The classic trap
Article 34 organises the coordination between the three Lead Overseers of the ESAs within a Joint Oversight Network (JON). It is an institutional article that does not directly address financial entities: it structures the supervisory machinery covering critical ICT third-party service providers. The trap for a CSSF-regulated entity is therefore not a direct breach, but a strategic blind spot: believing that, because a critical provider (cloud hyperscaler, market-data SaaS vendor, eBRC datacentre) is overseen at European level, the financial entity using it is relieved of its own responsibility. That is false. JON oversight never replaces your own contractual and operational management of third-party risk under Articles 28 to 30 DORA and CSSF circular 25/882.
Why this article still concerns your compliance
The JON coordinates the recommendations addressed to critical ICT third-party providers. Those recommendations then cascade down to you. Three practical consequences for a private bank or a CSSF-regulated fintech:
- A recommendation from the Lead Overseer to your cloud provider may trigger an obligation to react on your side (contract review, exit plan, multi-vendor strategy under Article 28(8) DORA).
- Article 42 DORA allows competent authorities, including the CSSF, to draw consequences when a critical provider fails to address recommendations, possibly requiring you to suspend or terminate the use of that provider.
- You must continuously track which of your providers are, or may become, critical ICT third-party providers designated by the ESAs, since the oversight regime changes your entire monitoring framework.
The real risk sanctioned by the CSSF is not Article 34 itself, but the inability to demonstrate that you follow the Lead Overseer recommendations and that your register of information (Article 28(3) DORA) correctly identifies the criticality of each provider.
How Luxgap automates this risk
Our Luxgap Oversight Signal Tracker turns the abstract European JON oversight into concrete, actionable alerts for your DORA framework. The tool continuously monitors the critical ICT third-party provider designations published by the ESAs and their associated recommendations, then cross-references them with your register of information and your Odoo, ServiceNow or Sage BOB 50 contracts to instantly identify which of your vendors are affected, without your CISO having to manually watch EBA, ESMA and EIOPA publications.
- Automatically detects each new critical third-party provider designation by the ESAs and alerts via Teams or email when one of your active vendors enters the Lead Overseer scope.
- Cross-references JON recommendations with your DORA register of information to materialise the compliance actions that fall back on you.
- Calculates a probability score that a vendor will be designated critical within 12 months, based on its share in your ICT chain, its substitutability and its sector footprint.
- Generates a preformatted exit plan and a multi-vendor strategy under Article 28(8) DORA as soon as a concentration risk is detected.
- Produces a timestamped PDF report, enforceable before the CSSF during an inspection, demonstrating that you follow JON recommendations and the evolving criticality of your providers.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real register of information, with a free blank audit within 48h to measure your exposure to critical providers before any commitment.