Source: OJ L, 2025/532, 2.7.2025Current language: EN
- Digital operational resilience in the financial sector
ICT third-party service providers
- RTS on subcontracting ICT services
Article 4 Conditions under which ICT services that support critical or important functions or a material part thereof may be subcontracted
The contractual arrangement concluded between the financial entity and the ICT third-party service providermeans an undertaking providing ICT services; shall identify which ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof are eligible for subcontracting and under which conditions. That contract shall specify:
that the ICT third-party service providermeans an undertaking providing ICT services; is responsible for the provision of the services provided by the subcontractors;
that the ICT third-party service providermeans an undertaking providing ICT services; is required to monitor all subcontracted ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met;
the monitoring and reporting obligations of the ICT third-party service providermeans an undertaking providing ICT services; towards the financial entity regarding subcontractors that provide ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof;
that the ICT third-party service providermeans an undertaking providing ICT services; is to assess all risks associated with the location of the current or potential subcontractors that provide ICT service that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, and their parent company and with the location where the ICT service concerned is provided from;
the location of data processed or stored by the subcontractor, where relevant;
that the ICT third-party service providermeans an undertaking providing ICT services; is to specify in its contract with its subcontractors the monitoring and reporting obligations of that subcontractor towards the ICT third-party service providermeans an undertaking providing ICT services;, and where agreed, towards the financial entity;
that the ICT third-party service providermeans an undertaking providing ICT services; is to ensure the continuity of the ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations;
that the contractual arrangement between the ICT third-party service providermeans an undertaking providing ICT services; and its subcontractors contains the requirements on business contingency plans referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554 and specifies the service levels to be met by the ICT subcontractors in relation to those plans;
that the contractual arrangement between the ICT third-party service providermeans an undertaking providing ICT services; and its subcontractors specifies the ICT security standards and any additional security requirements referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554;
that the subcontractor is to grant to the financial entity and relevant competent and resolution authorities the same rights of access, inspection, and audit as those referred to in Article 30(3), point (e), of Regulation (EU) 2022/2554;
that the ICT third-party service providermeans an undertaking providing ICT services; is to notify the financial entity of any material change to subcontracting arrangements;
that the financial entity has the right to terminate the contract with the ICT third-party service providermeans an undertaking providing ICT services; when the conditions laid down in either Article 6 of this Regulation or the conditions laid down in Article 28(7) of Regulation (EU) 2022/2554 have been fulfilled.
Changes relative to contractual agreements between the financial entity and ICT third-party service providersmeans an undertaking providing ICT services; that provide an ICT service supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible. The financial entity shall document the planned timeline for the implementation.
Relevant recitals
Recital 7 Life cycle and contractual provisions
It is important to ensure a comprehensive management of the risks that can arise when ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; are subcontracted. For that reason, financial entities should follow the steps of the life cycle of a contractual arrangement for the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support those functions and that are provided by ICT third-party service providersmeans an undertaking providing ICT services;, including for subcontracting arrangements. It is therefore necessary to lay down requirements for financial entities that should be reflected in their contractual arrangements with ICT third-party service providersmeans an undertaking providing ICT services; where the use of subcontracted ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; is permitted.
Recital 8 Conditions throughout the life cycle
To mitigate risks that are linked to subcontracting, it is necessary to specify the conditions under which ICT third-party service providersmeans an undertaking providing ICT services; can use subcontractors for the provision of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;. For that purpose, ICT contractual arrangements between financial entities and ICT third-party service providersmeans an undertaking providing ICT services; should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, or material changes to existing ones made by the ICT third-party service providermeans an undertaking providing ICT services;.
Recital 10 Monitoring of subcontractors and notifications of changes
To mitigate any vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; and threats that may pose risks to their ICT systems and operations, financial entities should be able to monitor the performance of the ICT service and to be informed of any relevant changes within their ICT subcontracting chain where such changes concern critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.