SIS Recitals
Recital 1
Article 30(2) of Regulation (EU) 2022/2554 requires financial entities to set out contractual arrangements on the use of ICT services that include at least a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of ICT services supporting critical or important functions, or material parts thereof (hereafter "ICT services supporting critical or important functions"), is permitted and, when that is the case, the conditions applying to such subcontracting.
Recital 2
To ensure a consistent and uniform application by financial entities and supervisory convergence across the European Union, it is necessary to further specify the elements set out under Article 30(2) of Regulation (EU) 2022/2554.
Recital 3
The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors, whereby ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers. This indirect reliance on ICT subcontractors may have an impact on financial entities' ability to identify, assess and manage their risks, including risks linked to gaps in the information provided by ICT third-party service providers and to the financial entities' limited ability to obtain information from ICT subcontractors providing ICT services supporting critical or important functions or material parts thereof. It cannot, however, reduce the responsibilities of the financial entities and their management bodies to manage their risks and to comply with their legislative and regulatory requirements.
Recital 4
In this regard, where the provision of ICT services to financial entities depends on a potentially long or complex chain of ICT subcontractors in which several subcontractors may be involved, it is essential that financial entities identify the overall chain of subcontractors providing ICT services supporting critical or important functions.
Recital 5
According to Article 28(1) of Regulation (EU) 2022/2554, financial entities shall, on a continuous basis, identify all sources of ICT risk. In order to do so, when receiving ICT services supporting critical or important functions, financial entities should continue to effectively monitor those ICT services.
Recital 6
Among those subcontractors that provide ICT services supporting critical or important functions, financial entities should put a particular and continuous focus on the subcontractors that effectively underpin the ICT service supporting critical or important functions, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision in accordance with Article 3(1)(b) of the Implementing Technical Standards with regard to standard templates for the register of information.
Recital 7
Financial entities vary widely in their size, structure and internal organisation and in the nature and complexity of their activities. It is therefore necessary to take that diversity into account, while imposing certain fundamental regulatory requirements which are appropriate for all financial entities, when developing the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions, and to ensure that those requirements are applied in a manner that is proportionate.
Recital 8
When permitted by the financial entities in accordance with Article 30(2) of Regulation (EU) 2022/2554, the use of subcontracted ICT services supporting critical or important functions by ICT third-party service providers cannot reduce the ultimate responsibility of the financial entities and their management bodies to manage their risks and to comply with their legislative and regulatory obligations.
Recital 9
When subcontracting ICT services supporting critical or important functions is permitted, it is of utmost importance that financial entities conduct a risk assessment before entering into an arrangement with ICT third-party service providers, in order to have a clear and holistic view of the risks associated with subcontracting and to be in a position to properly monitor, manage and mitigate the risks that may affect the provision of the subcontracted ICT services supporting critical or important functions.
Recital 10
Taking into account the application of the proportionality principle and a risk-based approach, financial entities should have appropriate processes in place, directly or indirectly through their ICT third-party service providers, to address the relevant risks that may impact the provision of ICT services supporting critical or important functions, in accordance with their contractual arrangements with ICT third-party service providers. Financial entities should identify the most appropriate way to perform the due diligence on the subcontractors and the risk assessment, either directly by themselves or indirectly through their ICT third-party service providers, considering the specificities of the contractual arrangements and having regard to their final responsibility stemming from Regulation (EU) 2022/2554.
Recital 11
ICT intra-group subcontractors providing ICT services supporting critical or important functions or material parts thereof, including those fully or collectively owned by financial entities within the same institutional protection scheme, where applicable, should be considered as ICT subcontractors. In accordance with Regulation (EU) 2022/2554, the requirements applicable to the use of intra-group subcontracting are the same as those applicable to non-intra-group subcontracting, regardless of the differences that may exist in the risks posed in both cases.
Recital 12
Where financial entities belong to a group, the parent undertaking should ensure that the policy on the use of ICT subcontractors providing ICT services supporting critical or important functions, or material parts thereof, by ICT third-party service providers is applied in a consistent and coherent way within the group.
Recital 13
In order to have a comprehensive management of the risks that could arise when subcontracting ICT services supporting critical or important functions, it is necessary to take into account the steps of the life cycle of a contractual arrangement for the use of ICT services supporting critical or important functions provided by ICT third-party service providers, including for subcontracting arrangements. In this regard, it is necessary to set out requirements for financial entities that should be reflected in their contractual arrangements with ICT third-party service providers when the use of subcontracted ICT services supporting critical or important functions is permitted.
Recital 14
To mitigate the subcontracting risks, it is necessary to specify all the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services supporting critical or important functions. For this purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or for material changes to existing ones made by the ICT third-party service provider.
Recital 15
In order to identify the risks that could arise before entering into an arrangement with an ICT subcontractor, the ICT third-party service providers should follow an appropriate and proportionate process to select and assess the suitability of potential subcontractors, in line with the ICT contractual arrangements concluded with the financial entity. The ICT contractual arrangements should therefore foresee that the ICT third-party service provider, or where appropriate the financial entity directly, assesses the potential subcontractor's resources, including its expertise and adequate financial, human and technical resources, its information security, and its organisational structure, including the risk management and internal controls that the subcontractor should have in place.
Recital 16
In order to mitigate the subcontracting risks along the life cycle of contractual arrangements, it is necessary to set out the minimum content of the contractual arrangements between the financial entities and the ICT third-party service providers when using ICT subcontracting for the use of ICT services.
Recital 17
Financial entities should monitor the performance of the ICT service provision and any relevant changes occurring within their subcontracting chain providing ICT services supporting critical or important functions, in order to mitigate any vulnerabilities and threats that may pose risks to their ICT systems and operations.
Recital 18
Financial entities should be informed of new subcontracting arrangements, or material changes thereof, made by the ICT third-party service provider with a notice period that allows them to assess the risks associated with such new arrangements or material changes. Where the outcome of the risk assessment is that the new arrangements or material changes carry a level of risk that exceeds their risk tolerance, financial entities should have the right to terminate the contract with the ICT third-party service provider. The financial entity's objections may be addressed by the ICT third-party service provider before the financial entity exercises its termination right.
Recital 19
The European Supervisory Authorities have conducted an open public consultation on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs' Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010, Article 37 of Regulation (EU) No 1094/2010 and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council.