Source: OJ L, 2025/295, 13.2.2025
EN - Digital operational resilience in the financial sector
Oversight framework
- RTS on harmonisation for oversight conduct
Article 2 Content, structure and format of the information to be submitted, disclosed or reported by critical ICT third-party service providers
1. Critical ICT third-party service providers shall provide to the Lead Overseer, upon its request, any information that is necessary for the Lead Overseer to carry out its oversight duties in accordance with the requirements of Regulation (EU) 2022/2554.

2. The information referred to in paragraph 1 includes, inter alia, the following:

- information about the arrangements, and copies of contractual documents, between:
  - the critical ICT third-party service provider and the financial entities referred to in Article 2(1) of Regulation (EU) 2022/2554;
  - the critical ICT third-party service provider and its subcontractors, with a view to capturing the technological value chain of the ICT services provided to the financial entities in the Union;
- information about the organisational and group structure of the critical ICT third-party service provider, including identification of all entities belonging to the same group that directly or indirectly provide ICT services to financial entities in the Union;
- information about the major shareholders, including their structure and geographical spread, of any of the following:
  - entities that hold, solely or jointly with their linked entities, 25 % or more of the capital or voting rights of the critical ICT third-party service provider;
  - entities that hold the right to appoint or remove a majority of the members of the administrative, management, or supervisory body of the critical ICT third-party service provider;
  - entities that control, pursuant to an agreement, a majority of shareholders' or members' voting rights in the critical ICT third-party service provider;
- information about the critical ICT third-party service provider's market share per type of service, in the relevant markets where it operates;
- information about the internal governance arrangements of the critical ICT third-party service provider, including the structure with lines of governance responsibility and accountability rules;
- the meeting minutes of the critical ICT third-party service provider's management body and any other relevant internal committees, which relate in any way to activities and risks concerning ICT third-party services supporting functions of financial entities within the Union;
- information about the ICT security of the critical ICT third-party service provider, including relevant strategies, objectives, policies, procedures, protocols, processes, control measures to protect sensitive data, access controls, encryption practices, incident response plans, and information about compliance with all relevant regulations and national and international standards where applicable;
- information about technical and organisational measures to ensure data protection and data confidentiality, including personal and non-personal data, implemented control measures to protect sensitive data, access controls, encryption practices, and the data breach response plan; where, in regard to the processing of personal data, the ICT third-party service provider is subject to the laws of third countries, including third-country government access requests, a list of the countries and the laws applicable;
- information about the mechanisms the critical ICT third-party service provider offers to the Union financial entities for data portability, application portability and interoperability;
- information about the location of the data centres and ICT production centres used for the purposes of providing services to the financial entities, including a list of all relevant premises and facilities of the critical ICT third-party service provider, including outside the Union;
- information about the provision of services by the critical ICT third-party service provider from third countries, including information on relevant legal provisions applicable to personal and non-personal data processed by the ICT third-party service provider;
- information about measures taken to address risks arising from the provision of ICT services by the critical ICT third-party service provider and its subcontractors from third countries;
- information about the risk management framework and the incident management framework, including policies, procedures, tools, mechanisms, and governance arrangements of the critical ICT third-party service provider and of its subcontractors, including a list and description of major incidents with direct or indirect impact on financial entities within the Union, including relevant details to determine the significance of the incident on financial entities and to assess possible cross-border impacts;
- information about the change management framework, including policies, procedures, and controls of the critical ICT third-party service provider and its subcontractors;
- information about the overall response and recovery framework of the critical ICT third-party service provider, including business continuity plans and related arrangements and procedures, software development lifecycle policy, response and recovery plans and related arrangements and procedures, and backup policies, arrangements and procedures;
- information about performance monitoring, security monitoring, and incident tracking, as well as information about reporting mechanisms related to service performance, incidents, and compliance with agreed-upon service level agreements (SLAs) and service level objectives (SLOs) or similar arrangements between critical ICT third-party service providers and financial entities in the Union;
- information about the ICT third-party management framework of the critical ICT third-party service provider, including strategies, policies, procedures, processes, and controls, including details on the due diligence and risk assessment performed by the critical ICT third-party service provider on its subcontractors before entering into an agreement with them and to monitor the relationship, covering all relevant ICT and counterparty risks;
- extractions from the monitoring and scanning systems of the critical ICT third-party service provider and of its subcontractors, covering but not limited to network monitoring, server monitoring, application monitoring, security monitoring, vulnerability scanning, log management, performance monitoring, incident management and measurements against reliability goals, such as SLOs;
- extractions from any production, pre-production and test system or application used by the critical ICT third-party service provider and its subcontractors to provide, directly or indirectly, services to financial entities in the Union;
- compliance and available audit reports as well as any relevant audit findings, including audits performed by national authorities in the Union and outside the Union where cooperation agreements with the relevant authorities provide for such information exchange, or certifications achieved by the critical ICT third-party service provider or its subcontractors, including reports from internal and external auditors, certifications, or compliance assessments against industry-specific standards. This includes information about any type of available independent testing of the resilience of the ICT systems of the critical ICT third-party service provider, including any type of threat-led penetration testing carried out by the ICT third-party service provider;
- information about any assessments carried out by the critical ICT third-party service provider, upon its request or on its behalf, evaluating the suitability and integrity of individuals holding key positions within the critical ICT third-party service provider;
- information about any remediation plan to address recommendations pursuant to Article 3, and relevant related information to confirm that remedies have been implemented;
- information about available employee training schemes and security awareness programmes, including, where relevant, information on the investments, resources and methods of the critical ICT third-party service provider in training its staff to handle sensitive financial data and maintain high levels of security;
- information about the activities of the critical ICT third-party service provider and its financial statements, including information on the budget and resources related to ICT and security.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.