RTS on ICT third-party service provider policy

Where financial entitiesas defined in Article 2, points (a) to (t) belong to a group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, the parent undertaking means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU; that is responsible for providing the consolidated or sub-consolidated financial statements for the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should therefore ensure that the policy is applied in a consistent and coherent way within the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;.

When applying the policy, ICT intra-group service providers means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;, including those fully or collectively owned by financial entitiesas defined in Article 2, points (a) to (t) within the same institutional protection scheme, should be considered as ICT third-party services providers means an undertaking providing ICT services;. The risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed by ICT intra-group service providers means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; may be different but the requirements applicable to them are the same under Regulation (EU) 2022/2554. In a similar way, the policy should apply to subcontractors that provide ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; or material parts thereof to ICT third-party service providers means an undertaking providing ICT services;, where a chain of ICT third-party service providers means an undertaking providing ICT services; exists.

The ultimate responsibility of the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). in managing a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; is an overarching principle which is also applicable regarding the use of ICT third-party service providers means an undertaking providing ICT services;. This responsibility should be further translated into the continuous engagement of the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). in the control and monitoring of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management, including in the adoption and review, at least once per year, of the policy.

To ensure appropriate reporting to the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32)., the policy should clearly specify and identify the internal responsibilities for the approval, management, control and documentation of contractual arrangements on the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; provided by ICT third-party service providers means an undertaking providing ICT services; (‘contractual arrangements’), including the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided under contractual arrangements referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554.

In order to take into account all possible risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that may arise when contracting ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, the structure of the policy should follow all the steps of the each main phase of the life cycle for contractual arrangements with third-party providers.

To mitigate the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified, the policy should specify the planning of contractual arrangements, including the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment, the due diligence, and the approval process for new or material changes to those contractual arrangements. In order to manage the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that may arise before entering into a contractual arrangement with an ICT third-party service provider means an undertaking providing ICT services;, the policy should specify an appropriate and proportionate process to select and assess the suitability of prospective ICT third-party service providers means an undertaking providing ICT services; and require that the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; takes into account a non-exhaustive list of elements that the ICT third-party service providers means an undertaking providing ICT services; should have in place. The list should include elements related to the business reputation of the service providers, their financial, human and technical resources, their information-security, their organisational structure, including risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management, and their internal controls.

To ensure a sound risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management in the provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; by ICT third-party service providers means an undertaking providing ICT services;, the policy should contain information about the implementation, monitoring and management of the contractual arrangements, including at consolidated and sub-consolidated level, where applicable. This includes requirements for the contractual clauses on mutual obligations of the financial entitiesas defined in Article 2, points (a) to (t) and the ICT third-party service providers means an undertaking providing ICT services;, which should be set out in writing. In order to ensure an efficient supervision and foster resilience in case of changes in the business model or business environment, the policy should ensure the financial entitiesas defined in Article 2, points (a) to (t)’ or appointed third parties’ and competent authoritiesas defined in Article 46’ rights to inspections and access to information and should also further specify the exit strategies and termination processes.

To the extent personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; are processed by ICT third-party service providers means an undertaking providing ICT services;, this policy and any contractual arrangements are without prejudice to and should complement the obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council(²)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)., such as to have a written contract in place describing the personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; processing, requirement to ensure security of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; processing and setting out all other elements required under that regulation.

The Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(³)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj). and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁵)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj). has conducted open public consultations on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). on which this Regulation is based, analysed the potential costs and benefits of the proposed standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and requested advice of the Banking Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the Occupational Pensions Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1095/2010,

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁶)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered an opinion on 24 January 2024,