ROI Recitals
Recital 1
It is necessary to establish standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by information and communication technology (ICT) third-party service providers referred to in Article 28(3) of Regulation (EU) 2022/2554. Information gathered from that register is essential for the financial entities’ internal ICT risk management, for the effective supervision of the financial entities by their competent authorities, and for the establishment and conduct of oversight of the critical ICT third-party providers by the Lead Overseer. Furthermore, that information is essential for the annual process to designate critical ICT third-party service providers by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (collectively ‘European Supervisory Authorities’ (ESAs)).
Recital 2
To ensure supervisory outcomes which are consistent with the existing supervisory frameworks, the parent undertaking of financial entities that are part of a group as defined in Regulation (EU) 2022/2554 should determine the entities to be included in the register of information at sub-consolidated and consolidated level in accordance with Union financial services legislation. To reduce administrative costs of groups, groups should have the possibility to develop a single register of information at entity, sub-consolidated and consolidated levels in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers to all the financial entities that are part of that group. In such cases, the single register of information should allow each financial entity to comply with its obligation to maintain and update the register of information at entity and sub-consolidated level, where applicable, including its reporting to its competent authority.
Recital 3
Pursuant to Article 28(1), point (b), of Regulation (EU) 2022/2554, the financial entities’ management of ICT third-party risks is to take into account the nature, scale, complexity and importance of ICT-related dependencies, and the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers. That risk assessment should take into account the criticality or importance of the service, process or function of the financial entity and the potential impact on the continuity and availability of financial services and activities, at entity level and at group level.
Recital 4
Certain sector-specific Union financial services legislation contains requirements on outsourcing. Those requirements have been further developed in guidelines issued by the ESAs. Under those guidelines, some financial entities are expected to record specific information on their outsourcing arrangements, in some cases also in the form of registers, as part of their outsourcing risk management. In recent years, several national competent authorities and the ECB have collected information included in such registers as part of their supervision of financial entity compliance with the outsourcing requirements. Based on the lessons learned from the different data collection exercises of outsourcing registers performed in recent years by the ESAs and competent authorities, the standard templates should be designed in a technology-neutral manner with open tables, which have a predefined number of columns and an indefinite number of rows. In addition, the standard templates should be linked to one another by using different specific keys forming a relational structure between those templates.
Recital 5
To receive ICT services from an ICT third-party service provider, including ICT intra-group service providers, financial entities conclude a written contract with the ICT third-party service provider.
In case of groups, ICT intra-group service providers may conclude a contract with ICT third-party providers that are external to the group to provide ICT services to one or more financial entities of the group.
To capture the full ICT service supply chain, financial entities maintaining the register of information should report both information on the contractual arrangement with their ICT intra-group service provider and information on the arrangement stipulated by the ICT intra-group service provider and the ICT third-party providers that are external to the group as subcontractors. Therefore, the register of information should include a specific template enabling the reconciliation between the intra-group contracts and the contracts with ICT third-party service providers that are external to the group.
Recital 6
The provision of ICT services to financial entities may rely on potentially long or complex chains of subcontracting which should be monitored by the financial entities. Financial entities should assess the associated risks, including ICT third-party concentration risks with regard to the ICT third-party service providers supporting a critical or important function or material parts thereof, considering a risk-based approach and the principle of proportionality.
To enable that assessment, financial entities should be required to record in the register of information only those subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision. When identifying those subcontractors, financial entities should consider business and ICT service continuity and ICT security aspects.
Recital 7
A register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintaining the register.
Recital 8
To allow transparency and comparability of contractual arrangements and the ongoing monitoring of those arrangements, the register of information should focus on the operational links between the financial entities and the ICT third-party service providers. To that end, the register of information should use four keys, which, among others, link relevant data to each other across the templates of the register of information: (i) the reference number of the contractual arrangement between the financial entity signing that arrangement and the direct ICT third-party service provider, (ii) an appropriate identifier of financial entities and ICT third-party service providers, (iii) the function identifier, and (iv) the type of ICT services.
Recital 9
To appropriately document the contractual arrangements between the financial entities and the ICT third-party service providers as required by Regulation (EU) 2022/2554, it is understood that ICT third-party service providers should provide for an identification number which allows for their consistent and accurate identification by the financial entities and by the ESAs, the Oversight Forum, and the competent authorities, when exercising their supervisory powers, including for the designation of critical ICT third-party service providers under Article 31 of that Regulation. Concerning legal persons, the LEI and EUID are recognised international and European identifiers ensuring the consistent, unique and robust identification of companies. Consequently, either of these two identifiers should be used for the identification of the ICT third-party service providers established in the Union for the purposes of the application of that Regulation and should be considered as information that is common to all contractual arrangements, whereas the ICT third-party service providers established in third countries should be identified with LEI only.
The templates used for the register of information about the ICT third-party service providers should require information on either of these two identifiers for ICT service providers that are legal persons, while allowing natural persons acting in the capacity of ICT service providers to use alternative identification codes.
Recital 10
Each financial entity, including financial entities from the same group, has its own internal taxonomy of functions depending on its specific business model and internal organisation. To allow for a clear monitoring distinguishing between the functions of the financial entities and the ICT services, financial entities should themselves designate relevant functions by using the function identifier at individual level and at group level.
Recital 11
To enable the operability of the register of information at entity, sub-consolidated and consolidated level across all the financial entities that are part of the same group, financial entities should ensure the correctness and consistency of all the data in that register. In particular, to enable such operability, it is necessary to ensure consistency in the consolidation of the identifiers, namely the contractual arrangement reference numbers, the function identifier, LEI of the financial entities and identifiers of the ICT third-party service providers.
Recital 12
To ensure consistency and harmonisation and to avoid burdensome reprocessing of data for reporting purposes, the structure of the templates and the requirements of the data elements should consider data management and reporting perspectives. To ensure full comparability of the information reported in the register of information with the information provided in other regulatory or statistical reporting, financial entities should adhere to data quality principles, when maintaining and updating that register.
Recital 13
This Regulation is based on the draft implementing technical standards submitted to the Commission by the ESAs.
Recital 14
The ESAs have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs’ Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2), Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4).
Recital 15
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5).
Footnotes
(2) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).
(3) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj).
(4) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).
(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).