Preamble Recitals

The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors, whereby ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers. Indirect reliance on ICT subcontractors may have an impact on a financial entity’ ability to identify, assess, and manage its risks, including risks that are related to gaps in the information provided by ICT third-party service providers, and to the limited ability of a financial entity to obtain information from those ICT subcontractors that provide ICT services that support critical or important functions or material parts thereof. In that regard, where the provision of ICT services to financial entities depends on a potentially long or complex chain of ICT subcontractors, it is essential that financial entities identify the overall chain of subcontractors providing ICT services supporting critical or important functions.

Among those subcontractors that provide ICT services that support critical or important functions, financial entities should focus in particular and continuously on those subcontractors that effectively underpin the ICT service that supports critical or important functions, including all the subcontractors that provide ICT services the disruption of which would impair the security or continuity of the service as laid down in the register of information referred to in Article 28(3) of Regulation (EU) 2022/2554.

Financial entities vary widely in size, structure, internal organisation, and in the nature and complexity of their activities. To ensure proportionality, that diversity should be taken into account when specifying which elements a financial entity should determine and assess when subcontracting ICT services that support critical or important functions.

When permitted by the financial entities in accordance with Article 30(2) of Regulation (EU) 2022/2554, the use of subcontracted ICT services supporting critical or important functions by ICT third-party services providers cannot reduce the ultimate responsibility for the management bodies of the financial entities to manage their risks and to comply with their legislative and regulatory obligations. Where subcontracting ICT services supporting critical or important functions is permitted, it is important that financial entities have a clear and holistic view of the risks associated with subcontracting services that support critical or important functions so that they are able to monitor, manage and mitigate those risks. They should therefore assess those risks before subcontracting those services.

ICT intra-group subcontractors that provide ICT services that support critical or important functions or material parts thereof, including ICT intra-group subcontractors that are fully or collectively owned by financial entities within the same institutional protection scheme, should be considered as ICT subcontractors.

Where applicable, in a group context, the parent undertaking of financial entities should ensure that the policy on the use of ICT subcontractors providing ICT services that support critical or important functions or a material part thereof is applied in a consistent and coherent way within the group.

It is important to ensure a comprehensive management of the risks that can arise when ICT services that support critical or important functions are subcontracted. For that reason, financial entities should follow the steps of the life cycle of a contractual arrangement for the use of ICT services that support those functions and that are provided by ICT third-party service providers, including for subcontracting arrangements. It is therefore necessary to lay down requirements for financial entities that should be reflected in their contractual arrangements with ICT third-party service providers where the use of subcontracted ICT services supporting critical or important functions is permitted.

To mitigate risks that are linked to subcontracting, it is necessary to specify the conditions under which ICT third-party service providers can use subcontractors for the provision of ICT services that support critical or important functions. For that purpose, ICT contractual arrangements between financial entities and ICT third-party service providers should set out such conditions, including the planning of subcontracting arrangements, the risk assessments, the due diligence, and the approval process for new ICT subcontracting arrangements on ICT services supporting critical or important functions or material parts thereof, or material changes to existing ones made by the ICT third-party service provider.

To identify risks that could arise before a financial entity enters into an arrangement with an ICT subcontractor, ICT third-party service providers should assess, in appropriate and proportional way, the suitability of potential subcontractors on the basis of the ICT contractual arrangements that the ICT third-party service provider concluded with the financial entity. Those ICT contractual arrangements should therefore require the ICT third-party service provider, or the financial entity directly, as appropriate, assesses the resources of the potential subcontractor, including its expertise and whether it has the proper financial, human and technical resources, its information security, and its organisational structure, including the risk management and internal controls that the subcontractor should have in place.

To mitigate any vulnerabilities and threats that may pose risks to their ICT systems and operations, financial entities should be able to monitor the performance of the ICT service and to be informed of any relevant changes within their ICT subcontracting chain where such changes concern critical or important functions.

To enable financial entities to assess the risks associated with subcontracting arrangements or material changes thereto, ICT third-party service providers should inform the financial entities to which they provide ICT services of all such new arrangements or changes well before such arrangements or changes start to apply. For the same reason, financial entities should have the right to terminate the contract with the ICT third-party service provider where the outcome of their risk assessment shows that the new arrangements or material changes carry a level of risk that exceed their risk tolerance.

The European Supervisory Authorities have conducted an open public consultation on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESA’s Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(²)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(³)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj)., and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj)..

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered an opinion on 20 August 2024,