Source: OJ L, 2025/532, 2.7.2025

Current language: EN

Article 5 Material changes to subcontracting arrangements of ICT services that support critical or important functions or material parts thereof


Summary What does Article 5 of the RTS on subcontracting ICT services say?

This article establishes the notification and approval process that must govern any material changes an ICT third-party service provider intends to make to its subcontracting arrangements.

It builds directly on Article 4, which sets out the required content of contractual arrangements, by specifying how changes to those arrangements must be handled in practice.

The core logic is that financial entities must be given sufficient advance notice of changes to assess the associated risks and decide whether to approve or object, and that providers cannot act unilaterally before that process is concluded.

Important points:

  • Ensure your contractual arrangements with ICT third-party service providers include a reasonable notice period for material subcontracting changes, along with your right to approve or object to them.
  • ICT third-party service providers are required to hold off implementing any material changes until the financial entity has approved or the notice period has elapsed without objection.
  • Where material changes exceed your risk tolerance, formally object and request modifications before the notice period expires.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The contractual arrangement shall provide that the ICT third-party service provider shall inform the financial entity about any intended material changes to its subcontracting arrangements well in time to enable the financial entity to assess:

      1. the impact on the risks it is or might be exposed to;

      2. whether such material changes might affect the ability of the ICT third-party service provider to meet its contractual obligations vis-a-vis the financial entity.

    1. The contractual arrangement shall contain a reasonable notice period by which the financial entity is to approve or object to the changes.

    1. The ICT third-party service provider shall only implement the material changes to its subcontracting arrangements after the financial entity has either approved or not objected to the changes by the end of the notice period.

    1. Where the financial entity is of the opinion that the material changes referred to in paragraph 1 exceed the financial entity’s risk tolerance, the financial entity shall, before the end of the notice period:

      1. inform the ICT third-party service provider thereof;

      2. object to the changes and request modifications to those changes before they are implemented.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod