1. By 17 January 2028, the Commission shall, after consulting the ESAs and the ESRB, as appropriate, carry out a review and submit a report to the European Parliament and the Council, accompanied, where appropriate, by a legislative proposal. The review shall include at least the following:
(a) the criteria for the designation of critical ICT third-party service providers in accordance with Article 31(2);
(b) the voluntary nature of the notification of significant cyber threats referred to in Article 19;
(c) the regime referred to in Article 31(12) and the powers of the Lead Overseer provided for in Article 35(1), point (d), point (iv), first indent, with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers established in a third country, and the necessity to establish a subsidiary in the Union.
For the purposes of the first subparagraph of this point, the review shall include an analysis of
…