Chapter V — Managing of ICT third-party risk
Section II — Oversight framework for critical ICT third-party service providers
Ongoing oversight
Summary
Establishes the framework for continuous, risk-based oversight of critical ICT third-party providers. Requires the Lead Overseer to maintain an ongoing assessment of the provider's risk profile, follow up on recommendations, and adapt the oversight intensity based on evolving risks and compliance performance.
Key Requirements
1. Maintain ongoing risk assessment of each critical provider
2. Follow up systematically on implementation of recommendations
3. Adapt oversight intensity based on risk profile and compliance history
4. Monitor material changes in the provider's operations or governance
5. Coordinate with national competent authorities on supervisory findings
Detailed Analysis
Article 40 establishes that oversight of critical ICT third-party providers is not a one-off exercise but a continuous, risk-based process. The Lead Overseer must maintain an ongoing understanding of each critical provider's risk profile, adapting the intensity and focus of oversight activities based on evolving circumstances.
Continuous oversight means that the Lead Overseer tracks material changes in the provider's operations, governance, technology stack, client base, and subcontracting arrangements. A major acquisition, a new service launch, a leadership change, or a significant security incident could all alter the provider's risk profile and warrant intensified oversight. The Lead Overseer must have processes to detect and assess such changes systematically.
Follow-up on recommendations is a central element of ongoing oversight. The Lead Overseer must track whether the provider has implemented the remedial actions committed to in its action plans, verify the effectiveness of implemented changes, and escalate when timelines are missed or implementation is inadequate. This follow-up cycle transforms oversight from a periodic assessment into a continuous improvement mechanism.
The risk-based approach means that not all critical providers receive the same level of scrutiny at all times. Providers with strong compliance track records, mature governance, and low-risk profiles may be subject to lighter-touch monitoring, while those with unresolved recommendations, recent incidents, or governance concerns receive heightened attention. This calibration is essential for the efficient use of supervisory resources and for maintaining proportionality. For financial entities, understanding the oversight intensity applied to their critical providers provides valuable intelligence for their own risk assessments and vendor management decisions.