Monitoring of the contractual arrangements


  1. The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third-party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate.

  2. The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity’s own policies. The policy shall, in particular, ensure the following:

    1. that the ICT third-party service providers provide appropriate reports on their activities and services to the financial entity, including periodic reports, incident reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing;

    2. that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity’s ICT risk management framework;

    3. that the financial entity receives other relevant information from the ICT third-party service providers;

    4. that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents;

    5. that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed.

  3. The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity’s risk assessment referred to in Article 6.

  4. The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment-related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings.