Pillar IV: ICT Third-Party Risk Management
Article 42

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Follow-up by competent authorities


Summary

Creates the enforcement bridge between the oversight framework and financial entity supervision. When a critical provider fails to comply with the Lead Overseer's recommendations, competent authorities must take supervisory action at the entity level, potentially requiring financial entities to reduce or terminate their dependency on the non-compliant provider.

Key Requirements

  1. Competent authorities must act on Lead Overseer findings affecting their supervised entities
  2. May require entities to implement contingency measures or exit plans
  3. May require entities to suspend or terminate arrangements with non-compliant providers
  4. Must coordinate response with the Lead Overseer and other NCAs
  5. Financial entities must demonstrate adequate vendor risk management in response

Detailed Analysis

Article 42 is the enforcement keystone of the entire oversight framework. Since the Lead Overseer cannot directly impose binding orders or fines on critical ICT third-party providers (which are not financial entities), Article 42 creates an indirect enforcement mechanism through the financial entities that depend on these providers.

When the Lead Overseer identifies serious deficiencies at a critical provider or finds that a provider has failed to comply with recommendations, it communicates its findings to the relevant national competent authorities. Those authorities must then consider what supervisory action to take at the entity level — that is, against the financial entities that use the non-compliant provider's services.

The range of supervisory actions is significant. Competent authorities may require financial entities to activate contingency plans, accelerate exit strategies, implement additional risk mitigation measures or, in extreme cases, suspend or terminate their arrangements with the non-compliant critical provider. This creates a powerful economic incentive for critical providers to cooperate with the oversight framework — non-compliance risks the loss of their financial sector client base.

For financial entities, Article 42 underscores the importance of maintaining robust exit strategies and contingency plans for critical third-party arrangements, as required by Article 30. An entity that has not prepared for the possibility of being required to terminate a critical provider relationship could face severe operational disruption if this article is invoked. Prudent institutions maintain tested exit plans, identified alternative providers, and sufficient internal capabilities to bridge any transition period. Auditors assessing compliance should verify that entities' contingency plans are realistic, tested, and capable of execution within reasonable timeframes.
