Source: OJ L, 2024/1773, 25.6.2024
Article 4 Main phases of the life cycle for the adoption and use of contractual arrangements
Summary
What does Article 4 of the RTS on ICT third-party service provider policy say?
Article 4 acts as a structural backbone for the broader regulation, requiring that the policy covers every major phase of a contractual arrangement's lifecycle with ICT third-party service providers.
Rather than focusing on one specific obligation, it maps out the full journey of a contractual arrangement — from planning and due diligence, through implementation and ongoing monitoring, all the way to exit and termination — ensuring nothing falls through the gaps.
It explicitly cross-references several other articles in the regulation, meaning it serves as a connecting thread that ties together the more detailed requirements found elsewhere.
Important points:
- Ensure your policy addresses every stage of the contractual arrangement lifecycle, from pre-contractual planning through to exit strategies.
- The management body must have defined responsibilities, including appropriate involvement in decision-making on the use of ICT services supporting critical or important functions.
- Documentation and record-keeping obligations must align with the register of information requirements under Article 28(3) of Regulation (EU) 2022/2554.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following:
- the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;
- the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4);
- the involvement of business units, internal controls and other relevant units in respect of contractual arrangements;
- the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable;
- the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554;
- the exit strategies and termination processes as set out in Article 10.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.