Source: OJ L, 2024/1773, 25.6.2024

Article 5 Ex-ante risk assessment


    1. The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.

    1. The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded.

    2. The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:

      1. operational risks;

      2. legal risks;

      3. ICT risks;

      4. reputational risks;

      5. risks linked to the protection of confidential or personal data;

      6. risks linked to the availability of data;

      7. risks linked to the location where the data is processed and stored;

      8. risks linked to the location of the ICT third-party service provider;

      9. ICT concentration risks at entity level.
