Third-party ICT service policy

Preamble (Recitals 1 – 13)

Recitals

Article 1

Overall risk profile and complexity

Article 2

Group application

Article 3

Governance arrangements

Article 4

Main phases of the life cycle for the adoption and use of contractual arrangements

Article 5

Ex-ante risk assessment

Article 6

Due diligence

Article 7

Conflicts of interest

Article 8

Contractual clauses

Article 9

Monitoring of the contractual arrangements

Article 10

Exit from and termination of the contractual arrangements

Article 11

Entry into force

Article 1 Overall risk profile and complexity

The policy on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; provided by ICT third-party service providersmeans an undertaking providing ICT services; (the ‘policy’) shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to:

  1. the type of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; included in the contractual arrangement on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; provided by ICT third-party service providersmeans an undertaking providing ICT services; (the ‘contractual arrangement’) between the financial entity and the ICT third-party service providermeans an undertaking providing ICT services;;

  2. the location of the ICT third-party service providermeans an undertaking providing ICT services; or the location of its parent company;

  3. whether the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; are provided by an ICT third-party service providermeans an undertaking providing ICT services; located within a Member State or in a third country, also considering the location from where the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; are provided and the location where the data is processed and stored;

  4. the nature of the data shared with the ICT third-party service providermeans an undertaking providing ICT services;;

  5. whether the ICT third-party service providermeans an undertaking providing ICT services; is part of the same groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; as the financial entity to which the services are provided;

  6. the use of ICT third-party service providersmeans an undertaking providing ICT services; that are authorised, registered or subject to supervision or oversight by a competent authorityas defined in Article 46 in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providersmeans an undertaking providing ICT services; that are not;

  7. the use of ICT third-party service providersmeans an undertaking providing ICT services; that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providersmeans an undertaking providing ICT services; that are not;

  8. whether the provision of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; are concentrated to a single ICT third-party service providermeans an undertaking providing ICT services; or a small number of such service providers;

  9. the transferability of the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; to another ICT third-party service providermeans an undertaking providing ICT services;, including as a result of technology specificities;

  10. the potential impact of disruptions in the provision of the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; on the continuity of the financial entity’s activities and on the availability of its services.

Table of contents