Subcontracting ICT services

Preamble (Recitals 1 – 19)

Recitals

Article 1

Overall risk profile and complexity

Article 2

Group application

Article 3

Due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions

Article 4

Description and conditions under which ICT services supporting a critical or important function may be subcontracted

Article 5

Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity

Article 6

Material changes to subcontracting arrangements of ICT service supporting critical or important functions

Article 7

Termination of the contractual arrangement

Article 8

Entry into force

Article 4Note: This article is based on the final draft from the ESAs and is not yet adopted. Description and conditions under which ICT services supporting a critical or important function may be subcontracted

  1. When describing in the written contractual arrangements the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to be provided by an ICT third-party service providermeans an undertaking providing ICT services; in accordance with Article 30(2)(a) of Regulation (EU) 2022/2554, financial entitiesas defined in Article 2, points (a) to (t) shall identify which ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; are eligible for subcontracting and under which conditions. In particular, and without prejudice to the financial entities’ final responsibilities stemming from Regulation 2022/2554, for each ICT service supporting a critical or important functionmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof eligible for subcontracting, the written contractual agreement between the financial entity and the third-party service provider shall specify:

    1. that the ICT third-party service providermeans an undertaking providing ICT services; is responsible for the provision of the services provided by the subcontractors;

    2. that the ICT third-party service providermeans an undertaking providing ICT services; is required to monitor all subcontracted ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting a critical or important functionmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met;

    3. the monitoring and reporting obligations of the ICT third-party service providermeans an undertaking providing ICT services; towards the financial entity regarding subcontractors of ICT third-party service providersmeans an undertaking providing ICT services; providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material part thereof;

    4. that the ICT third-party service providermeans an undertaking providing ICT services; shall assess all risks associated with the location of the current or potential subcontractors providing ICT service supporting a critical or important functionmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material part thereof, and its parent company and the location where the ICT service is provided from;

    5. the location of data processed or stored by the subcontractor, where relevant;

    6. that the ICT third-party service providermeans an undertaking providing ICT services; is required to specify in its written contractual agreement with the subcontractor providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material part thereof the monitoring and reporting obligations of the subcontractor towards the ICT third-party service providermeans an undertaking providing ICT services;, and where agreed, towards the financial entity;

    7. that the ICT third-party service providermeans an undertaking providing ICT services; is required to ensure the continuity of the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations, and that the written contractual agreement with the subcontractor providing the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof includes the requirements on business contingency plans as set out under Article 30(3)(c) of Regulation (EU) 2022/2554 and defines the service levels to be met by the ICT subcontractors in relation to these plans;

    8. that the ICT third-party service providermeans an undertaking providing ICT services; is required to specify in its written contractual agreement with the subcontractor providing ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof the ICT security standards and any additional security requirements, where relevant, that shall be met by the subcontractors in line with Article 30(3)(c) of Regulation (EU) 2022/2554;

    9. that the subcontractor is required to grant to the financial entity and relevant competent and resolution authorities the same rights of access, inspection and audit as referred to in Article 30(3)(e) of Regulation (EU) 2022/2554 as granted to the financial entity and relevant competent and resolution authorities by the ICT third-party service providermeans an undertaking providing ICT services;;

    10. that the financial entity will be notified of material changes to subcontracting arrangements in accordance with article 6;

    11. that the financial entity has termination rights in accordance with article 7 or in accordance with the circumstances set out under Article 28(7) of Regulation (EU) 2022/2554.

  2. Changes relative to contractual agreements between the financial entity and ICT third-party service providersmeans an undertaking providing ICT services; that provide an ICT service supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible. The financial entity shall document the planned timeline for the implementation.

Table of contents