Source: OJ L, 2024/1773, 25.6.2024
Article 5 Ex-ante risk assessment
Summary
What does Article 5 of the RTS on ICT third-party service provider policy say?
Article 5 sets out the pre-contractual obligations that must be embedded in a financial entity's policy before any contractual arrangement with an ICT third-party service provider is concluded.
It establishes two clear prerequisites: first, that business needs are defined upfront, and second, that a thorough risk assessment is carried out.
The risk assessment requirement is notably detailed, covering a broad range of risk categories that must be evaluated, from operational and legal risks through to data location risks and ICT concentration risks.
This article connects directly to Article 4, which governs the lifecycle of contractual arrangements, by anchoring the planning phase of that lifecycle in a structured, risk-informed approach.
Important points:
- Define business needs and conduct a risk assessment before entering into any contractual arrangement with an ICT third-party service provider.
- The risk assessment must be conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level.
- The risk assessment must cover a wide range of risk categories, including ICT concentration risks at entity level and risks linked to the location where data is processed and stored.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.
The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded.
The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:
- operational risks;
- legal risks;
- ICT risks;
- reputational risks;
- risks linked to the protection of confidential or personal data;
- risks linked to the availability of data;
- risks linked to the location where the data is processed and stored;
- risks linked to the location of the ICT third-party service provider;
- ICT concentration risks at entity level.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definitions
- ICT risk
- ICT concentration risk
- ICT third-party service provider
- network and information system
- critical ICT third-party service provider
- ICT services
- critical or important function