Recitals
DELEGATED REGULATION (EU) …/… of XXX

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, and in particular Article 30(5) thereof,

Whereas:
(1) Article 30(2) of Regulation (EU) 2022/2554 requires financial entities to set out contractual arrangements on the use of ICT services that include at least a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of ICT services supporting critical or important functions, or material parts thereof (hereafter “ICT services supporting critical or important functions”), is permitted and, when that is the case, the conditions applying to such subcontracting.
					    
(2) To ensure a consistent and uniform application by financial entities and supervisory convergence across the European Union, it is necessary to further specify the elements set out under Article 30(2) of Regulation (EU) 2022/2554.
					    
(3) The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors, whereby ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers. This indirect reliance on ICT subcontractors may have an impact on financial entities’ ability to identify, assess and manage their risks, including risks linked to gaps in the information provided by ICT third-party service providers and to the financial entities’ limited ability to obtain information from ICT subcontractors providing ICT services supporting critical or important functions or material parts thereof. It cannot, however, reduce the responsibility of the financial entities and their management bodies to manage their risks and to comply with their legislative and regulatory requirements.
					    
(4) In this regard, where the provision of ICT services to financial entities depends on a potentially long or complex chain of ICT subcontractors in which several subcontractors may be involved, it is essential that financial entities identify the overall chain of subcontractors providing ICT services supporting critical or important functions.
					    
(5) According to Article 28(1) of Regulation (EU) 2022/2554, financial entities shall, on a continuous basis, identify all sources of ICT risk. In order to do so, when receiving ICT services supporting critical or important functions, financial entities should continue to effectively monitor those ICT services.
					    
(6) Among those subcontractors that provide ICT services supporting critical or important functions, financial entities should put a particular and continuous focus on the subcontractors that effectively underpin the ICT service supporting critical or important functions, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision, in accordance with Article 3(1)(b) of the Implementing Technical Standards with regard to standard templates for the register of information.
					    
(7) Financial entities vary widely in their size, structure and internal organisation, and in the nature and complexity of their activities. It is therefore necessary to take that diversity into account when developing the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions, while imposing certain fundamental regulatory requirements which are appropriate for all financial entities, and to ensure that those requirements are applied in a proportionate manner.
					    
(8) When permitted by the financial entities in accordance with Article 30(2) of Regulation (EU) 2022/2554, the use of subcontracted ICT services supporting critical or important functions by ICT third-party service providers cannot reduce the ultimate responsibility of the financial entities and their management bodies to manage their risks and to comply with their legislative and regulatory obligations.
					    
(9) When subcontracting ICT services supporting critical or important functions is permitted, it is of utmost importance that financial entities conduct a risk assessment before entering into an arrangement with ICT third-party service providers, so as to have a clear and holistic view of the risks associated with subcontracting and to be in a position to properly monitor, manage and mitigate the risks that may affect the provision of the subcontracted ICT services supporting critical or important functions.
					    
(10) Taking into account the application of the proportionality principle and a risk-based approach, financial entities should have appropriate processes in place, directly or indirectly through their ICT third-party service providers, to address the relevant risks that may impact the provision of ICT services supporting critical or important functions, in accordance with their contractual arrangements with ICT third-party service providers. Financial entities should identify the most appropriate way to perform the due diligence on the subcontractors and the risk assessment, either directly by themselves or indirectly through their ICT third-party service providers, considering the specificities of the contractual arrangements and having regard to their final responsibility stemming from Regulation (EU) 2022/2554.
					    
(11) ICT intra-group subcontractors providing ICT services supporting critical or important functions or material parts thereof, including those fully or collectively owned by financial entities within the same institutional protection scheme, where applicable, should be considered as ICT subcontractors. In accordance with Regulation (EU) 2022/2554, the requirements applicable for the use of intra-group subcontracting are the same as those applicable to non-intra-group subcontracting, regardless of the differences that may exist in the risks posed in both cases.
					    
(12) Where financial entities belong to a group, the parent undertaking should ensure that the policy on the use by ICT third-party service providers of ICT subcontractors providing ICT services supporting critical or important functions or material parts thereof is applied in a consistent and coherent way within the group.
					    
(13) In order to have a comprehensive management of the risks that could arise when subcontracting ICT services supporting critical or important functions, it is necessary to take into account the steps of the life cycle of a contractual arrangement for the use of ICT services supporting critical or important functions provided by ICT third-party service providers, including for subcontracting arrangements. In this regard, it is necessary to set out requirements for financial entities that should be reflected in their contractual arrangements with ICT third-party service providers when the use of subcontracted ICT services supporting critical or important functions is permitted.
					    
(14) To mitigate the subcontracting risks, it is necessary to specify all the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services supporting critical or important functions. For this purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or for material changes to existing ones made by the ICT third-party service provider.
					    
(15) In order to identify the risks that could arise before entering into an arrangement with an ICT subcontractor, the ICT third-party service providers should follow an appropriate and proportionate process to select and assess the suitability of potential subcontractors, in line with the ICT contractual arrangements concluded with the financial entity. The ICT contractual arrangements should therefore foresee that the ICT third-party service provider or, where appropriate, the financial entity directly, assesses the subcontractor’s resources, including its expertise and adequate financial, human and technical resources, its information security, and its organisational structure, including the risk management and internal controls that the subcontractor should have in place.
					    
(16) In order to mitigate the subcontracting risks along the life cycle of contractual arrangements, it is necessary to set out the minimum content of the contractual arrangements between the financial entities and the ICT third-party service providers when using ICT subcontracting for the use of ICT services.
					    
(17) Financial entities should monitor the performance of the ICT service provision and any relevant changes occurring within their subcontracting chain providing ICT services supporting critical or important functions, in order to mitigate any vulnerabilities and threats that may pose risks to their ICT systems and operations.
					    
(18) Financial entities should be informed of new subcontracting arrangements, or material changes thereof, made by the ICT third-party service provider with a notice period that allows them to assess the risks associated with such new arrangements or material changes. Where the outcome of the risk assessment is that the new arrangements or material changes carry a level of risk that exceeds their risk tolerance, financial entities should have the right to terminate the contract with the ICT third-party service provider. The financial entity’s objections may be addressed by the ICT third-party service provider before the financial entity exercises its termination right.
					    
(19) The European Supervisory Authorities have conducted an open public consultation on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs’ Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010, Article 37 of Regulation (EU) No 1094/2010 and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council.

HAS ADOPTED THIS REGULATION: