ITS on register of information

Certain sector-specific Union financial services legislation contains requirements on outsourcing. Those requirements have been further developed in guidelines issued by the ESAsEuropean Supervisory Authority. Under those guidelines, some financial entitiesas defined in Article 2, points (a) to (t) are expected to record specific information on their outsourcing arrangements, in some cases also in the form of registers, as part of their outsourcing risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management. In recent years, several national competent authoritiesas defined in Article 46 and the ECB have collected information included in such registers as part of their supervision of financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; compliance with the outsourcing requirements. Based on the lessons learned from the different data collection exercises of outsourcing registers performed in the recent years by the ESAsEuropean Supervisory Authority and competent authoritiesas defined in Article 46, the standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). templates should be designed in a technology-neutral manner with open tables, which have a predefined number of columns and an indefinite number of rows. In addition, the standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). templates should be linked to one another by using different specific keys forming a relational structure between those templates.

To receive ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; from an ICT third-party service provider means an undertaking providing ICT services;, including ICT intra-group service providers means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;, financial entitiesas defined in Article 2, points (a) to (t) conclude a written contract with the ICT third-party service provider means an undertaking providing ICT services;. In case of groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, ICT intra-group service providers means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; may conclude a contract with ICT third-party providers that are external to the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; to provide ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to one or more financial entitiesas defined in Article 2, points (a) to (t) of the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;. To capture the full ICT service supply chain means a sequence of contractual arrangements connected with the ICT service being provided by the direct ICT third-party service provider to the financial entity, starting with the direct ICT third-party service provider which has one or multiple other ICT third-party service providers as counterparties (subcontractors);, financial entitiesas defined in Article 2, points (a) to (t) maintaining the register of information should report both information on the contractual arrangement with their ICT intra-group service provider means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; and information on the arrangement stipulated by the ICT intra-group service provider means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; and the ICT third-party providers that are external to the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; as subcontractors. Therefore, the register of information should include a specific template enabling the reconciliation between the intra-group contracts and the contracts with ICT third-party service providers means an undertaking providing ICT services; that are external to the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;.

The provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to financial entitiesas defined in Article 2, points (a) to (t) may rely on potentially long or complex chains of subcontracting which should be monitored by the financial entitiesas defined in Article 2, points (a) to (t). Financial entitiesas defined in Article 2, points (a) to (t) should assess the associated risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including ICT third-party concentration risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; with regard to the ICT third-party service providers means an undertaking providing ICT services; supporting a critical or important function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, considering a risk-based approach and the principle of proportionality. To enable that assessment, financial entitiesas defined in Article 2, points (a) to (t) should be required to record in the register of information only those subcontractors that effectively underpin ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof, including all the subcontractors providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; whose disruption would impair the security or the continuity of the service provision. When identifying those subcontractors, financial entitiesas defined in Article 2, points (a) to (t) should consider business and ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; continuity and ICT security aspects.

A register of information should be maintained and updated by financial entitiesas defined in Article 2, points (a) to (t) including where a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; outsources all its activities to another entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, as the maintenance of the register of information contributes to the operational resilience of that financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Therefore, where an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is acting on behalf of a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; for all the activities of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; (including the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;), the direct ICT third-party service providers means an ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with: a financial entity to provide its ICT services directly to that financial entity; a financial or a non-financial entity to provide its services to other financial entities within the same group; to that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be recorded in the relevant templates of the register of information of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. In such case, the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is only registered as an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; maintaining the register.

To allow transparency and comparability of contractual arrangements and the ongoing monitoring of those arrangements, the register of information should focus on the operational links between the financial entitiesas defined in Article 2, points (a) to (t) and the ICT third-party service providers means an undertaking providing ICT services;. To that end, the register of information should use four keys, which, among others, linking relevant data to each other across the templates of the register of information: (i) the reference number of the contractual arrangement between the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; signing that arrangement and the direct ICT third-party service provider means an ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with: a financial entity to provide its ICT services directly to that financial entity; a financial or a non-financial entity to provide its services to other financial entities within the same group;, (ii) an appropriate identifier of financial entitiesas defined in Article 2, points (a) to (t) and ICT third-party service providers means an undertaking providing ICT services;, (iii) the function identifier, and (iv) the type of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;.

To appropriately document the contractual arrangements between the financial entitiesas defined in Article 2, points (a) to (t) and the ICT third-party service providers means an undertaking providing ICT services; as required by Regulation (EU) 2022/2554, it is understood that ICT third-party service providers means an undertaking providing ICT services; should provide for an identification number which allows for their consistent and accurate identification by the financial entitiesas defined in Article 2, points (a) to (t) and by the ESAsEuropean Supervisory Authority, the Oversight Foruma sub-committee of the Joint Committee for the purposes of supporting the work of the Joint Committee and of the Lead Overseer in the area of ICT third-party risk across financial sectors, and the competent authoritiesas defined in Article 46, when exercising their supervisory powers, including for the designation of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; under Article 31 of that Regulation. Concerning legal persons, the LEI and EUID are recognised international and European identifiers ensuring the consistent, unique and robust identification of companies. Consequently, either of these two identifiers should be used for the identification of the ICT third-party service providers means an undertaking providing ICT services; established in the Union for the purposes of the application of that Regulation and should be considered as information that is common to all contractual arrangements, whereas the ICT third-party service providers means an undertaking providing ICT services; established in third-countries should be identified with LEI only. The templates used for the register of information about the ICT third-party service providers means an undertaking providing ICT services; should require information on either of these two identifiers for ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; providers that are legal persons, while allowing natural persons acting in the capacity of ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; providers to use alternative identification codes.

Each financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, including financial entitiesas defined in Article 2, points (a) to (t) from the same group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, have their own internal taxonomy of functions depending on their specific business models and internal organisations. To allow for a clear monitoring distinguishing between the functions of the financial entitiesas defined in Article 2, points (a) to (t) and the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, financial entitiesas defined in Article 2, points (a) to (t) should themselves designate relevant functions by using the function identifier at individual level and at group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; level.

To enable the operability of the register of information at entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, sub-consolidated and consolidated level across all the financial entitiesas defined in Article 2, points (a) to (t) that are part of the same group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, financial entitiesas defined in Article 2, points (a) to (t) should ensure the correctness and consistency of all the data in that register. In particular, to enable such operability, it is necessary to ensure consistency in the consolidation of the identifiers, namely the contractual arrangement reference numbers, the function identifier, LEI of the financial entitiesas defined in Article 2, points (a) to (t) and identifiers of the ICT third-party service providers means an undertaking providing ICT services;.

To ensure consistency and harmonisation and to avoid burdensome reprocessing of data for reporting purposes, the structure of the templates and the requirements of the data elements should consider data management and reporting perspectives. To ensure full comparability of the information reported in the register of information with the information provided in other regulatory or statistical reporting, financial entitiesas defined in Article 2, points (a) to (t) should adhere to data quality principles, when maintaining and updating that register.

This Regulation is based on the draft implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). submitted to the Commission by the ESAsEuropean Supervisory Authority.

The ESAsEuropean Supervisory Authority have conducted open public consultations on the draft implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAsEuropean Supervisory Authority’ Stakeholder Groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(²)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(³)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj). and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010 p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj)..