Beta

Source: OJ L 333, 27.12.2022, p. 1–79

EN

Recital 67 Gradual approach to ICT third-party concentration risk

To address the systemic impact of ICT third-party concentration risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entitiesas defined in Article 2, points (a) to (t) should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with ICT third-party service providers established in a third country means an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services;. At this stage, and with a view to striking a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to set out rules on strict caps and limits to ICT third-party exposures. In the context of the Oversight Framework, a Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;, appointed pursuant to this Regulation, should, in respect to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, pay particular attention to fully grasp the magnitude of interdependences, discover specific instances where a high degree of concentration of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; in the Union is likely to put a strain on the Union financial system’s stability and integrity and maintain a dialogue with critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; where that specific risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; is identified.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod