Source: OJ L, 2025/532, 2.7.2025
RTS on subcontracting ICT services (Digital operational resilience in the financial sector, ICT third-party service providers)
Article 3 Due diligence and risk assessment regarding the use of subcontractors that support critical or important functions
1. A financial entity shall, before entering into a contractual arrangement with an ICT third-party service provider, decide whether that ICT third-party service provider may subcontract an ICT service that supports critical or important functions or material parts thereof. The financial entity shall only enter into such contractual arrangement where it has assessed that all of the following conditions have been complied with:
(a) the due diligence processes on the ICT third-party service provider ensure that it is able to select and assess the operational and financial abilities of potential ICT subcontractors to provide the ICT services that support critical or important functions or material parts thereof, including by participating, when required to do so by the financial entity, in digital operational resilience testing as referred to in Chapter IV of Regulation (EU) 2022/2554;
(b) the ICT third-party service provider is able to identify all subcontractors that provide ICT services that support critical or important functions or material parts thereof, to notify and inform the financial entity of those subcontractors, and is able to provide to the financial entity all information that may be necessary for the assessment of the conditions under this Article;
(c) the ICT third-party service provider ensures that the contractual arrangements with the subcontractors that provide ICT services that support critical or important functions or material parts thereof enable the financial entity to comply with its own obligations stemming from Regulation (EU) 2022/2554 and applicable Union and national legislation;
(d) the subcontractor grants the financial entity and competent and resolution authorities the same contractual rights of access and inspection as those granted by the ICT third-party service provider;
(e) without prejudice to the financial entity’s final responsibility to comply with its legal and regulatory obligations, the ICT third-party service provider itself has sufficient ability, expertise, and adequate financial, human, and technical resources to monitor the ICT risks at the level of subcontractors, including by applying appropriate information security standards and by having in place an appropriate organisational structure, risk management and internal controls, and incidents reporting and responses;
(f) the financial entity has sufficient abilities, expertise, and adequate financial, human and technical resources to monitor the ICT risks relating to the service supporting critical or important functions or material parts thereof that has been subcontracted, including by applying appropriate information security standards and by having in place an appropriate organisational structure and risk management, incident response, business continuity management and internal controls;
(g) the financial entity has assessed the impact on the financial entity’s digital operational resilience and financial soundness of a possible failure of a subcontractor that provides ICT services that support critical or important functions or a material part thereof;
(h) the financial entity has assessed the risks associated with the location of the potential subcontractors in relation to the ICT services that support critical or important functions or a material part thereof provided by the ICT third-party service provider;
(i) the financial entity has assessed the ICT concentration risks at entity level in accordance with Article 29 of Regulation (EU) 2022/2554;
(j) the financial entity has assessed whether there are any obstacles to the exercise of audit, inspection and access rights by the competent authorities, resolution authorities, or the financial entity, including persons appointed by them.
2. Financial entities that use ICT third-party service providers that subcontract ICT services that support critical or important functions or material parts thereof shall periodically carry out the risk assessment referred to in paragraph 1, points (f) to (j), against possible changes in their business environment, including against changes in the supported business functions, in risk assessments including ICT threats, ICT concentration risks, and geopolitical risks.
3. Reliance on the results of the risk assessment carried out by their ICT third-party service providers on their subcontractors in complying with the obligations set out in this Article shall not limit the final responsibility of financial entities to comply with their legal and regulatory obligations under Regulation (EU) 2022/2554.
Relevant recitals
Recital 4 Clear and holistic view of risks associated with subcontracting
When permitted by the financial entities in accordance with Article 30(2) of Regulation (EU) 2022/2554, the use of subcontracted ICT services supporting critical or important functions by ICT third-party service providers cannot reduce the ultimate responsibility of the management bodies of the financial entities to manage their risks and to comply with their legislative and regulatory obligations. Where subcontracting ICT services supporting critical or important functions is permitted, it is important that financial entities have a clear and holistic view of the risks associated with subcontracting services that support critical or important functions so that they are able to monitor, manage and mitigate those risks. They should therefore assess those risks before subcontracting those services.
Recital 7 Life cycle and contractual provisions
It is important to ensure a comprehensive management of the risks that can arise when ICT services that support critical or important functions are subcontracted. For that reason, financial entities should follow the steps of the life cycle of a contractual arrangement for the use of ICT services that support those functions and that are provided by ICT third-party service providers, including for subcontracting arrangements. It is therefore necessary to lay down requirements for financial entities that should be reflected in their contractual arrangements with ICT third-party service providers where the use of subcontracted ICT services supporting critical or important functions is permitted.
Recital 8 Conditions throughout the life cycle
To mitigate risks that are linked to subcontracting, it is necessary to specify the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services that support critical or important functions. For that purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or material changes to existing ones made by the ICT third-party service provider.
Recital 9 Due diligence of subcontractors
To identify risks that could arise before a financial entity enters into an arrangement with an ICT subcontractor, ICT third-party service providers should assess, in an appropriate and proportional way, the suitability of potential subcontractors on the basis of the ICT contractual arrangements that the ICT third-party service provider concluded with the financial entity. Those ICT contractual arrangements should therefore require the ICT third-party service provider, or the financial entity directly, as appropriate, to assess the resources of the potential subcontractor, including its expertise and whether it has the proper financial, human and technical resources, its information security, and its organisational structure, including the risk management and internal controls that the subcontractor should have in place.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.