Source: OJ L, 2024/1773, 25.6.2024
Digital operational resilience act (DORA): RTS on ICT third-party service provider policy, ICT third-party service providers
Article 6 Due diligence
1. The policy shall set out an appropriate and proportionate process for selecting and assessing the prospective ICT third-party service providers, taking into account whether or not the ICT third-party service provider is an intragroup ICT service provider, and shall require that the financial entity assesses, before entering into a contractual arrangement, whether the ICT third-party service provider:
(a) has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner;
(b) has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework;
(c) uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof;
(d) is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services;
(e) consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities;
(f) acts in an ethical and socially responsible manner, respects human rights and children’s rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions.
2. The policy shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers’ risk management framework for the ICT services supporting critical or important functions to be provided by an ICT third-party service provider. The policy shall require that the due diligence process includes an assessment of the existence of risk mitigation and business continuity measures and of how their functioning within the ICT third-party service provider is ensured.
3. The policy shall determine the due diligence process for selecting and assessing the prospective ICT third-party service providers and shall indicate which of the following elements are to be used for the required level of assurance on the ICT third-party service provider’s performance:
(a) audits or independent assessments performed by the financial entity itself or on its behalf;
(b) the use of independent audit reports made on request by the ICT third-party service provider;
(c) the use of audit reports made by the internal audit function of the ICT third-party service provider;
(d) the use of appropriate third-party certifications;
(e) the use of other relevant information available to the financial entity or other information provided by the ICT third-party service provider.
4. Financial entities shall ensure an appropriate level of assurance on the ICT third-party service provider’s performance, taking into account the elements listed in paragraph 3, points (a) to (e). Where appropriate, more than one element listed in those points shall be used.

Definitions of terms used above (inline glossary on the source page):
- ICT third-party service provider: an undertaking providing ICT services.
- ICT service: an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881.
- ICT services: digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
- financial entity: a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; financial entities as referred to in paragraph 4 are those defined in Article 2, points (a) to (t).
- standard: a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation (OJ L 316, 14.11.2012, p. 12).
- risk: the potential for loss or disruption caused by an incident, expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.
- critical or important function: a function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of which would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
- digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
- competent authorities: as defined in Article 46.