Article 29 Preliminary assessment of ICT concentration risk at entity level
TL;DR
This article outlines the considerations that financial entities should take into account when identifying and assessing the risks associated with the use of ICT services supporting critical or important functions. This includes taking into account the risk of contracting an ICT third-party service provider that is not easily substitutable, and the impact of having multiple contractual arrangements with the same or closely connected ICT third-party service providers. Financial entities must weigh the benefits and costs of alternative solutions, and consider the implications of any subcontracting. They must also consider the insolvency law provisions and data protection rules that apply, and their ability to monitor the contracted functions and be supervised by the competent authority.-
When performing the identification and assessment of risks referred to in Article 28(4), point (c), financial entitiesas defined in Article 2, points (a) to (t) shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; would lead to any of the following:
-
contracting an ICT third-party service providermeans an undertaking providing ICT services; that is not easily substitutable; or
-
having in place multiple contractual arrangements in relation to the provision of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; with the same ICT third-party service providermeans an undertaking providing ICT services; or with closely connected ICT third-party service providersmeans an undertaking providing ICT services;.
Financial entitiesas defined in Article 2, points (a) to (t) shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providersmeans an undertaking providing ICT services;, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.
COIF Paragraph has special considerations for 'critical or important functions' as defined by Article 3 point 22. -
-
Where the contractual arrangements on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; include the possibility that an ICT third-party service providermeans an undertaking providing ICT services; further subcontracts ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting a critical or important functionmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; to other ICT third-party service providersmeans an undertaking providing ICT services;, financial entitiesas defined in Article 2, points (a) to (t) shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.
Where contractual arrangements concern ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, financial entitiesas defined in Article 2, points (a) to (t) shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.
Where contractual arrangements on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; are concluded with an ICT third-party service provider established in a third countrymeans an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services;, financial entitiesas defined in Article 2, points (a) to (t) shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.
Where the contractual arrangements on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; provide for subcontracting, financial entitiesas defined in Article 2, points (a) to (t) shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authorityas defined in Article 46 to effectively supervise the financial entity in that respect.
COIF Paragraph has special considerations for 'critical or important functions' as defined by Article 3 point 22.