inform competent authorities of the financial entities using the ICT services provided by that critical ICT third-party service provider where the authorised persons find that a critical ICT third-party service provider opposes the inspection, including imposing any unjustified conditions to the inspection. Guideline 9: Additional information exchanges between the Lead Overseer and competent authorities in relation to oversight activities 9.1 Within 10 working days following the adoption of the request for information to the critical ICT third-party service provider, the Lead Overseer should make available to the Joint Oversight Network and the competent authorities of the financial entities using ICT services provided by a critical ICT third-party service provider, the relevant scope of the request for information submitted to the critical ICT third-party service provider according to Articles 36(1)9 and 37(1) of the DORA. 9.2 The Lead Overseer should inform competent authorities of the financial entities using ICT services provided by a critical ICT third-party service provider of any: - major incidents with direct or indirect impact on financial entities within the Union when reported by the critical ICT third-party service provider, including relevant details to determine the significance of the incident on financial entities and assess possible cross-border impacts;10 - relevant changes in the strategy of the critical ICT third-party service provider on ICT third-party risk; - events that could represent an important risk to the continuity and sustainability of the provision of ICT services; - reasoned statement that may be submitted by the critical ICT third-party service provider evidencing the expected impact of the draft oversight plan on customers which are entities falling outside of the scope of DORA and where appropriate, formulating solutions to mitigate risks referred to in Article 33(4) of the DORA. 
9.3 If a critical ICT third-party service provider liaises with the competent authorities for the purposes of all matters related to the oversight, the competent authorities should make available those communications to the Lead Overseer and remind the critical ICT third-party service provider that the Lead Overseer is its primary point of contact for the purposes of all matters related to the oversight.

[10] See Article 3(2), letter l of Draft regulatory technical standards on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) points (a), (b) and (d) of Regulation (EU) 2022/2554.

Section 4: Follow-up of the recommendations

Guideline 10: General principles for follow-up

10.1 The following general principles should apply to the follow-up of the recommendations issued by the Lead Overseer:
- The competent authorities are the primary point of contact for financial entities under their supervision. The competent authorities are responsible for the follow-up concerning the risks identified in the recommendations concerning financial entities making use of the services of the critical ICT third-party service providers;
- The Lead Overseer is the primary point of contact for critical ICT third-party service providers for the purposes of all matters related to the oversight. The Lead Overseer is responsible for the follow-up of the recommendations addressed to the critical ICT third-party service provider.

Guideline 11: Information exchanges between the Lead Overseer and competent authorities to ensure the follow-up of recommendations

11.1 The Lead Overseer should make available to the competent authorities of the financial entities using the ICT services provided by a critical ICT third-party service provider the following information:

a. Within 10 working days following the receipt by the Lead Overseer:
- the notification of the critical ICT third-party service provider to follow the recommendations issued by the Lead Overseer and the remediation plan prepared by the critical ICT third-party service provider;
- the reasoned explanation of the critical ICT third-party service provider for not following the recommendations;
- the reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider according to Article 35(1)(c) of the DORA.

b. Within 10 working days after the expiration of the 60 calendar days according to Article 42(1) of the DORA:
- the fact that the critical ICT third-party service provider failed to send the notification within 60 calendar days after the issuance of recommendations to the critical ICT third-party service provider according to Article 35(1)(d) of the DORA.

c. Within 10 working days after the adoption by the Lead Overseer:
- the assessment as to whether the critical ICT third-party service provider's explanation for not following the Lead Overseer's recommendations is deemed sufficient and, if it is deemed sufficient, the Lead Overseer's decision concerning amendment of recommendations;[11]
- the assessment of the reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider according to Article 35(1)(c) of the DORA. In case the critical ICT third-party service provider has not adequately implemented the recommendations, the assessment should at least cover the criteria a) to d) of Article 42(8) of the DORA;
- the decision imposing a periodic penalty payment on the critical ICT third-party service provider according to Article 35(6) of the DORA. If the Lead Overseer opted not to disclose the periodic penalty payment to the public as per Article 35(10) of the DORA, the competent authorities receiving the information should not disclose it to the public;
- assessment as to whether the refusal of a critical ICT third-party service provider to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseer, could adversely impact a large number of financial entities, or a significant part of the financial sector.

[11] The Lead Overseer and the Joint Examination Team assess the critical ICT third-party service provider's reasoned explanation for not following the recommendations. If the Lead Overseer decides that the explanation is deemed sufficient, the Lead Overseer may amend the respective recommendations.

11.2 In accordance with Article 42(10) of the DORA, the competent authorities should make available to the Lead Overseer the following information where critical ICT third-party service providers have not endorsed in part or entirely recommendations addressed to them by the Lead Overseer:

a. Within 10 working days following the adoption by the competent authority:
- notification to the financial entity of the possibility of a decision being taken where a competent authority deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party risk the specific risks identified in the recommendations issued by the Lead Overseer according to Article 42(4) of the DORA;
- individual warnings issued by competent authorities according to Article 42(7) of the DORA and relevant information which allows the Lead Overseer to assess whether such warnings have resulted in consistent approaches mitigating the potential risk to financial stability.

b. Within 10 working days following the consultation:
- outcome of the consultation with NIS2 authorities prior to taking a decision, as referred to in Article 42(5) of the DORA, where possible.

c. Within 10 working days following the receipt of the information from financial entities:
- the material changes to existing contractual arrangements of financial entities with critical ICT third-party service providers which were made to address the risks identified in the recommendations issued by the Lead Overseer;
- the start of executing exit strategies and transition plans of the financial entities as referred to in Article 28(8) of the DORA.

11.3 The ESAs, in consultation with competent authorities, should develop a template to facilitate the transmission of the information as defined in point 11.3.

Guideline 12: Decision requiring financial entities to temporarily suspend the use or deployment of a service provided by the critical ICT third-party service provider or terminate the relevant contractual arrangements concluded with the critical ICT third-party service provider

12.1 The competent authorities should inform the Lead Overseer of their intention to notify a financial entity of the possibility of a decision being taken if the financial entity does not adopt appropriate contractual arrangements to address the specific risks identified in the recommendations, as referred to in Article 42(4) of the DORA. For the purpose of application of point 12.2, the competent authorities should make available to the Lead Overseer all relevant information regarding the possible decision and highlight if they intend to adopt an urgent decision.

12.2 After the receipt of the information, the Lead Overseer should assess the potential impact such decision might have for the critical ICT third-party service provider whose service would be temporarily suspended or terminated.
Within 10 working days from the receipt of the information or with the shortest possible delay in case the competent authorities intend to adopt an urgent decision, the Lead Overseer should make that assessment available to the competent authorities concerned. Competent authorities should consider that non-binding assessment when deciding whether or not to issue the notification referred to in point 12.1.

12.3 Where two or more competent authorities plan to take or have taken decisions regarding financial entities making use of ICT services provided by the same critical ICT third-party service provider, the Lead Overseer should inform them about any inconsistent or divergent supervisory approaches that could lead to an unlevel playing field where financial entities are using the ICT services provided by a critical ICT third-party service provider across Member States.

Section 5: Final provisions

These Guidelines apply from 17 January 2025. These Guidelines will be subject to a review by the ESAs.

4. Accompanying documents

4.1 Draft cost-benefit analysis

1. As per Article 16(2) of the ESAs Regulations, the ESAs shall, where appropriate, analyse the related potential costs and benefits of issuing guidelines (impact assessment) and that analysis shall be proportionate in relation to the scope, nature and impact of the guidelines.

2. This analysis presents the impact assessment (IA) of the main policy options included in this Consultation Paper (CP) on the oversight cooperation and information exchange between the ESAs and CAs under DORA.

Problem identification

3. DORA introduces an oversight framework to the financial sector for all CTPPs designated in accordance with Article 31(1)(a).

4.
In order to ensure a consistent and coherent supervisory approach and a level playing field where financial entities are using the ICT services provided by CTPPs across Member States, it is important to have close cooperation between CAs and the ESAs through the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities.

5. In this context, the ESAs have been mandated under Article 32(7) of the DORA to issue guidelines on the cooperation between the ESAs and the CAs covering the detailed procedures and conditions for the allocation and execution of tasks between CAs and the ESAs and the details on the exchanges of information which are necessary for CAs to ensure the follow-up of recommendations addressed to CTPPs.

Policy objectives

6. The Guidelines aim at ensuring that the ESAs and the CAs have:
a) an overview of the areas where cooperation and/or exchange of information between CAs and the ESAs is needed in accordance with Article 32(7) of the DORA;
b) a coordinated and cohesive approach between ESAs and CAs in the exchange of information and when cooperating for the purpose of oversight activities to ensure efficiency and consistency as well as to avoid duplications;
c) a common approach to the rules of procedure and timelines that apply in relation to cooperation and information exchange, including roles and responsibilities and means for cooperation and information exchange.

Baseline scenario

7. Recitals 93 and 97 as well as Article 48(2) of the DORA highlight the importance of close cooperation and information exchange between the ESAs and CAs in the conduct of oversight activities. However, DORA does not include detailed provisions on the cooperation and exchanges of information necessary for the purpose of oversight activities.

8.
In the absence of further clarifications on the details of the exchanges of information and the allocation and execution of tasks between CAs and ESAs, there is a risk of a lack of coordination and information exchange between CAs and ESAs, potentially resulting in duplications/overlaps in the measures directed at CTPPs and financial entities using ICT services of CTPPs and in inconsistent/divergent supervisory approaches by CAs.

POLICY ISSUE 1 – GUIDELINE 5: INFORMATION FOR THE CRITICALITY ASSESSMENT TO BE SUBMITTED BY CAS TO THE ESAS

Options considered

9. For the purposes of designating the ICT third-party service providers that are critical for financial entities, CAs should make available to the ESAs:
- Option A: Only the reports referred to in Article 31(10) of the DORA;
- Option B: Only the register of information referred to in Article 28(3) of the DORA; or
- Option C: The register of information referred to in Article 28(3) of the DORA and any relevant additional information at the disposal of CAs.

Cost benefit analysis

11. The information referred to in Options A and B is not sufficient for the purpose of designating the ICT third-party service providers that are critical for financial entities. In order to assess the criticality, the ESAs need additional input from CAs, including relevant quantitative or qualitative information to determine/calculate the indicators for the criticality criteria set out in Article 31(2) of the DORA (Option C). In order to avoid costs and burden for financial entities and CAs, CAs are not required to gather any additional information from financial entities, but use the information they already have at their disposal.

Preferred option

12. Option C has been retained.
POLICY ISSUE 2 – GUIDELINE 12: DECISION REQUIRING FINANCIAL ENTITIES TO TEMPORARILY SUSPEND THE USE OR DEPLOYMENT OF A SERVICE PROVIDED BY THE CRITICAL ICT THIRD-PARTY SERVICE PROVIDER OR TERMINATE THE RELEVANT CONTRACTUAL ARRANGEMENTS CONCLUDED WITH THE CRITICAL ICT THIRD-PARTY SERVICE PROVIDER

Options considered

13. CAs should inform the LO:
• Option A: After taking the decision as referred to in Article 42(6) of the DORA;
• Option B: After notifying the financial entity of the possibility of a decision being taken as referred to in Article 42(4) of the DORA; or
• Option C: Before notifying the financial entity of the possibility of a decision being taken as referred to in Article 42(4) of the DORA.

Cost benefit analysis

14. If CAs inform the LO of their decision only after it has been taken (Option A) or after the financial entity has been notified of the possibility of a decision being taken (Option B), the CAs will not be able to consider, at an early stage of the decision-making process, the LO's assessment of the potential impact of such decision on the CTPP and the LO's information about any inconsistent or divergent supervisory approaches where applicable. Options A and B could result in an unlevel playing field where financial entities are using the ICT services provided by CTPPs across Member States.

15. If CAs inform the LO before notifying the financial entity of the possibility of a decision being taken (Option C), CAs will be able to adequately consider the LO's assessment/information in their supervisory approaches, resulting in a more coordinated approach and a level playing field for financial entities from a very early stage.

Preferred option

16. Option C has been retained.

4.2 Summary of responses to the public consultation

The ESAs ran a public consultation on their proposed draft guidelines between 8 December 2023 and 4 March 2024. The ESAs received 29 responses to the Consultation Paper.
As indicated in the charts below, the vast majority of respondents are financial entities and industry associations/federations, most of which are related to the banking and payments sector. Most respondents are located in Germany.

[Charts: "Type of stakeholder" (Financial entity; Industry Association/Federation; ICT Third-Party Service Provider; EU trade associations); "Financial sector" (Banking and payments; Insurance and pension; Markets and securities; Other); "Member State of stakeholders" (Germany; Other Member States)]

The table below provides an overview of the comments received and if/how the ESAs have addressed the comments. References in the table are made to the numbering of the draft Guidelines submitted for public consultation. Each entry gives the topic, the summary of comments received, the ESAs' analysis and the amendments to the proposal.

Topic: Point 1.6: Dedicated online tool to share information
Summary of comments received: Two stakeholders raised concerns about potential leakage of sensitive information due to a lack of security measures for the dedicated online tool to share information. It is suggested to describe how information will be transmitted, exchanged, handled, stored and accessed to ensure that confidential and sensitive information is secured against unauthorised and third-party access, and inadvertent disclosure.
ESAs' analysis: The ESAs agree that there is a need for the online tool to have strong security measures and, therefore, point 1.6 states that the tool should allow for confidential and secure information exchange. Details of the technical security measures will be specified when developing the tool. The ESAs agree that the information to be exchanged via the tool should be limited to the information specified in the GLs and under DORA.
Amendments to the proposal: Point 1.6 has been adjusted and new point 1.7 has been added to address the concerns raised.

Topic: Point 1.7: Acknowledgement of receipt of information
Summary of comments received: One stakeholder suggested to delete point 1.7 given that the ESAs and CAs have established a single point of contact in the form of a dedicated institutional/functional email address.
ESAs' analysis: The ESAs are of the view that the acknowledgement of receipt of information may be too burdensome for CAs and the LO in the absence of an automatic acknowledgement of receipt through the online tool.
Amendments to the proposal: Point 1.7 has been removed.

Topic: Point 1.8: Communication and information exchange should be accessible and inclusive for all parties
Summary of comments received: One stakeholder raised concerns about the proposed accessibility of information given that such information contains security-sensitive and competition-sensitive information about CTPPs and financial entities (FEs) shared among multiple supervisory bodies.
ESAs' analysis: According to point 1.6, the online tool should allow for secure and confidential information exchange (see changes made to point 1.6). In addition, point 1.8 highlights that translation services or accessible communication tools should only be used if data is protected from unauthorised use by third parties. The ESAs are of the view that points 1.6 and 1.8 are sufficient safeguards in that respect.
Amendments to the proposal: No change.

Topic: Point 3: Difference of opinions between ESAs and competent authorities
Summary of comments received: One stakeholder suggested to impose a timeline for ESAs and CAs to find a mutually agreed solution and, if no solution can be found, have the Oversight Forum (OF) act as a referee subject to simple majority vote within a pre-agreed timeline.
ESAs' analysis: The ESAs are of the view that there should be sufficient flexibility for ESAs and CAs to find a mutually agreed solution. The tasks and timelines applicable to the OF may be specified in separate rules of procedure of the OF.
Amendments to the proposal: No change.

Topic: Point 5.1: Transmission of the full register of information from CAs to the OF
Summary of comments received: Several stakeholders expressed the view that financial entities should not be required to transmit the full register to the CAs as this would involve an additional amount of work and is not foreseen under DORA.
ESAs' analysis: The ESAs would like to clarify that they will make use of Article 35(2)[12] of the ESAs' Regulations to request the transmission of the full register of information for the designation of CTPPs. The European Commission has welcomed the ESAs' proposal to make use of Article 35(2) and the request will be formalised in a joint BoSs Decision in 2024. The formats and procedures for the transmission of the register will be specified in that Decision.
Amendments to the proposal: No change.

[12] Article 35(2) of the ESAs' Regulations: "The Authority may also request information to be provided at recurring intervals and in specified formats. Such requests shall, where possible, be made using common reporting formats."

Topic: Point 8.1: Information about identity of authorised persons for the general investigation or inspection
Summary of comments received: Several stakeholders suggested that information about the identity of authorised persons should be provided at least 6 weeks (instead of 3 weeks) before the start of the inspection or general investigation to allow sufficient time for preparation.
ESAs' analysis: The ESAs would like to clarify that point 8.1 is not intended to inform CTPPs, but CAs. The information exchange between the LO and the CTPPs is not covered by these Guidelines. CTPPs will be informed about the identity of authorised persons in due time before the start of the inspection or general investigation to allow sufficient time for preparation.
Amendments to the proposal: No change.

Topic: Point 9: Measures by CAs concerning CTPPs
Summary of comments received: Some stakeholders mentioned that point 9 suggests that CAs are empowered to take measures concerning CTPPs and that this can lead to duplications/overlaps and may not be in line with the Level 1 text.
ESAs' analysis: The intention of this provision was not to empower or encourage CAs to take measures concerning CTPPs. Article 33(5) provides the possibility for CAs to take, either directly or indirectly, measures concerning CTPPs in agreement with the LO. The ESAs are of the view that, in order to influence the LO oversight, CAs should comment on the draft oversight plan and then volunteer to take part in the JET.
Amendments to the proposal: Point 9 has been deleted. Point 7 has been updated to allow CAs to comment on the draft oversight plan. The annual consultation of CAs on HR resources and expected profiles of staff to carry out the oversight activity has been removed from the content of the oversight plan under point 7.3 to avoid overlap with the consultation of the OF as per Article 3(1) of the draft RTS on the Joint Examination Teams. An additional sentence has been added to point 6 of the Introduction of the Final Report indicating that there should be a coordinated approach between the oversight activities of the LO and the activities of the CAs concerning directly or indirectly the CTPPs without any hindrance to the efficiency of the CAs' powers towards the financial entities under their supervision.

Topic: Point 10.1: Transmission of the relevant scope of the request for information submitted to the CTPP
Summary of comments received: Several stakeholders suggested that the deadline to submit the relevant scope of the request for information should be extended to 15 working days after acceptance of the request for information to the CTPP to allow sufficient time for processing.
ESAs' analysis: The ESAs would like to clarify that point 10.1 specifies that the relevant scope of the request for information sent to the CTPP should be submitted by the LO to the JON and CAs 10 working days following the LO's adoption of its request for information. The LO does not need to process any specific information following the adoption of its request for information, so 10 working days are sufficient time for the LO to transmit the scope of the request for information.
Amendments to the proposal: No change.

Topic: Point 10.2: Major ICT-related incidents reported by the CTPP
Summary of comments received: One stakeholder expressed the view that the LO should not be expected to inform CAs of major ICT-related incidents reported by the CTPP because DORA does not require CTPPs to proactively report such incidents to the LO.
ESAs' analysis: The ESAs agree that CTPPs are not required by DORA to proactively report major ICT-related incidents to the LO. However, the ESAs can request such information from CTPPs in accordance with Article 37 of DORA, which allows the LO to require the CTPP to provide all information necessary for the LO to carry out its duties under DORA.
Amendments to the proposal: Point 10.2 has been adjusted to align with Article 3(2), letter l of the draft RTS on the conduct of oversight.

Topic: Point 10.3: Primary point of contact for the purposes of all matters related to the oversight
Summary of comments received: Two stakeholders suggested that competent authorities can be the primary point of contact for CTPPs where the interaction is unrelated to DORA oversight, including in relation to national laws.
ESAs' analysis: The ESAs would like to clarify that point 10.3 is in line with the suggestion made by stakeholders, i.e. CAs can be the primary point of contact for CTPPs where the interaction is unrelated to DORA oversight. Point 10.3 refers to "all matters related to the oversight" and this reflects Article 33(1) of DORA.
Amendments to the proposal: No change.

Topic: Point 12.1: Transmission of the remediation plan
Summary of comments received: Two stakeholders expressed the view that Article 35(1)(c) does not always require remediation and that a CTPP is not compelled to remediate.
ESAs' analysis: Article 4(1) of the draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1), (a), (b) and (d) of DORA foresees that, as part of the notification of its intention to comply with the recommendations, the CTPP provides the LO with a remediation plan. The remediation plan is requested from the CTPP in accordance with Article 37 of DORA, which allows the LO to require the CTPP to provide all information necessary for the LO to carry out its duties under DORA.
Amendments to the proposal: No change.

Topic: Point 12.2: Implementation of the remediation plan
Summary of comments received: One stakeholder suggested that the adequacy of implementation of the recommendations must be assessed based on adherence to the remediation plan.
ESAs' analysis: The ESAs agree that recommendations should be deemed as having been adequately implemented where they are in accordance with the remediation plan prepared by the CTPP.
Amendments to the proposal: Point 12.2 has been adjusted accordingly.

Topic: Point 12.3(a): Transmission of information where CTPPs have not endorsed in part or entirely recommendations
Summary of comments received: One stakeholder suggested that the term "adoption" should be clarified and a reference to the Level 1 text be added when referring to the "decision being taken" to require FEs to suspend/terminate the relevant contractual arrangements with the CTPP.
ESAs' analysis: The ESAs would like to clarify that the term "adoption" in point 12.3(a) refers to the adoption by CAs of the notification to the FEs according to Article 42(4) and the adoption by CAs of the individual warnings issued by CAs according to Article 42(7).
Amendments to the proposal: Reference to Article 42(4) has been added to point 12.3(a).

Topic: Scope of the Guidelines
Summary of comments received: Several stakeholders proposed to:
• include a description and criteria for the application of measures CAs can impose on financial entities as well as provide scenarios for the measures;
• provide guidance on how, what and when the CAs should inform the FEs about recommendations issued by the LO; and
• describe how FEs should be continuously informed by CAs about the findings/conclusions of the oversight activities.
ESAs' analysis: The ESAs would like to clarify that the scope of the Guidelines is limited to the cooperation and information exchange between ESAs and CAs. Other areas, such as the measures CAs can impose on FEs and the information exchange between CAs and FEs, are outside the scope of the Guidelines. The ESAs acknowledge that it is important to ensure that FEs are continuously informed about findings/conclusions arising from the oversight activities so that FEs will be able to consider such information as part of upcoming outsourcing arrangements/processes ensuring on-going compliance.
Amendments to the proposal: No change.

Annex: Table summarising information exchanges

The following table summarises the information exchanges between the LO/ESAs (marked grey) and CAs (marked green) as indicated by these Guidelines. The table is not intended to introduce any new guidance, but to reflect the guidance included in the Guidelines. If there are any differences between the Guidelines and this table, the information included in the Guidelines prevails.
Each entry below gives the GL point, the information exchange, the related Article in the Level 1 text and the timeline.

Section 1: General considerations

GL 2.1: LO, in consultation with relevant CAs, reduce or extend the timelines. (Level 1 article: -; Timeline: -)

GL 3.1: LO, in consultation with the JON, to present to the OF difference of opinions regarding the oversight cooperation and information exchanges. (Level 1 article: -; Timeline: -)

GL 4.1: Where possible, CAs and LO to make available to each other relevant information from their dialogue with NIS2 authorities. (Level 1 article: -)

Section 2: Designation of CTPPs

GL 5.1: CAs to make available the full register of information to the ESAs. (Level 1 articles: 28(3)[13], 31(1)(a)[14], (2), (6)[15] and (10)[16]; Timeline: without undue delay following the receipt of the register of information)

GL 5.2: CAs to make available to the ESAs any relevant quantitative or qualitative information at their disposal to facilitate the criticality assessment. (Level 1 article: Article 35(2) of the ESAs' founding regulation[17]; Timeline: -)

GL 5.3: Upon request, CAs to make available additional available information acquired in their supervisory activities. (Level 1 article: -)

GL 6.1, 6.2(a) and 6.2(b) (Level 1 articles: 31(5)[18], (11)[19] and (13)[20]):
- GL 6.1: ESAs to make available to CAs information about the TPP that submitted a request to be designated as critical. (Timeline: within 10 working days following the receipt from the TPP)
- GL 6.2(a): LO to share with CAs notification of the CTPP about any changes to the structure of the management of the subsidiary established in the Union. (Timeline: within 10 working days following the receipt from the CTPP)
- GL 6.2(b): LO to share with CAs information about the TPP that has been designated as critical and the starting date of designation. (Timeline: within 10 working days after the submission of the notification)

Section 3: Core oversight activities

GL 7.1 to 7.5 (Level 1 article: 33(4)[21]; Recital 3 of draft Regulatory Technical Standards on the conduct of oversight activities in relation to the joint examination teams under DORA):
- GL 7.1: LO to make available to CAs the draft annual oversight plan. (Timeline: prior to the finalisation of the annual oversight plan)
- GL 7.3: CAs may provide comments on the draft annual oversight plan. (Timeline: within 30 working days following the receipt)
- GL 7.4: LO to make available to CAs the annual oversight plan and the multi-annual oversight plan. (Timeline: within 10 working days following the adoption)
- GL 7.5: LO to make available to CAs any material updates to the annual oversight plan and the multi-annual oversight plan. (Timeline: without undue delay following the adoption of the updates)
- GL 7.5: CAs may provide comments on the material updates to the annual oversight plan. (Timeline: within 30 working days following the receipt)

GL 8.1: LO to confirm to the CAs the identity of the authorised persons for the investigation or inspection. (Level 1 articles: 36(1), 38(5)[22] and 39(3)[23]; Timeline: at least 3 weeks before the start of the investigation or inspection, or with the shortest possible delay in case of an urgent investigation or inspection)

GL 8.3: LO to inform CAs where the authorised persons find that a CTPP opposes an inspection, including imposing any unjustified conditions to the inspection. (Level 1 article: 39(7)[24]; Timeline: -)

GL 9.1: LO to make available to the JON and the CAs the relevant scope of the request for information submitted to the CTPP. (Level 1 articles: 36(1)[25], 37(1)[26] and 37(5)[27]; Timeline: within 10 working days following the adoption of the request for information to the CTPP)

GL 9.2: LO to make available to CAs:
• major incidents with direct/indirect impact on FEs when reported by the CTPP (upon request by LO);
• relevant changes in the strategy of the CTPP on ICT third-party risk;
• events that could represent important risk to the provision of ICT services;
• reasoned statement from the CTPP evidencing the expected impact of the draft oversight plan.
(Level 1 article: 33(4)[28]; Article 3(2), letter l of Draft regulatory technical standards on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) points (a), (b) and (d) of Regulation (EU) 2022/2554; Timeline: -)

GL 9.3: CAs to make available to the LO communications of the CTPP with the CAs for the purposes of all matters related to the oversight. (Level 1 article: 33(1)[29]; Timeline: -)

Section 4: Follow-up of the recommendations

GL 11.1 a) and b) (Level 1 articles: 35(1)(c)[30] and 42(1)[31]):
- GL 11.1 a): LO to make available to CAs:
  • notification of CTPP to follow recommendations;
  • the CTPP's remediation plan;
  • the reasoned explanation of the CTPP for not following the recommendations; and
  • the report specifying the actions taken or remedies implemented by the CTPP.
  (Timeline: within 10 working days following the receipt by the LO)
- GL 11.1 b): LO to make available to CAs the fact that the CTPP failed to send the notification within 60 calendar days after the issuance of recommendations to the CTPP. (Timeline: within 10 working days after the expiration of the 60 calendar days)

GL 11.1 c) (Level 1 articles: 35(1)(c), 35(6)[32], 35(10)[33], 42(1), 42(8)(a-d)[34]; Timeline: within 10 working days following the adoption by the LO): LO to make available to CAs:
• assessment as to whether the CTPP's explanation for not following the LO's

Footnotes to the Annex

[13] Article 28(3): As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers…
[14] Article 31(1)(a): The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum established pursuant to Article 32(1), shall designate the ICT third-party service providers that are critical for financial entities, following an assessment that takes into account the criteria specified in paragraph 2.
[15] Article 31(6): The Commission is empowered to adopt a delegated act in accordance with Article 57 to supplement this Regulation by specifying further the criteria referred to in paragraph 2 of this Article, by 17 July 2024.
[16] Article 31(10): For the purposes of paragraph 1, point (a), competent authorities shall, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3), third subparagraph, to the Oversight Forum established pursuant to Article 32…
[17] Article 35(2) of the ESAs' founding regulation: The Authority may also request information to be provided at recurring intervals and in specified formats. Such requests shall, where possible, be made using common reporting formats.
[18] Article 31(5): … After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee, shall notify the ICT third-party service provider of such designation and the starting date as from which they will effectively be subject to oversight activities.
[19] Article 31(11): The ICT third-party service providers that are not included in the list referred to in paragraph 9 may request to be designated as critical in accordance with paragraph 1, point (a).
[20] Article 31(13): The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union.
[21] Article 33(4): Based on the assessment referred to in paragraph 2, and in coordination with the Joint Oversight Network referred to in Article 34(1), the Lead Overseer shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider. That plan shall be communicated yearly to the critical ICT third-party service provider.
[22] Article 38(5): In good time before the start of the investigation, the Lead Overseer shall inform competent authorities of the financial entities using the ICT services of that critical ICT third-party service provider of the envisaged investigation and of the identity of the authorised persons.
[23] Article 39(3): In good time before the start of the inspection, the Lead Overseer shall inform the competent authorities of the financial entities using that ICT third-party service provider.
[24] Article 39(7): Where the officials and other persons authorised by the Lead Overseer find that a critical ICT third-party service provider opposes an inspection ordered pursuant to this Article, the Lead Overseer shall inform the critical ICT third-party service provider of the consequences of such opposition, including the possibility for competent authorities of the relevant financial entities to require financial entities to terminate the contractual arrangements concluded with that critical ICT third-party service provider.
[25] Article 36(1): When oversight objectives cannot be attained by means of interacting with the subsidiary set up for the purpose of Article 31(12), or by exercising oversight activities on premises located in the Union, the Lead Overseer may exercise the powers, referred to in the following provisions, on any premises located in a third-country which is owned, or used in any way, for the purposes of providing services to Union financial entities, by a critical ICT third-party service provider, in connection with its business operations, functions or services, including any administrative, business or operational offices, premises, lands, buildings or other properties…
[26] Article 37(1): The Lead Overseer may, by simple request or by decision, require critical ICT third-party service providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies, documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party service provider has outsourced operational functions or activities.
[27] The Lead Overseer shall, without delay, transmit a copy of the decision to supply information to the competent authorities of the financial entities using the services of the relevant critical ICT third-party service providers and to the JON.
[28] Article 33(4), third subparagraph: Upon receipt of the draft oversight plan, the critical ICT third-party service provider may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers which are entities falling outside of the scope of this Regulation and where appropriate, formulating solutions to mitigate risks.
[29] Article 33(1): The Lead Overseer shall conduct the oversight of the assigned critical ICT third-party service providers and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those critical ICT third-party service providers.
[30] Article 35(1)(c): The Lead Overseer has the power to request, after the completion of the oversight activities, reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in relation to the recommendations issued.
[31] Article 42(1): Within 60 calendar days of the receipt of the recommendations issued by the Lead Overseer, critical ICT third-party service providers shall either notify the Lead Overseer of their intention to follow the recommendations or provide a reasoned explanation for not following such recommendations.
32 Article 35(6): In the event of whole or partial non-compliance with the measures required to be taken pursuant to the exercise of the powers under paragraph 1, points (a), (b) and (c), and after the expiry of a period of at least 30 calendar days from the date on which the critical ICT third-party service provider received notification of the respective measures, the Lead Overseer shall adopt a decision imposing a periodic penalty payment to compel the critical ICT third-party service provider to comply with those measures. 33 Article 35(10): The Lead Overseer shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved. 34 Article 42(8): Upon receiving the reports referred to in Article 35(1), point (c), competent authorities, when taking a decision as referred to in paragraph 6 of this Article, shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria: (a) the gravity and the duration of the non-compliance; (b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service providerâs procedures, management systems, risk management and internal controls; (c) whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance; (d) whether the non-compliance has been intentional or negligent. 
33 Related Article Information exchange Timeline in the Level 1 GL text recommendations is deemed sufficient and, if so, the LOâs decision concerning amendment of recommendations; ⢠assessment of the reports specifying the actions taken or remedies implemented by the CTPP; ⢠decision imposing a periodic penalty payment on the CTPP; ⢠assessment as to whether the refusal of a CTPP to endorse recommendations could adversely impact a large number of financial entities, or a significant part of the financial sector CAs to make available to LO: ⢠notification to the financial entity of the possibility of a decision being taken; Within 10 working 42(4)35, (7)36 and 11.2 ⢠individual warnings issued by CAs and relevant days following the (10)37 a) information which allows the LO to assess adoption by the CA whether such warnings have resulted in consistent approaches mitigating the potential risk to financial stability Where possible, CAs to make available to LO, Within 10 working 11.2 outcome of the consultation with NIS2 authorities days following the 42(5)38 b) prior to taking a decision. consultation 35 Article 42(4): Where a competent authority deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party risk the specific risks identified in the recommendations, it shall notify the financial entity of the possibility of a decision being taken, within 60 calendar days of the receipt of such notification, pursuant to paragraph 6, in the absence of appropriate contractual arrangements aiming to address such risks. 
36 Article 42(7): Where a critical ICT third-party service provider refuses to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseer, and such a divergent approach may adversely impact a large number of financial entities, or a significant part of the financial sector, and individual warnings issued by competent authorities have not resulted in consistent approaches mitigating the potential risk to financial stability, the Lead Overseer may, after consulting the Oversight Forum, issue non-binding and non-public opinions to competent authorities, in order to promote consistent and convergent supervisory follow-up measures, as appropriate. 37 Article 42(10): Competent authorities shall regularly inform the Lead Overseer on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual arrangements concluded by financial entities where critical ICT third party service providers have not endorsed in part or entirely recommendations addressed to them by the Lead Overseer. 38 Article 42(5): Upon receiving the reports referred to in Article 35(1), point (c), and prior to taking a decision as referred to in paragraph 6 of this Article, competent authorities may, on a voluntary basis, consult the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider. 
34 Related Article Information exchange Timeline in the Level 1 GL text CAs to make available to LO: ⢠the material changes to existing contractual Within 10 working arrangements of financial entities with CTPPs days following the 11.2 made to address the risks identified in the receipt of the 28 and 42(10)39 c) recommendations; information from financial entities ⢠the start of executing exit strategies and transition plans of the financial entities CAs to inform LO of: ⢠intention to notify a financial entity of the possibility of a decision being taken if the financial entity does not adopt appropriate contractual arrangements to address the - 12.1 specific risks identified in the recommendations; ⢠all relevant information regarding the decision; ⢠whether they intend to carry out an urgent decision 42(4) and (10) Within 10 working days from the receipt of the information referred LO to make available to CAs, non-binding to in GL 12.1 assessment of potential impact the decision might 12.2 have for the CTPP whose service would be or temporarily suspended or terminated With the shortest possible delay in case of an urgent decision 39 Article 42(10): Competent authorities shall regularly inform the Lead Overseer on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual arrangements concluded by financial entities where critical ICT third-party service providers have not endorsed in part or entirely recommendations addressed to them by the Lead Overseer. 35