Source: OJ L 333, 27.12.2022, p. 1–79
Article 30 Key contractual provisions
1. The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.
2. The contractual arrangements on the use of ICT services shall include at least the following elements:
(a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
(b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
(c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
(d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
(e) service level descriptions, including updates and revisions thereof;
(f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
(g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
(h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
(i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).
3. The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:
(a) full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
(b) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
(c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
(d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27;
(e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
  (i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
  (ii) the right to agree on alternative assurance levels if other clients’ rights are affected;
  (iii) the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
  (iv) the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
(f) exit strategies, in particular the establishment of a mandatory adequate transition period:
  (i) during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;
  (ii) allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
4. By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.
5. When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services.
6. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements referred to in paragraph 2, point (a), which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
When developing those draft regulatory technical standards, the ESAs shall take into consideration the size and overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Relevant recitals
Recital 68 Harmonisation of contractual provisions with ICT third-party service providers
To evaluate and monitor on a regular basis the ability of an ICT third-party service provider to securely provide services to a financial entity without adverse effects on a financial entity’s digital operational resilience, several key contractual elements with ICT third-party service providers should be harmonised. Such harmonisation should cover minimum areas which are crucial for enabling a full monitoring by the financial entity of the risks that could emerge from the ICT third-party service provider, from the perspective of a financial entity’s need to secure its digital resilience because it is deeply dependent on the stability, functionality, availability and security of the ICT services received.
Recital 69 Alignment with key requirements in contract renegotiation
When renegotiating contractual arrangements to seek alignment with the requirements of this Regulation, financial entities and ICT third-party service providers should ensure the coverage of the key contractual provisions as provided for in this Regulation.
Recital 71 Contractual arrangements with ICT services
Irrespective of the criticality or importance of the function supported by the ICT services, contractual arrangements should, in particular, provide for a specification of the complete descriptions of functions and services, of the locations where such functions are provided and where data is to be processed, as well as an indication of service level descriptions. Other essential elements to enable a financial entity’s monitoring of ICT third-party risk are: contractual provisions specifying how the accessibility, availability, integrity, security and protection of personal data are ensured by the ICT third-party service provider, provisions laying down the relevant guarantees for enabling the access, recovery and return of data in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, as well as provisions requiring the ICT third-party service provider to provide assistance in case of ICT incidents in connection with the services provided, at no additional cost or at a cost determined ex-ante; provisions on the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and resolution authorities of the financial entity; and provisions on termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities.
Recital 72 Contractual arrangements for critical or important ICT services
In addition to such contractual provisions, and with a view to ensuring that financial entities remain in full control of all developments occurring at third-party level which may impair their ICT security, the contracts for the provision of ICT services supporting critical or important functions should also provide for the following: the specification of the full service level descriptions, with precise quantitative and qualitative performance targets, to enable without undue delay appropriate corrective actions when the agreed service levels are not met; the relevant notice periods and reporting obligations of the ICT third-party service provider in the event of developments with a potential material impact on the ICT third-party service provider’s ability to effectively provide their respective ICT services; a requirement upon the ICT third-party service provider to implement and test business contingency plans and have ICT security measures, tools and policies allowing for the secure provision of services, and to participate and fully cooperate in the TLPT carried out by the financial entity.
Recital 73 Access, inspection, and audit provisions
Contracts for the provision of ICT services supporting critical or important functions should also contain provisions enabling the rights of access, inspection and audit by the financial entity, or an appointed third party, and the right to take copies as crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the service provider’s full cooperation during inspections. Similarly, the competent authority of the financial entity should have the right, based on notices, to inspect and audit the ICT third-party service provider, subject to the protection of confidential information.
Recital 74 Exit strategies and resolution resilience
Such contractual arrangements should also provide for dedicated exit strategies to enable, in particular, mandatory transition periods during which ICT third-party service providers should continue providing the relevant services with a view to reducing the risk of disruptions at the level of the financial entity, or to allow the latter effectively to switch to the use of other ICT third-party service providers or, alternatively, to change to in-house solutions, consistent with the complexity of the provided ICT service. Moreover, financial entities within the scope of Directive 2014/59/EU should ensure that the relevant contracts for ICT services are robust and fully enforceable in the event of resolution of those financial entities. Therefore, in line with the expectations of the resolution authorities, those financial entities should ensure that the relevant contracts for ICT services are resolution resilient. As long as they continue meeting their payment obligations, those financial entities should ensure, among other requirements, that the relevant contracts for ICT services contain clauses for non-termination, non-suspension and non-modification on grounds of restructuring or resolution.
Recital 75 Use of standard contractual clauses
Moreover, the voluntary use of standard contractual clauses developed by public authorities or Union institutions, in particular the use of contractual clauses developed by the Commission for cloud computing services, could provide further comfort to the financial entities and ICT third-party service providers, by enhancing their level of legal certainty regarding the use of cloud computing services in the financial sector, in full alignment with the requirements and expectations set out by the Union financial services law. The development of standard contractual clauses builds on measures already envisaged in the 2018 Fintech Action Plan that announced the Commission’s intention to encourage and facilitate the development of standard contractual clauses for the use of cloud computing services outsourcing by financial entities, drawing on cross-sectorial cloud computing services stakeholders’ efforts, which the Commission has facilitated with the help of the financial sector’s involvement.