Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (1), and in particular Article 28(10), third subparagraph, thereof,

Whereas:

(1) The framework on digital operational resilience for the financial sector established by Regulation (EU) 2022/2554 requires that financial entities set out certain key principles to manage ICT third-party risk, which are of particular importance when financial entities engage with ICT third-party service providers to support their critical or important functions.

(2) Financial entities, as part of their ICT risk management framework, are to adopt, and regularly review, a strategy on ICT third-party risk. In accordance with Article 28(2) of Regulation (EU) 2022/2554, that strategy is to include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. It is to apply on an individual and, where relevant, on a sub-consolidated and consolidated basis.

(3) Financial entities vary widely in size, structure, and internal organisation and in the nature and complexity of their activities and operations. It is necessary to take into account that diversity while imposing certain fundamental regulatory requirements which are appropriate for all financial entities when developing the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions by ICT third-party providers (‘the policy), and to ensure that those requirements are applied in a manner that is proportionate.

(4) Where financial entities belong to a group, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group should therefore ensure that the policy is applied in a consistent and coherent way within the group.

(5) When applying the policy, ICT intra-group service providers, including those fully or collectively owned by financial entities within the same institutional protection scheme, should be considered as ICT third-party services providers. The risks posed by ICT intra-group service providers may be different but the requirements applicable to them are the same under Regulation (EU) 2022/2554. In a similar way, the policy should apply to subcontractors that provide ICT services supporting critical or important functions or material parts thereof to ICT third-party service providers, where a chain of ICT third-party service providers exists.

(6) The ultimate responsibility of the management body in managing a financial entity’s ICT risk is an overarching principle which is also applicable regarding the use of ICT third-party service providers. This responsibility should be further translated into the continuous engagement of the management body in the control and monitoring of ICT risk management, including in the adoption and review, at least once per year, of the policy.

(7) To ensure appropriate reporting to the management body, the policy should clearly specify and identify the internal responsibilities for the approval, management, control and documentation of contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (‘contractual arrangements’), including the ICT services provided under contractual arrangements referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554.

(8) In order to take into account all possible risks that may arise when contracting ICT services supporting critical or important function, the structure of the policy should follow all the steps of the each main phase of the life cycle for contractual arrangements with third-party providers.

(9) To mitigate the risks identified, the policy should specify the planning of contractual arrangements, including the risk assessment, the due diligence, and the approval process for new or material changes to those contractual arrangements. In order to manage the risks that may arise before entering into a contractual arrangement with an ICT third-party service provider, the policy should specify an appropriate and proportionate process to select and assess the suitability of prospective ICT third-party service providers and require that the financial entity takes into account a non-exhaustive list of elements that the ICT third-party service providers should have in place. The list should include elements related to the business reputation of the service providers, their financial, human and technical resources, their information-security, their organisational structure, including risk management, and their internal controls.

(10) To ensure a sound risk management in the provision of ICT services supporting critical or important functions by ICT third-party service providers, the policy should contain information about the implementation, monitoring and management of the contractual arrangements, including at consolidated and sub-consolidated level, where applicable. This includes requirements for the contractual clauses on mutual obligations of the financial entities and the ICT third-party service providers, which should be set out in writing. In order to ensure an efficient supervision and foster resilience in case of changes in the business model or business environment, the policy should ensure the financial entities’ or appointed third parties’ and competent authorities’ rights to inspections and access to information and should also further specify the exit strategies and termination processes.

(11) To the extent personal data are processed by ICT third-party service providers, this policy and any contractual arrangements are without prejudice to and should complement the obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council (2), such as to have a written contract in place describing the personal data processing, requirement to ensure security of personal data processing and setting out all other elements required under that regulation.

(12) The Joint Committee of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (3), in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (4) and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5) has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential costs and benefits of the proposed standards and requested advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010,

(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered an opinion on 24 January 2024,

HAS ADOPTED THIS REGULATION:

Article 1

Overall risk profile and complexity

The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the ‘policy’) shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to:

(a) the type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (the ‘contractual arrangement’) between the financial entity and the ICT third-party service provider;

(b) the location of the ICT third-party service provider or the location of its parent company;

(c) whether the ICT services supporting critical or important functions are provided by an ICT third-party service provider located within a Member State or in a third country, also considering the location from where the ICT services are provided and the location where the data is processed and stored;

(d) the nature of the data shared with the ICT third-party service provider;

(e) whether the ICT third-party service provider is part of the same group as the financial entity to which the services are provided;

(f) the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Chapter V, Section II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers that are not;

(g) the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority in a third country, and the use of ICT third-party service providers that are not;

(h) whether the provision of ICT services supporting critical or important functions are concentrated to a single ICT third-party service provider or a small number of such service providers;

(i) the transferability of the ICT services supporting critical or important functions to another ICT third-party service provider, including as a result of technology specificities;

(j) the potential impact of disruptions in the provision of the ICT services supporting critical or important functions on the continuity of the financial entity’s activities and on the availability of its services.

Article 2

Group application

Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group.

Article 3

Governance arrangements

(a) the ICT risk management framework referred to in Article 6 of Regulation (EU) 2022/2554;

(b) the information security policy referred to in Article 9(4) of Regulation (EU) 2022/2554;

(c) the ICT business continuity policy referred to in Article 11 of Regulation (EU) 2022/2554;

(d) the requirements on incident reporting set out in Article 19 of Regulation (EU) 2022/2554.

(a) do not relieve the financial entity and its management body of its regulatory obligations and its responsibilities to its clients;

(b) are not to prevent effective supervision of a financial entity and are not to contravene any supervisory restrictions on services and activities;

(c) are to require that the ICT third party service providers cooperate with the competent authorities;

(d) are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions.

Article 4

Main phases of the life cycle for the adoption and use of contractual arrangements

The policy shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following:

(a) the responsibilities of the management body, including its involvement, as appropriate, in the decision-making process on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;

(b) the planning of contractual arrangements, including the risk assessment, the due diligence as set out in Articles 5 and 6 and the approval process regarding new or material changes to contractual arrangements as set out in Article 8(4);

(c) the involvement of business units, internal controls and other relevant units in respect of contractual arrangements;

(d) the implementation, monitoring and management of contractual arrangements as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated level, where applicable;

(e) the documentation and record-keeping, taking into account the requirements with regard to the register of information laid down in Article 28(3) of Regulation (EU) 2022/2554;

(f) the exit strategies and termination processes as set out in Article 10.

Article 5

Ex-ante risk assessment

The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:

(a) operational risks;

(b) legal risks;

(c) ICT risks;

(d) reputational risks;

(e) risks linked to the protection of confidential or personal data;

(f) risks linked to the availability of data;

(g) risks linked to the location where the data is processed and stored;

(h) risks linked to the location of the ICT third-party service provider;

(i) ICT concentration risks at entity level.

Article 6

Due diligence

(a) has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisations or registrations to provide the ICT services supporting the critical or important function in a reliable and professional manner;

(b) has the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework;

(c) uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof;

(d) is located, or processes or stores the data in a third country and, if this is the case, whether this practice affects the level of operational or reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services;

(e) consents to contractual arrangements that ensure that it is effectively possible to conduct audits at the ICT third-party service provider, including onsite, by the financial entity itself, appointed third parties, and competent authorities;