Article 8 Contractual clauses

1. The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate.

2. The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity:

(a) its own internal audit or an audit by an appointed third party;

(b) where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them;

(c) where appropriate, third-party certifications;

(d) where appropriate, internal or third-party audit reports made available by the ICT third-party service provider.

3. The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity:

(a) is satisfied with the audit plan of the ICT third-party service provider for the relevant contractual arrangements;

(b) ensures that the scope of the certifications or audit reports covers the systems and key controls identified by it and ensures compliance with relevant regulatory requirements;

(c) thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete;

(d) ensures that key systems and controls are covered in future versions of the certification or audit report;

(e) is satisfied with the aptitude of the certifying or auditing party;

(f) is satisfied that the certifications are issued, and the audits are performed, against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place;

(g) has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls;

(h) has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and executes those rights in line with the agreed frequency.

4. The policy shall ensure that material changes to the contractual arrangement are to be formalised in a written document which is dated and signed by all parties, and shall specify the renewal process for the contractual arrangements.