Source: OJ L, 2025/532, 2.7.2025

Current language: EN

Article 1 Overall risk profile and complexity

Financial entities shall take into account their size and their overall risk profile and the nature, scale, and elements of increased or reduced complexity of their services, activities and operations, including elements relating to:

  1. the type of ICT services that support critical or important functions covered by the contractual arrangement between the financial entity and the ICT third-party service provider;

  2. the type of ICT services covered by the contractual arrangement between the ICT-third party service provider and its subcontractors;

  3. the location of the ICT subcontractor providing ICT services that support critical or important functions or a material part thereof, or of its parent company;

  4. the length and complexity of the chain of subcontractors providing ICT services that support critical or important functions or material parts thereof used by the ICT third-party service provider;

  5. the nature of the data shared with the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof;

  6. whether the ICT services that support critical or important functions or material parts thereof are provided by subcontractors, located within a Member State or in a third country, including the location where the ICT services are actually provided from and the location where the data are actually processed and stored;

  7. whether the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof are part of the same group as the financial entity to which those services are provided;

  8. whether the ICT subcontractors providing ICT services that support critical or important functions or material parts thereof are authorised, registered or subject to supervision or oversight by a competent authority in a Member State, or are subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554;

  9. whether the ICT third-party service providers that support critical or important functions or material parts thereof are authorised, registered or subject to supervision or oversight by a supervisory authority from a third country;

  10. whether the provision of ICT services supporting critical or important functions or material parts thereof is concentrated to a single subcontractor of an ICT third-party service provider or a small number of such subcontractors;

  11. whether the subcontracting of ICT services that support critical or important functions or material parts would impact the transferability of those ICT services to another ICT third-party service provider;

  12. the potential impact of disruptions on the continuity and availability of the ICT services that support critical or important functions or material parts thereof provided by the ICT third-party service provider when using a subcontractor providing ICT services that support critical or important functions or material parts thereof.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod