Subcontracting ICT services

Preamble (Recitals 1 – 19)

Recitals

Article 1

Overall risk profile and complexity

Article 2

Group application

Article 3

Due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions

Article 4

Description and conditions under which ICT services supporting a critical or important function may be subcontracted

Article 5

Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity

Article 6

Material changes to subcontracting arrangements of ICT service supporting critical or important functions

Article 7

Termination of the contractual arrangement

Article 8

Entry into force

Article 3Note: This article is based on the final draft from the ESAs and is not yet adopted. Due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions

  1. A financial entity shall decide before entering into an arrangement with an ICT third party service provider whether an ICT service supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof may be subcontracted by an ICT third-party service providermeans an undertaking providing ICT services; only after having assessed at least:

    1. that the due diligence processes implemented by the ICT third-party service providermeans an undertaking providing ICT services; ensure that it is able to select and assess the operational and financial abilities of potential ICT subcontractors to provide the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, including by participating in digital operational resilience testingas defined in Article 24 as referred to Chapter IV of Regulation (EU) 2022/2554 as required by the financial entity;

    2. that the ICT third-party service providermeans an undertaking providing ICT services; is able to identify, notify and inform the financial entity of any subcontractors in the chain of subcontracting providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, and to provide all relevant information that may be necessary for the assessment;

    3. that the ICT third-party service providermeans an undertaking providing ICT services; ensures that the contractual arrangements with the subcontractors providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof allow the financial entity to comply with its own obligations stemming from Regulation (EU) 2022/2554 and all other applicable legal and regulatory requirements, and grant the financial entity and competent and resolution authorities the same contractual rights of access, inspection and audit along the chain of subcontractors providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; as those granted by the ICT third-party service providermeans an undertaking providing ICT services;;

    4. that, without prejudice to the financial entity’s final responsibility to comply with its legal and regulatory obligations, the ICT third-party service providermeans an undertaking providing ICT services; itself has adequate abilities, expertise, financial, human and technical resources, applies appropriate information security standards, and has an appropriate organisational structure, including risk management and internal controls, incidents reporting and responses, to monitor its subcontractors;

    5. that the financial entity has adequate abilities, expertise, financial, human and technical resources, applies appropriate information security standards, and has an appropriate organisational structure, including risk management, incident response and business continuity management and internal controls, to monitor and oversee the ICT service supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof that has been subcontracted or, including where possible and appropriate, the subcontractors effectively underpinning the ICT service supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material part thereof directly as set out under Article 5;

    6. the impact of a possible failure of a subcontractor on the provision of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; on the financial entity’s digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; and financial soundness;

    7. the risks associated with the location of the potential subcontractors in relation to the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; provided by the ICT third-party service providermeans an undertaking providing ICT services;;

    8. the ICT concentration risksmeans an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole; at entity level in accordance with Article 29 of Regulation (EU) 2022/2554;

    9. any obstacles to the exercise of audit, inspection and access rights by the competent authoritiesas defined in Article 46, resolution authorities, the financial entity, including persons appointed by them.

  2. Financial entitiesas defined in Article 2, points (a) to (t) that use ICT third-party service providersmeans an undertaking providing ICT services; that subcontract ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof shall periodically carry out the risk assessment referred to in paragraph 1) against possible changes in their business environment, including but not limited to changes in the supported business functions, in risk assessments including ICT threats, ICT concentration risksmeans an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole; and geopolitical risks.

  3. In accordance with their final responsibility to comply with their legal and regulatory obligations under Regulation (EU) 2022/2554, financial entitiesas defined in Article 2, points (a) to (t) making use of the results of the risk assessment carried out by their ICT third-party service providersmeans an undertaking providing ICT services; on their subcontractors, for the purpose of complying with the obligations set out in this article, shall not rely exclusively on them in accordance with Article 5 (4).

Table of contents