Source: OJ L, 2024/1773, 25.6.2024
Digital operational resilience in the financial sector / ICT third-party service providers / RTS on ICT third-party service provider policy
Article 5 Ex ante risk assessment
Summary
What does Article 5 of the RTS on ICT third-party service provider policy say?
Article 5 sets out the pre-contractual obligations that must be embedded in a financial entity's policy before any contractual arrangement with an ICT third-party service provider is concluded.
It establishes two clear prerequisites: first, that business needs are defined upfront, and second, that a thorough risk assessment is carried out.
The risk assessment requirement is notably detailed, covering a broad range of risk categories that must be evaluated, from operational and legal risks through to data location risks and ICT concentration risks.
This article connects directly to Article 4, which governs the lifecycle of contractual arrangements, by anchoring the planning phase of that lifecycle in a structured, risk-informed approach.
Important points:
- Define business needs and conduct a risk assessment before entering into any contractual arrangement with an ICT third-party service provider.
- The risk assessment must be conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level.
- The risk assessment must cover a wide range of risk categories, including ICT concentration risks at entity level and risks linked to the location where data is processed and stored.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
The policy shall require that the financial entity's business needs are defined before the conclusion of any contractual arrangement.
The policy shall require that a risk assessment is carried out at financial entity level and, where applicable, at consolidated and sub-consolidated level, before the conclusion of any contractual arrangement.
The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and in applicable sectoral Union legislation. It shall consider, in particular, the impact that the provision of ICT services supporting critical or important functions by ICT third-party service providers may have on the financial entity, and all risks linked to that provision, which include:
- operational risks;
- legal risks;
- ICT risks;
- reputational risks;
- risks linked to the protection of confidential or personal data;
- risks linked to the availability of data;
- risks linked to the location where the data is processed and stored;
- risks linked to the geographical location of the ICT third-party service provider;
- ICT concentration risks at entity level.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definitions referenced in this article:
- ICT services (Fr. services TIC)
- critical ICT third-party service provider (Fr. prestataire tiers critique de services TIC)
- ICT concentration risk (Fr. risque de concentration de TIC)
- ICT third-party service provider (Fr. prestataire tiers de services TIC)
- critical or important function (Fr. fonction critique ou importante)