Recitals
COMMISSION DELEGATED REGULATION (EU) …/… of DD Month YYYY supplementing Regulation 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements (Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council,
of 14 December 2022 on digital operational resilience for the financial sector and amending
Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/10112, and in particular Article 41(2), second subparagraph, thereof,Whereas:,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council,
of 14 December 2022 on digital operational resilience for the financial sector and amending
Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/10112, and in particular Article 41(2), second subparagraph, thereof,Whereas:,
1)
The oversight framework established by Regulation (EU) 2022/2554 should be built on a structured and continuous cooperation between the European Supervisory Authorities (ESAs) and the competent authorities through the Oversight Forum and the joint examination teams .
2)
After the designation of the critical information and communication technology (ICT)
third-party service providers and taking into account the annual oversight plans for all
critical ICT third-party service providers, the authorities listed in Article 40(2) of
Regulation (EU) 2022/2554 should be asked to nominate their staff as member of the
joint examination teams. These authorities should ensure that the nominated staff meet
the specific technical expertise required in the profiles needed in the joint examination
teams. The demonstration that an authority does not have staff meeting the specific
technical expertise needed in the joint examination teams should be considered by the
Lead Overseer as justification to discharge, at that point in time, the authorities of their
obligation to nominate staff members to the joint examination teams. In that case, the
authority should nevertheless commit on the best effort basis to address this shortfall of
expertise and try to reinforce its capabilities to contribute to the joint examination teams
in the context of the next exercise. The staff members designated as members of a joint
examination team should continue to be employees of the nominating authority and
therefore subject to working hours and permanent location of work as included in their
employment contracts.
third-party service providers and taking into account the annual oversight plans for all
critical ICT third-party service providers, the authorities listed in Article 40(2) of
Regulation (EU) 2022/2554 should be asked to nominate their staff as member of the
joint examination teams. These authorities should ensure that the nominated staff meet
the specific technical expertise required in the profiles needed in the joint examination
teams. The demonstration that an authority does not have staff meeting the specific
technical expertise needed in the joint examination teams should be considered by the
Lead Overseer as justification to discharge, at that point in time, the authorities of their
obligation to nominate staff members to the joint examination teams. In that case, the
authority should nevertheless commit on the best effort basis to address this shortfall of
expertise and try to reinforce its capabilities to contribute to the joint examination teams
in the context of the next exercise. The staff members designated as members of a joint
examination team should continue to be employees of the nominating authority and
therefore subject to working hours and permanent location of work as included in their
employment contracts.
3)
In order to ensure the most effective use of resources in the execution of oversight
activities, a joint examination team should be able to oversee multiple critical ICT third_x0002_party service providers. The grouping of the critical ICT third-party service providers
to be assigned to a specific joint examination team, and its overall staffing needs should
take into account the risk profile of the critical ICT third-party service providers, and
the envisaged level of intensity of oversight activities. This should result in a strategic
multi-annual oversight plan, updated annually by the Lead Overseer to the extent
necessary, and reflected into the individual annual oversight plan. To ensure the
reliability of the planned and ongoing commitment of resource staffing of the joint
examination teams by the nominating authorities, the Lead Overseer should consult
both the joint oversight network and the Oversight Forum.
activities, a joint examination team should be able to oversee multiple critical ICT third_x0002_party service providers. The grouping of the critical ICT third-party service providers
to be assigned to a specific joint examination team, and its overall staffing needs should
take into account the risk profile of the critical ICT third-party service providers, and
the envisaged level of intensity of oversight activities. This should result in a strategic
multi-annual oversight plan, updated annually by the Lead Overseer to the extent
necessary, and reflected into the individual annual oversight plan. To ensure the
reliability of the planned and ongoing commitment of resource staffing of the joint
examination teams by the nominating authorities, the Lead Overseer should consult
both the joint oversight network and the Oversight Forum.
4)
The Lead Overseer should apply a combination of criteria and principles when identifying the number of staff members in each joint examination team and the resulting composition. Those criteria and principles should take into account the technical nature of the oversight tasks, the different grade of dependency of financial entities on the services provided by the critical ICT third-party service providers, the geographical distribution, the size and the number of financial entities relying on those services and, where possible, a proportionate cross-sectoral representation. In performing this task, the Lead Overseer should rely on the information provided by competent authorities in the context of designation of the critical ICT third-party service providers, including the results of the calculation of all the sub-criteria as defined in Commission Delegated Regulation (EU) 2024/1502 3 and consider the criticality of the critical ICT third-party service providers for the provisioning of specific financial services both at Member State and Union level.
5)
The Lead Overseer and the members of the joint examination teams should periodically
assess the achievements of the joint examination teams to ensure that the structure and
the composition of the joint examination teams are fit for purpose and continuously
improving the efficiency and effectiveness of the Oversight Framework. The Lead
Overseer and the nominating authorities should make use of these assessments to
review the membership of the joint examination teams, when appropriate.
assess the achievements of the joint examination teams to ensure that the structure and
the composition of the joint examination teams are fit for purpose and continuously
improving the efficiency and effectiveness of the Oversight Framework. The Lead
Overseer and the nominating authorities should make use of these assessments to
review the membership of the joint examination teams, when appropriate.
6)
The ESAs should define the oversight procedures to be followed by the members of the
joint examination teams and the Lead Overseer coordinator in the performance of their
duties.
joint examination teams and the Lead Overseer coordinator in the performance of their
duties.
7)
Since the oversight tasks involve the processing of confidential information, the Lead
Overseer should grant members of the joint examination team access to such
information and to the relating IT (e.g. tools, applications, datasets) and non-IT (e.g.
policy, procedures, documentation) resources on a need-to-know basis and within the
defined scope of their assignments if this is necessary for members of the joint
examination team to assist the Lead Overseer in the fulfilment of its statutory functions
or tasks.
Overseer should grant members of the joint examination team access to such
information and to the relating IT (e.g. tools, applications, datasets) and non-IT (e.g.
policy, procedures, documentation) resources on a need-to-know basis and within the
defined scope of their assignments if this is necessary for members of the joint
examination team to assist the Lead Overseer in the fulfilment of its statutory functions
or tasks.
8)
When defining arrangements between the Lead Overseer and the compentent
authorities to implement this Regulation, consistently with the Commission Delegated
Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU)
2022/2554 of the European Parliament and of the Council by determining the amount
of the oversight fees to be charged by the Lead Overseer to critical ICT third-party
service providers and the way in which those fees are to be paid, the Lead Overseer
should include in such arrangements a section detailing the procedure of reimbursement
of the direct and indirect costs of all nominating authorities involved in the joint
examination teams. The arrangements should also ensure that the members of the joint
examination teams are free from any conflict of interests while performing their duties.
authorities to implement this Regulation, consistently with the Commission Delegated
Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU)
2022/2554 of the European Parliament and of the Council by determining the amount
of the oversight fees to be charged by the Lead Overseer to critical ICT third-party
service providers and the way in which those fees are to be paid, the Lead Overseer
should include in such arrangements a section detailing the procedure of reimbursement
of the direct and indirect costs of all nominating authorities involved in the joint
examination teams. The arrangements should also ensure that the members of the joint
examination teams are free from any conflict of interests while performing their duties.
9)
This Regulation is based on the draft regulatory technical standards submitted to the
European Commission by the European Banking Authority, the European Insurance
and Occupational Pensions Authority, and the European Securities and Markets
Authority.
European Commission by the European Banking Authority, the European Insurance
and Occupational Pensions Authority, and the European Securities and Markets
Authority.
10)
The Joint Committee of the European Supervisory Authorities referred to in Article 54
of Regulation (EU) No 1093/2010 of the European Parliament and of the Council4, in
Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the
Council5 and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament
and of the Council6 has conducted open public consultations on the draft regulatory
technical standards on which this Regulation is based, analysed the potential costs and
benefits of the proposed standards and requested advice of the Banking Stakeholder
Group established in accordance with Article 37 of Regulation (EU) No 1093/2010, the
Insurance and Reinsurance Stakeholder Group and the Occupational Pensions
Stakeholder Group established in accordance with Article 37 of Regulation (EU) No
1094/2010, and the Securities and Markets Stakeholder Group established in accordance
with Article 37 of Regulation (EU) No 1095/2010,
HAS ADOPTED THIS REGULATION:
of Regulation (EU) No 1093/2010 of the European Parliament and of the Council4, in
Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the
Council5 and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament
and of the Council6 has conducted open public consultations on the draft regulatory
technical standards on which this Regulation is based, analysed the potential costs and
benefits of the proposed standards and requested advice of the Banking Stakeholder
Group established in accordance with Article 37 of Regulation (EU) No 1093/2010, the
Insurance and Reinsurance Stakeholder Group and the Occupational Pensions
Stakeholder Group established in accordance with Article 37 of Regulation (EU) No
1094/2010, and the Securities and Markets Stakeholder Group established in accordance
with Article 37 of Regulation (EU) No 1095/2010,
HAS ADOPTED THIS REGULATION: