Gradual approach to ICT third-party concentration risk
To address the systemic impact of ICT third-party concentration risk, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entitiesas defined in Article 2, points (a) to (t) should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with ICT third-party service providers established in a third countryan ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services. At this stage, and with a view to striking a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to set out rules on strict caps and limits to ICT third-party exposures. In the context of the Oversight Framework, a Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation, appointed pursuant to this Regulation, should, in respect to critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31, pay particular attention to fully grasp the magnitude of interdependences, discover specific instances where a high degree of concentration of critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 in the Union is likely to put a strain on the Union financial system’s stability and integrity and maintain a dialogue with critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 where that specific risk is identified.