Source: OJ L, 2025/532, 2.7.2025Current language: EN
- Digital operational resilience in the financial sector
ICT third-party service providers
- RTS on subcontracting ICT services
Article 5 Material changes to subcontracting arrangements of ICT services that support critical or important functions or material parts thereof
Summary What does Article 5 of the RTS on subcontracting ICT services say?
This article establishes the notification and approval process that must govern any material changes an ICT third-party service provider intends to make to its subcontracting arrangements.
It builds directly on Article 4, which sets out the required content of contractual arrangements, by specifying how changes to those arrangements must be handled in practice.
The core logic is that financial entities must be given sufficient advance notice of changes to assess the associated risks and decide whether to approve or object, and that providers cannot act unilaterally before that process is concluded.
Important points:
- Ensure your contractual arrangements with ICT third-party service providers include a reasonable notice period for material subcontracting changes, along with your right to approve or object to them.
- ICT third-party service providers are required to hold off implementing any material changes until the financial entity has approved or the notice period has elapsed without objection.
- Where material changes exceed your risk tolerance, formally object and request modifications before the notice period expires.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The contractual arrangement shall provide that the ICT third-party service provider shall inform the financial entity about any intended material changes to its subcontracting arrangements well in time to enable the financial entity to assess:
the impact on the risks it is or might be exposed to;
whether such material changes might affect the ability of the ICT third-party service provider to meet its contractual obligations vis-a-vis the financial entity.
The contractual arrangement shall contain a reasonable notice period by which the financial entity is to approve or object to the changes.
The ICT third-party service provider shall only implement the material changes to its subcontracting arrangements after the financial entity has either approved or not objected to the changes by the end of the notice period.
Where the financial entity is of the opinion that the material changes referred to in paragraph 1 exceed the financial entity’s risk tolerance, the financial entity shall, before the end of the notice period:
inform the ICT third-party service provider thereof;
object to the changes and request modifications to those changes before they are implemented.
Relevant recitals
Recital 8 Conditions throughout the life cycle
To mitigate risks that are linked to subcontracting, it is necessary to specify the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services that support critical or important functions. For that purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or material changes to existing ones made by the ICT third-party service provider.
Recital 10 Monitoring of subcontractors and notifications of changes
To mitigate any vulnerabilities and threats that may pose risks to their ICT systems and operations, financial entities should be able to monitor the performance of the ICT service and to be informed of any relevant changes within their ICT subcontracting chain where such changes concern critical or important functions.
Recital 11 Notification of changes and right to terminate
To enable financial entities to assess the risks associated with subcontracting arrangements or material changes thereto, ICT third-party service providers should inform the financial entities to which they provide ICT services of all such new arrangements or changes well before such arrangements or changes start to apply. For the same reason, financial entities should have the right to terminate the contract with the ICT third-party service provider where the outcome of their risk assessment shows that the new arrangements or material changes carry a level of risk that exceed their risk tolerance.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT third-party service provider
Definition
vulnerability
Definition
ICT services
Definition
critical or important function