Source: OJ L, 2024/1773, 25.6.2024

Current language: EN

Article 9 Monitoring of the contractual arrangements

Summary: What does Article 9 of the RTS on ICT third-party service provider policy say?

Article 9 focuses on the ongoing monitoring and performance management of ICT third-party service providers once contractual arrangements are in place.

Building on the pre-contractual due diligence requirements established in earlier articles, this article shifts the focus to the live relationship — requiring financial entities to embed continuous oversight mechanisms into their policy.

It covers how performance is measured, how shortcomings are to be identified and remedied, and crucially, how the findings from monitoring feed back into the financial entity's broader risk assessment process established under Article 6.

Important points:

  • Establish ongoing monitoring of ICT third-party service providers through key indicators, regular reporting, audits, and incident notification requirements embedded in your contractual arrangements.
  • Document all performance assessments and use the results to update your risk assessment, directly linking day-to-day monitoring back to the entity-level risk framework.
  • Define clear remediation measures and a monitored implementation timeframe for when shortcomings or incidents are identified in the provision of ICT services supporting critical or important functions.

The above is Springlex's summary of the article, a reading aid and not a substitute for the legal text, which follows.

    1. The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate.

    2. The policy shall specify how the financial entity is to assess whether the ICT third-party service providers used for the ICT services supporting critical or important functions meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity’s own policies. The policy shall, in particular, ensure the following:

      1. that the ICT third-party service providers provide appropriate reports on their activities and services to the financial entity, including periodic reports, incidents reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing;

      2. that the performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity’s ICT risk management framework;

      3. that the financial entity receives other relevant information from the ICT third-party service providers;

      4. that the financial entity is notified, where appropriate, of ICT-related incidents and operational or security payment-related incidents;

      5. that an independent review and audits verifying compliance with legal and regulatory requirements and policies are performed.

    3. The policy shall specify that the assessment referred to in paragraph 2 is to be documented and its results to be used to update the financial entity’s risk assessment referred to in Article 6.

    4. The policy shall establish the appropriate measures that the financial entity is to adopt if it identifies shortcomings of the ICT third-party service providers, including ICT-related incidents and operational or security payment-related incidents, in the provision of the ICT services supporting critical or important functions or in the compliance with contractual arrangements or legal requirements. It shall also specify how the implementation of such measures is to be monitored in order to ensure that they are effectively complied with within a defined timeframe, taking into account the materiality of the shortcomings.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod