Final Report on draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities

Final Report Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554 JC 2024 54 17 July 2024

2 Contents

1. Executive Summary 3
2. Background and rationale 5
3. Draft Regulatory Technical Standards 7
4. Cost-benefit analysis / impact assessment 14
5. Feedback statement 18

3

1. Executive Summary Introduction and scope
2. Regulation (EU) 2022/25541 (“DORA”) introduces a pan-European oversight framework of ICT third-party service providers designated as critical (CTPPs). As part of this oversight framework, the ESAs and competent authorities (CAs) have received new roles and responsibilities.
3. In this context, the ESAs have been mandated under Article 41(1) to develop draft regulatory technical standards (RTS) to harmonise the conditions enabling the conduct of oversight activities.
4. According to the mandate, the draft RTS shall specify: a) the information to be provided by an ICT third–party service provider in the application for a voluntary request to be designated as critical; b) the information to be submitted by the ICT third–party service providers that is necessary for the LO to carry out its duties; c) the criteria for determining the composition of the joint examination team, their designation, tasks, and working arrangements; d) the details of the competent authorities’ assessment of the measures taken by CTPPs based on the recommendations of the LO.
5. The draft RTS covered by this final report aims at specifying the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements (point c above). A dedicated consultation report and draft RTS covering points (a), (b) and (d) has been published on 8 December 2023 and publicly consulted by the ESAs up to 4 March 2024. The final report is due to be published on 17 July 2024.
6. The draft RTS on joint examination team was publicly consulted between the 18 of April and 18 of May 2024. The ESAs assessed the feedback from the stakeholders and amended, where appropriate, the draft RTS.
7. The review of the draft RTS taking into account the stakeholders feedback was limited and focused on providing clarifications on specific limited provisions mostly concentrated in one single recital and one Article.
8. More information on the feedback received and how this was taken on board by the ESAs is provided in the section “Feedback Statement”. 1 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, OJ L 333, 27.12.2022, p. 1.

4 Next steps 8. The ESAs will submit the final draft RTS to the European Commission for adoption. The European Commission may decide if this draft RTS would be merged in a single RTS with the other draft RTS based on the mandates under Article 41(1)(a), (b), and (d) of the DORA. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny of the European Parliament and the Council before publication in the Official Journal of the European Union. The expected date of application of these regulatory technical standards is 17 January 2025.

5 2. Background and rationale Background 9. The framework on digital operational resilience for the financial sector established by the DORA introduces a Union oversight framework for the information and communication technology (ICT) third-party service providers (TPPs) to the financial sector designated as critical in accordance with Article 31 of that Regulation. 10. In this context, the ESAs have been mandated under Article 41(1) of the DORA to develop draft regulatory technical standards (RTS) to harmonise the conditions enabling the conduct of oversight activities. According to the mandate, the draft RTS shall specify: (a) the information to be provided by an ICT third–party service provider in the application for a voluntary request to be designated as critical under Article 31(11) of the DORA; (b) the content, structure and format of the information to be submitted, disclosed or reported by the ICT third–party service providers to the Lead Overseer pursuant to Article 35(1) of the DORA, including the template for providing information on subcontracting arrangements; (c) the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements; (d) the details of the competent authorities’ assessment of the measures taken by CTPPs based on the recommendations of the Lead Overseer. 11. While developing this draft RTS, the ESAs have decided to divide the mandate of Article 41(1) of the DORA in two separate RTS: one focusing on the areas of the mandate having a direct impact on financial entities and ICT third party service providers (points (a), (b) and (d) above) and the other one on the requirements to be followed by the competent authorities in relation to the joint examination team (point (c) above). This decision was based on the different specific nature of the information included in the empowerment given by Article 41 of the DORA: the empowerments included in points (a), (b) and (d) have a clear impact on the market participants (either ICT third-party providers or financial entities), while the empowerment included in point (c) has impact only on the supervisory community. When adopting these new requirements, the European Commission will decide if this draft RTS would be merged in a single RTS with the other draft RTS based on Article 41(1) of the DORA.

6 Rationale 12. According to Article 40 of the DORA, when conducting oversight activities, the Lead Overseer is assisted by a joint examination team composed of staff members from: (e) the ESAs; (f) the relevant competent authorities supervising the financial entities to which the CTTP provides ICT services; (g) the national competent authority designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as CTPP, on a voluntary basis; (h) one national competent authority from the Member State where the critical ICT third￾party service provider is established, on a voluntary basis. The members of the joint examination team need to have expertise in ICT matters and in operational risk, as well as relevant skills (communication, collaboration, supervisory experience). 13. The success of the entire oversight activities is dependent on the good cooperation between ESAs and the competent authorities which happens both in the Oversight Forum introduced in Article 32 of the DORA and in the joint examination teams as described above. Particularly, since the joint examination team is the structure involved in the daily oversight of the CTPPs, given the high technical complexity of the oversight activities and the scarce availability of the expertise needed to perform them, it is crucial for the ESAs and the entire supervisory community to ensure the maximum efficiency and effectiveness of the joint examination teams. 14. The draft RTS complements the DORA and constitutes the regulatory framework to define the functioning of the joint examination team which will be complemented by specific ad hoc internal or public policies, procedures and arrangements to ensure its operational implementation.

7 3. Draft Regulatory Technical Standards COMMISSION DELEGATED REGULATION (EU) …/… of DD Month YYYY supplementing Regulation 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council, of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/10112 , and in particular Article 41(2), second subparagraph, thereof,Whereas:, (1) The oversight framework established by Regulation (EU) 2022/2554 should be built on a structured and continuous cooperation between the European Supervisory Authorities (ESAs) and the competent authorities through the Oversight Forum and the joint examination teams . (2) After the designation of the critical information and communication technology (ICT) third-party service providers and taking into account the annual oversight plans for all critical ICT third-party service providers, the authorities listed in Article 40(2) of Regulation (EU) 2022/2554 should be asked to nominate their staff as member of the joint examination teams. These authorities should ensure that the nominated staff meet the specific technical expertise required in the profiles needed in the joint examination teams. The demonstration that an authority does not have staff meeting the specific technical expertise needed in the joint examination teams should be considered by the Lead Overseer as justification to discharge, at that point in time, the authorities of their obligation to nominate staff members to the joint examination teams. In that case, the authority should nevertheless commit on the best effort basis to address this shortfall of expertise and try to reinforce its capabilities to contribute to the joint examination teams in the context of the next exercise. The staff members designated as members of a joint examination team should continue to be employees of the nominating authority and therefore subject to working hours and permanent location of work as included in their employment contracts. 2 OJ L 333, 27.12.2022, p. 1.

8 (3) In order to ensure the most effective use of resources in the execution of oversight activities, a joint examination team should be able to oversee multiple critical ICT third￾party service providers. The grouping of the critical ICT third-party service providers to be assigned to a specific joint examination team, and its overall staffing needs should take into account the risk profile of the critical ICT third-party service providers, and the envisaged level of intensity of oversight activities. This should result in a strategic multi-annual oversight plan, updated annually by the Lead Overseer to the extent necessary, and reflected into the individual annual oversight plan. To ensure the reliability of the planned and ongoing commitment of resource staffing of the joint examination teams by the nominating authorities, the Lead Overseer should consult both the joint oversight network and the Oversight Forum. (4) The Lead Overseer should apply a combination of criteria and principles when identifying the number of staff members in each joint examination team and the resulting composition. Those criteria and principles should take into account the technical nature of the oversight tasks, the different grade of dependency of financial entities on the services provided by the critical ICT third-party service providers, the geographical distribution, the size and the number of financial entities relying on those services and, where possible, a proportionate cross-sectoral representation. In performing this task, the Lead Overseer should rely on the information provided by competent authorities in the context of designation of the critical ICT third-party service providers, including the results of the calculation of all the sub-criteria as defined in Commission Delegated Regulation (EU) 2024/1502 3 and consider the criticality of the critical ICT third-party service providers for the provisioning of specific financial services both at Member State and Union level. (5) The Lead Overseer and the members of the joint examination teams should periodically assess the achievements of the joint examination teams to ensure that the structure and the composition of the joint examination teams are fit for purpose and continuously improving the efficiency and effectiveness of the Oversight Framework. The Lead Overseer and the nominating authorities should make use of these assessments to review the membership of the joint examination teams, when appropriate. (6) The ESAs should define the oversight procedures to be followed by the members of the joint examination teams and the Lead Overseer coordinator in the performance of their duties. (7) Since the oversight tasks involve the processing of confidential information, the Lead Overseer should grant members of the joint examination team access to such information and to the relating IT (e.g. tools, applications, datasets) and non-IT (e.g. policy, procedures, documentation) resources on a need-to-know basis and within the defined scope of their assignments if this is necessary for members of the joint examination team to assist the Lead Overseer in the fulfilment of its statutory functions or tasks. (8) When defining arrangements between the Lead Overseer and the compentent authorities to implement this Regulation, consistently with the Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party 3 Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers

9 service providers and the way in which those fees are to be paid, the Lead Overseer should include in such arrangements a section detailing the procedure of reimbursement of the direct and indirect costs of all nominating authorities involved in the joint examination teams. The arrangements should also ensure that the members of the joint examination teams are free from any conflict of interests while performing their duties. (9) This Regulation is based on the draft regulatory technical standards submitted to the European Commission by the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority. (10) The Joint Committee of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council4 , in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council5 and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council6 has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential costs and benefits of the proposed standards and requested advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010, HAS ADOPTED THIS REGULATION:

Article 1 Tasks of the members of a joint examination team

1. The joint examination team shall assist the Lead Overseer in conducting oversight activities, including the individual oversight plan adopted annually according to Article 33(4) of Regulation (EU) 2022/2554.
2. The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: a) assisting the Lead Overseer in the preparation and drafting of the individual annual oversight plan describing the annual oversight objectives and the main 4 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12). 5 Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48). 6 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

10 oversight activities planned for each critical ICT third-party service provider that are to be carried out by the Lead Overseer and the joint examination team; b) assisting the Lead Overseer in performing the assessment referred to in Article 33(2) of Regulation (EU) 2022/2554; c) collecting and assessing the information submitted by the critical ICT third￾party service provider according to Article 37 of Regulation (EU) 2022/2554 and Chapter II of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; d) conducting general investigations on the critical ICT third-party service providers according to Article 38 of Regulation (EU) 2022/2554; e) conducting inspections of the critical ICT third-party service providers according to Article 39 of Regulation (EU) 2022/2554; f) drafting the recommendations addressed to the critical ICT third-party service provider as defined in Article 35(1), point (d) of Regulation (EU) 2022/2554; g) assessing the remediation plan and the progress reports as defined in Article 4 of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; h) preparing and drafting the requests and decisions to the critical ICT third-party service provider referred to in Article 35(6), Article 37(1), Article 38(4), and Article 39(6) of Regulation (EU) 2022/2554; i) assisting the Lead Overseer in its contribution to horizontal oversight activities, including in the development of benchmarking, as referred to in Article 32(3) of Regulation (EU) 2022/2554; j) ensuring that the relevant information relating to financial entities making use of the services provided by the critical ICT third-party service providers are shared with the Lead Overseer; k) assisting the Lead Overseer in unplanned ad hoc activities deemed necessary by the Lead Overseer for the purpose of oversight. 3. In case the individual annual oversight plan is significantly revised during the year by the Lead Overseer, the Lead Overseer shall involve the joint examination team in the process of the revision and execution of the individual annual oversight plan according to point (a) of paragraph 2. Article 2 Establishment of a joint examination team

1. After the first designation of the ICT third-party service provider as critical in accordance with Article 31(1) of Regulation (EU) 2022/2554, the Lead Overseer, in agreement with the joint oversight network, shall establish the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider.

11 2. When material changes regarding the critical ICT third-party service provider occur, the Lead Overseer may consider to update the composition of the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. For the purpose of this paragraph, material changes regarding the critical ICT third￾party service provider relate to: a) the services provided by critical ICT third-party service provider; b) the activities performed by financial entities supported by ICT services of the critical ICT third-party service provider; or c) the list of critical ICT third-party service providers at Union level referred in Article 31(9) or Regulation (EU) 2022/2554. 3. The Lead Overseer shall identify the number of members of the joint examination team and its composition according to Article 3(1), and depending on the envisaged level of intensity of oversight activities to be performed in relation to all critical ICT third-party service providers. 4. The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall nominate one or more individuals from their staff to be appointed as members of the joint examination team. An individual may be nominated and appointed as member of one or more joint examination teams. 5. The Lead Overseer shall appoint the nominated individuals as members of the joint examination team either on a full-time or on a part-time basis depending on their availability, the specific needs of the Lead Overseer, and the agreement between the nominating authority and the Lead Overseer. 6. When nominating the members of the joint examination teams, the authorities shall assess their technical expertise, qualifications and skills in ICT and relevant areas, including communication and collaboration skills, as well as audit and supervision skills. 7. The Lead Overseer may require the nominating authorities to modify their nominations only in justified circumstances and when the profiles of the nominated individuals do not match the profile of the resources needed. 8. The Lead Overseer and the authorities shall take all appropriate and possible measures to ensure the joint examination team is staffed adequately in accordance with the annual individual oversight plan. Article 3 Members of the joint examination team

1. The Lead Overseer shall define the number of members of the joint examination team and its composition in agreement with the Joint Oversight Network and in consultation with the Oversight Forum, as part of the process of establishment of the joint examination team, and as required over time, taking into account the tasks included in the individual annual oversight plans drafted for each critical ICT third-party service

12 provider overseen by the joint examination team. To define the number and the composition of members in the joint examination team, the Lead Overseer shall consider at least the following: a. the number of critical ICT third-party service providers overseen by the joint examination team and by the ESAs as Lead Overseers; b. the specific individual oversight needs related to the specific critical ICT third￾party service provider, as assessed by the Lead Overseer; c. the stability of the composition of the joint examination team, ensuring a proper knowledge retention ; d. the necessary skills required for the execution of the tasks by the joint examination team, considering the technical and non-technical ICT knowledge requirements; e. the Member States in which the critical ICT third-party service provider provides ICT services supporting critical or important functions of the financial entities, and the competent authorities which supervise the financial entities making use of those services; f. the different types, sizes and number of financial entities to which the critical ICT third-party service provider provides ICT services supporting critical or important functions; g. the competent authorities which supervise the financial entities which are the most dependent on the ICT services provided by the critical ICT third-party service providers; h. a proportionate cross-sectoral representation of the nominating authorities of the joint examination team. 2. When nominating members of the joint examination team, the authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall consider at least points (b), (c), (d), (f) and (g) of paragraph 1. 3. The members of the joint examination team shall be involved either in the execution of specific tasks, or in the ongoing support of the activities carried out by the Lead Overseer, considering the tasks defined in Article 1(2) of this Regulation. Article 4 Renewal of the membership in the joint examination team Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team.

13 Article 5 Working arrangements of the members of the joint examination team

1. The members of the joint examination team shall carry out their tasks identified in the individual annual oversight plan with due skill, care and diligence without any bias and in accordance with the instructions of the Lead Overseer coordinator.
2. When carrying out oversight tasks, the members of the joint examination team shall follow oversight procedures drafted jointly by the European Supervisory Authorities in relation to the conduct of oversight activities and any relevant operational area, including but not limited to specifications relating to the use of IT tools and equipment, and time management.
3. The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities.
4. The Lead Overseer and the nominating authorities shall establish arrangements to implement the requirements in this Regulation, including arrangements on the time spent and estimated costs related to the oversight activities performed by the joint examination team, training and ethical and conduct considerations in relation to the role of the member of the joint examination team, where appropriate.
5. The Lead Overseer and the nominating authorities shall ensure that the arrangements referred to in paragraph 4 are timely implemented, reviewed and kept up to date. Article 6 Entry into force
6. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
7. This Regulation shall apply from 17 January 2025.
8. This Regulation shall be binding in its entirety and directly applicable in all Member States.

14 4. Cost-benefit analysis / impact assessment

1. As per Article 10(1) of Regulation (EU) No 1093/2010 (EBA Regulation), Regulation (EU) No 1094/2010 (EIOPA Regulation) and Regulation (EU) No 1095/2010 (ESMA Regulation), any draft regulatory technical standards developed by the ESAs shall be accompanied by an Impact Assessment (IA) to analyse ‘the potential related costs and benefits’ of the technical standard.
2. The next paragraphs present the IA of the main policy options included in this Consultation Paper (CP) on the harmonization of conditions enabling the conduct of oversight activities under Article 41(1), point (c), of Regulation (EU) 2022/2554 (DORA). Problem identification
3. The DORA introduces an oversight framework for the ICT third-party service providers designated as critical according to Article 31(1)(a) of that Regulation. Article 40 of the DORA on ongoing oversight stipulates that the Lead Overseer is to be supported by a joint examination team when conducting oversight activities. The joint examination team is composed by: (i) the ESAs (j) the relevant competent authorities supervising the financial entities to which the CTTP provides ICT services; (k) on a voluntary basis the national competent authority designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as CTPP; (l) on a voluntary basis one national competent authority from the Member State where the critical ICT third-party service provider is established.
4. In this context, Article 41(1) point (c) of the DORA mandates the ESAs to specify “the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements,”.
5. Article 41(1), points (a), (b) and (d), of the DORA mandate the ESAs to harmonise through a RTS additional elements of the conditions enabling the conduct of the oversight activities. As further detailed in the section dedicated to policy options and outlined in the introductory part of this consultation paper, the ESAs have decided to develop a dedicated RTS covering that part of the mandate of Article 41.
6. This impact assessment does not cover the requirements set out in DORA in relation to the areas covered by the draft RTS on harmonization of oversight conduct, but it focuses only on the specific provisions of the draft RTS related to the joint examination teams and assesses the implications of the policy issues considered by the ESAs while developing the draft RTS on the joint examination teams.

15 Policy Objectives 7. The objective of the draft RTS is to specify the criteria determining the composition of the joint examination teams, which are the structures supporting the Lead Overseer in conducting the oversight activities, ensuring a balanced participation of members from the ESAs and the relevant competent authorities that are parts of the joint examination teams. Furthermore, the draft RTS specify the criteria to be followed by the Lead Overseer, the ESAs and the competent authorities for the designation of the members of the joint examination teams, the tasks that those members will perform and their working arrangements. The relevant criteria and principles take into account the technical nature of the oversight tasks, the different grade of dependency of financial entities on the services provided by the critical ICT third-party service providers, the geographical distribution of those financial entities, the size and the number of those financial entities, the available ICT skills in each competent authority and, where possible, a proportionate cross-sectoral representation. Baseline scenario 8. DORA establishes a Union oversight framework of critical ICT third-party service providers for the financial sector that allows for a continuous monitoring of the activities of ICT third-party service providers that are critical to financial entities, while ensuring that the confidentiality and security of customers other than financial entities is preserved. 9. The baseline scenario builds on the roles and responsibilities of the Lead Overseer, ESAs and competent authorities set by the DORA with the goal to achieve the overall aim of the oversight framework, namely to ensure financial stability and market integrity in the digital age. It assumes the mandatory involvement of such authorities in the joint examination teams, to the extent it is considered as necessary by the Lead Overseers, to achieve their oversight objectives, and the leading role of the Lead Overseers in the conduct of the oversight activities. General policy options POLICY ISSUE 1: STRUCTURE OF THE DRAFT RTS Options considered 10. Option A: including in one single draft regulatory technical standard all the areas referred to in Article 41(1) of the DORA, i.e., covering those that have a direct impact on financial entities and ICT third party service providers (Article 41(1) points (a), (b) and (d) of the DORA) and the one that must be followed by the ESAs and the relevant competent authorities in relation to the joint examination team (Article 41(1) point (c) of the DORA). 11. Option B: dividing the mandate of Article 41(1) of the DORA in two separate consultation papers: one focusing on the areas of the mandate having a direct impact on financial entities and ICT third￾party service providers (Article 41(1) points (a), (b) and (d) of the DORA) and the other one on the requirements to be followed by the supervisory community in relation to the composition of the joint examination team as well as the designation process of such teams, their task and the

16 underlying arrangements linking the members and the Lead Overseers (Article 41(1)(c) of the DORA). This principle was established by the EBA in a previous RTS7 . Cost-benefit analysis 12. The empowerment given by Article 41(1) of the DORA contains two different sets of requirements in terms of market impacts: the empowerments included in points (a), (b) and (d) have a clear impact on the market participants (either ICT third-party providers or financial entities), while the one included in point (d) has an impact only to the supervisory community. In light of the above considerations, in order to give the necessary time to the market stakeholders to participate to this public consultation, the ESAs have decided to give priority to the empowerments included in points (a), (b) and (d). A targeted one-month consultation is organised for the remaining dimension of the mandate (point (c)). Preferred option 13. Option B has been retained. Policy options relating to Chapter II – Information from critical ICT third-party service providers to the Lead Overseer POLICY ISSUE 2: A joint examination team CAN OVERSEE MULTIPLE CTPPs Options considered 14. Option A: According to article 40(1) the Lead Overseer shall be assisted by a joint examination team established for each critical ICT third-party service provider. This may be translated into each joint examination team overseeing only one CTPP. 15. Option B: According to article 40(1) the Lead Overseer shall be assisted by a joint examination team established for each critical ICT third-party service provider. This may be translated into each joint examination team overseeing multiple CTPPs under the condition that the relationship joint examination team-CTPP is clearly assigned. Cost-benefit analysis 16. A successful oversight of critical ICT third-party service providers requires the gathering in the joint examination teams of resources with highly technical skills provided by members nominated by the authorities identified in article 40(2) of the DORA. Option B allows to maximise flexibility and synergies among joint examination team structures and ensure the most efficient use of the scarce technical resources available to the members. Such approach is commonly followed by European supervisors and overseers, especially when they have a great number of entities under their responsibility. Depending on the organisational choices of the Lead Overseers and the number and the profiles of the designated critical ICT third-party providers, option B would not prevent the Lead Overseers to set up joint examination teams focusing on one single critical ICT third-party provider (especially for the ones requiring a greater number of resources given their size, identified risk level for the financial sector, etc) and, in parallel, other joint examination teams in charge of 7 EBA Regulatory Technical Standards on Own Funds: https://www.eba.europa.eu/regulation-and-policy/own-funds/draft￾regulatory-technical-standards-on-own-funds.

17 several critical ICT third-party providers. If option A is retained, having the requirement that one joint examination team can oversee only one CTPP would excessively bind the Lead Overseers in their own organisational capacities, and would potentially require a higher number of FTEs from the ESAs and the competent authorities resulting potentially in higher fees to be levied from critical ICT third-party providers. Preferred option 17. Option B has been retained. Costs and benefits of the RTS Stakeholder groups affected Costs Benefits Financial entities NA NA ICT TPP NA The development of the leanest possible structure of joint examination team minimizes the impacts on the fees levied from the CTPPs ex Article 43 of the DORA. Competent authorities Competent authorities supervising financial entities making use of the services of CTPPs and ESAs shall provide resources to the joint examination team according to the specifications included in the draft RTS. While the provisioning of resources to the joint examination team will generate organizational impacts to the authorities, article 43 of DORA and the Commission Delegated acts issued according to that Article8 ensure that the estimated costs stemming from this contribution are covered by the fees levied by the CTPPs. The draft RTS ensures that the joint examination team minimizes the organizational impact on the ESAs and the competent authorities by ensuring an efficient and effective composition of the joint examination team. European Supervisory Authorities 8 Delegated act details - Register of delegated acts (europa.eu)

18 5. Feedback statement Topic Summary of responses received ESAs analysis Amendments to the proposal Access to information for joint examination team members Stakeholders proposed to add wording in recital 7 to further clarify the conditions of information sharing and access between the Lead Overseer and the joint examination team members, as follows: “The Lead Overseer should grant members of the joint examination team access to such information and to the relating IT (e.g. tools, applications, datasets) and non-IT (e.g. policy, procedures, documentation) resources on a need￾to-know basis and within the defined scope of the assessment, if this is […] This ESAs agree with the principle of the proposed amendment as it further enhances the concept of “need￾to-know basis” and segmented access to information in line with the tasks assigned to joint examination team Members. Recital 7 was amended making reference to the assignments given to the joint examination team members. Furthermore, it is to be noted that the draft RTS has been refined for legal clarification compared to the consultation paper. Tasks of the members of the joint examination team One stakeholder asked to further define terms like “relevant information” when used in Art. 1 (2) (j): “ensuring that the Article 3(1) of the draft RTS on harmonisation of conditions enabling the conduct of the oversight activities reads that “CTPPs shall provide to the Lead Overseer, upon its No change

19 relevant information relating to financial entities making use of the services provided by the critical ICT third￾party service providers are shared with the Lead Overseer” request, any information deemed necessary by the Lead Overseer to carry out its oversight duties”. Given that joint examination team members will assist the Lead Overseer to carry out such oversight duties, the relevant information mentioned here can be any of these “necessary information” mentioned in Article 3(1) of this other draft RTS. With the aim of avoiding generating additional complexity and running the risk of making processes overcomplex, the wording proposed in the consultation paper gives flexibility and recognizes the value added of the supervisory experience and knowledge of joint examination team members. Oversight Activities One stakeholder requested to clarify the technical term ‘Unplanned ad hoc activities’ in article 1(2)(k). More in detail, the request was related to further clarifying the situations in which an ad hoc activity could be necessary. Article 1(2)(k) of the draft RTS builds on Article 40 of DORA regarding the ongoing oversight. The wording of the RTS aims at capturing the set of unplanned oversight activities in which members of the joint examination team will be participating which would be triggered by new information/facts raised in the course of the planned oversight activities, to ensure the Lead Overseer can No change

20 reach its oversight objectives. The aim is to ensure that a certain level of flexibility is available for joint examination team members to cater for not planned / urgent tasks. Establishment of a Joint examination team after the CTPP designation Some stakeholders requested to further define the term “activity” also in the context of Article 2(1)b in order to avoid any mis interpretation In this case the ESAs purposefully chose to retain some flexibility by not including a hard definition and allowing the LO to have enough leeway when choosing the members of the joint examination team. However, this comment made that the ESAs have streamlined Article 2 to make a clearer distinction between the establishment of the joint examination team and their potential update. Previous Article 2(1) has been divided into 3 paragraphs, Article 2(1) focused on the establishment of the joint examination team, Article 2(2) focused on the potential update of the joint examination team, and Article 2(3) listing the potential “material changes” that may trigger an update of the joint examination team. In addition, the reference to Article 2 in Article 4 has been deleted, given it was deemed unnecessary. Establishment of a Joint examination team after the CTPP designation A limited number of stakeholders suggested to be more specific when joint examination team members will be designated, also in the context of proposed Article 2(1) (j) which indicates that a new joint examination team may be required to be established every time there is a ‘material change Given the fact that the oversight framework will be a complex and new endeavour, pulling in resources from multiple organizations is important to keep a certain degree of flexibility for the Lead Overseer and for the oversight community. In general, one of the key objectives of the joint examination team is to maintain stability and retention of No change

21 regarding the critical ICT third-party service provider’. knowledge within the team without running the risk of applying changes too often. For this reason, the ESAs have decided not to amend this Article. Establishment of a Joint examination team after the CTPP designation One stakeholder suggested to link the ICT services provided by the CTPP to the skills of the joint examination team’s members and to amend Article 2(5) to replace “ICT” with “the ICT services the CTPP provides” Such change would excessively limit the ability of the Lead Overseer to involve relevant experts in the joint examination teams. Hence, the ESAs disagree to reflect such proposal. No change Professional secrecy and security obligations Two stakeholders requested to further specify the professional secrecy regime and security obligations around the information shared by the CTPP with the Lead Overseer and the joint examination team, due to the risk of creating new vulnerabilities that could lead to misuse of sensitive data DORA already addresses in detail the topics of access to information, professional secrecy (Article 38 and Art 39) and designated persons (Article 55) without mandating further specifications in the context of the RTS. Adding further definitions would therefore fall outside the scope of the legal mandate. It is also noted that Article 5 of the RTS already provides that the joint examination team members should comply with the ESAs professional secrecy regime. No change