European Union: Closed consultation on Regulatory Technical Standard on the harmonisation of conditions enabling the conduct of the oversight activities

On 4 March 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) closed their consultation on the draft Regulatory Technical Standard (RTS) on the harmonisation of conditions enabling the conduct of oversight activities of critical ICT third-party service providers under DORA. The draft RTS specifies the information to be provided by ICT third-party service providers in applications to be designated as critical, including information on services provided, market share, substitutability, clients, strategy, and more, and it outlines the process for the ESAs to assess the completeness of voluntary designation applications. It specifies the information critical ICT service providers must submit to the Lead Overseer, including arrangements, governance, risk management, security, audits, finances, employees and more. Critical ICT service providers would also be required to submit remediation plans and progress reports on implementing recommendations from the Lead Oversee, while competent authorities would be required to assess risks addressed in Lead Overseer recommendations as part of supervising financial entities, sharing information with the Lead Overseer upon request and especially for severe risks. Information submitted would have to follow specified formats, structure and language (English), and a template is provided for information on subcontracting arrangements. The annex maps the required information to relevant oversight assessment criteria in DORA.