Source: OJ L, 2025/532, 2.7.2025

Current language: EN

Article 1 Overall risk profile and complexity


Summary What does Article 1 of the RTS on subcontracting ICT services say?

This opening article establishes the foundational principle that financial entities must take their own size, risk profile, and operational complexity into account when applying the rules of this regulation.

It then sets out an extensive list of factors to be considered, all centred on the subcontracting arrangements of ICT third-party service providers.

The factors span the nature of the subcontracted services, geographic location of subcontractors, the depth of the subcontracting chain, data sharing, supervisory status of subcontractors, concentration risks, and the potential impact of disruptions.

This article effectively sets the parameters for how financial entities should calibrate their approach to ICT subcontracting risk throughout the rest of the regulation.

Important points:

  • Take into account your own size, risk profile, and operational complexity when assessing ICT subcontracting arrangements supporting critical or important functions.
  • The factors to consider extend deep into the supply chain, covering the location, regulatory status, and concentration of subcontractors, including those in third countries.
  • Assess whether subcontracting arrangements could affect the transferability of ICT services or the continuity of critical or important functions in the event of a disruption.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Financial entities shall take into account their size and their overall risk profile and the nature, scale, and elements of increased or reduced complexity of their services, activities and operations, including elements relating to:

  1. the type of ICT services that support critical or important functions covered by the contractual arrangement between the financial entity and the ICT third-party service provider;

  2. the type of ICT services covered by the contractual arrangement between the ICT-third party service provider and its subcontractors;

  3. the location of the ICT subcontractor providing ICT services that support critical or important functions or a material part thereof, or of its parent company;

  4. the length and complexity of the chain of subcontractors providing ICT services that support critical or important functions or material parts thereof used by the ICT third-party service provider;

  5. the nature of the data shared with the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof;

  6. whether the ICT services that support critical or important functions or material parts thereof are provided by subcontractors, located within a Member State or in a third country, including the location where the ICT services are actually provided from and the location where the data are actually processed and stored;

  7. whether the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof are part of the same group as the financial entity to which those services are provided;

  8. whether the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof are authorised, registered or subject to supervision or oversight by a competent authority in a Member State, or are subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554;

  9. whether the ICT third-party service providers that support critical or important functions or material parts thereof are authorised, registered or subject to supervision or oversight by a supervisory authority from a third country;

  10. whether the provision of ICT services supporting critical or important functions or material parts thereof is concentrated to a single subcontractor of an ICT third-party service provider or a small number of such subcontractors;

  11. whether the subcontracting of ICT services that support critical or important functions or material parts would impact the transferability of those ICT services to another ICT third-party service provider;

  12. the potential impact of disruptions on the continuity and availability of the ICT services that support critical or important functions or material parts thereof provided by the ICT third-party service provider when using a subcontractor providing ICT services that support critical or important functions or material parts thereof.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod