CDR 2025-295 Article 6

Article 6 – Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer

  1. As part of their supervision of financial entities, the competent authority shall assess the impact on the financial entities of the measures taken by the critical ICT third-party service provider based on the recommendations of the Lead Overseer in accordance with the principle of proportionality.
  2. When conducting the assessment referred to in paragraph 1, the competent authority shall take into account all of the following:
    1. the adequacy and the coherence of the corrective and remedial measures implemented by the financial entities to mitigate the risks identified in the recommendations;
    2. the assessment made by the Lead Overseer of the compliance of the critical ICT third-party service provider with the measures and actions included in the report where it has impacts on the exposure of the financial entities under its remit to the risks identified in the recommendations;
    3. the view of any other competent authorities who have been consulted in accordance with Article 42(5) of Regulation (EU) 2022/2554;
    4. whether the Lead Overseer has considered the actions and remedies implemented by the critical ICT third-party service provider as adequate to mitigate the exposure of the financial entities under its remit to the risks identified in the recommendations.
  3. Upon request from the Lead Overseer, the competent authority shall provide in reasonable time the results of the assessment set out in paragraph 1. When requesting the results of this assessment, the Lead Overseer shall consider the principle of proportionality and the magnitude of risks associated with the recommendations, including the cross-border impacts of these risks when impacting financial entities operating in more than one Member State.
  4. Where relevant, the competent authority shall request financial entities to provide any information necessary to carry out the assessment referred to in paragraph 1.