Source: OJ L, 2024/1773, 25.6.2024

Article 4 Main phases of the life cycle for the adoption and use of contractual arrangements


Summary: What does Article 4 of the RTS on ICT third-party service provider policy say?

Article 4 acts as a structural backbone for the broader regulation, requiring that the policy covers every major phase of a contractual arrangement's lifecycle with ICT third-party service providers.

Rather than focusing on one specific obligation, it maps out the full journey of a contractual arrangement — from planning and due diligence, through implementation and ongoing monitoring, all the way to exit and termination — ensuring nothing falls through the gaps.

It explicitly cross-references several other articles in the regulation, meaning it serves as a connecting thread that ties together the more detailed requirements found elsewhere.

Important points:

  • Ensure your policy addresses every stage of the contractual arrangement lifecycle, from pre-contractual planning through to exit strategies.
  • The management body must have defined responsibilities, including appropriate involvement in decision-making on the use of ICT services supporting critical or important functions.
  • Documentation and record-keeping obligations must align with the register of information requirements under Article 28(3) of Regulation (EU) 2022/2554.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following:

  1. the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;

  2. the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4);

  3. the involvement of business units, internal controls and other relevant units in respect of contractual arrangements;

  4. the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable;

  5. the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554;

  6. the exit strategies and termination processes as set out in Article 10.
