Source: OJ L, 2025/532, 2.7.2025Current language: EN
- Digital operational resilience in the financial sector
ICT third-party service providers
- RTS on subcontracting ICT services
Article 5 Material changes to subcontracting arrangements of ICT services that support critical or important functions or material parts thereof
The contractual arrangement shall provide that the ICT third-party service provider shall inform the financial entity about any intended material changes to its subcontracting arrangements well in time to enable the financial entity to assess:
the impact on the risks it is or might be exposed to;
whether such material changes might affect the ability of the ICT third-party service provider to meet its contractual obligations vis-a-vis the financial entity.
The contractual arrangement shall contain a reasonable notice period by which the financial entity is to approve or object to the changes.
The ICT third-party service provider shall only implement the material changes to its subcontracting arrangements after the financial entity has either approved or not objected to the changes by the end of the notice period.
Where the financial entity is of the opinion that the material changes referred to in paragraph 1 exceed the financial entity’s risk tolerance, the financial entity shall, before the end of the notice period:
inform the ICT third-party service provider thereof;
object to the changes and request modifications to those changes before they are implemented.
Relevant recitals
Recital 8 Conditions throughout the life cycle
To mitigate risks that are linked to subcontracting, it is necessary to specify the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services that support critical or important functions. For that purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or material changes to existing ones made by the ICT third-party service provider.
Recital 10 Monitoring of subcontractors and notifications of changes
To mitigate any vulnerabilities and threats that may pose risks to their ICT systems and operations, financial entities should be able to monitor the performance of the ICT service and to be informed of any relevant changes within their ICT subcontracting chain where such changes concern critical or important functions.
Recital 11 Notification of changes and right to terminate
To enable financial entities to assess the risks associated with subcontracting arrangements or material changes thereto, ICT third-party service providers should inform the financial entities to which they provide ICT services of all such new arrangements or changes well before such arrangements or changes start to apply. For the same reason, financial entities should have the right to terminate the contract with the ICT third-party service provider where the outcome of their risk assessment shows that the new arrangements or material changes carry a level of risk that exceed their risk tolerance.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.