COIF
Chapter II - ICT risk management
Article 5 - Governance and organisation
the potential impact of such changes on the critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity and their impact, as well as response, recovery and corrective measures.
Chapter II - ICT risk management
Article 8 - Identification
Financial entitiesas defined in Article 2, points (a) to (t) shall identify and document all processes that are dependent on ICT third-party service providersan undertaking providing ICT services, and shall identify interconnections with ICT third-party service providersan undertaking providing ICT services that provide services that support critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
Chapter II - ICT risk management
Article 9 - Protection and prevention
Financial entitiesas defined in Article 2, points (a) to (t) shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
Chapter II - ICT risk management
Article 11 - Response and recovery
ensure the continuity of the financial entity’s critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
Financial entitiesas defined in Article 2, points (a) to (t) shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law outsourced or contracted through arrangements with ICT third-party service providersan undertaking providing ICT services.
test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
Chapter II - ICT risk management
Article 12 - Backup policies and procedures, restoration and recovery procedures and methods
capable of ensuring the continuity of critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives;
immediately accessible to the financial entity’s staff to ensure continuity of critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law in the event that the primary processing site has become unavailable.
In determining the recovery time and recovery point objectives for each function, financial entitiesas defined in Article 2, points (a) to (t) shall take into account whether it is a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.
Chapter II - ICT risk management
Article 13 - Learning and evolving
Financial entitiesas defined in Article 2, points (a) to (t) shall monitor the effectiveness of the implementation of their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy set out in Article 6(8). They shall map the evolution of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment over time, analyse the frequency, types, magnitude and evolution of ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset and their patterns, with a view to understanding the level of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment exposure, in particular in relation to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, and enhance the cyber maturity and preparedness of the financial entity.
Chapter II - ICT risk management
Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies
specify further the testing of ICT business continuity plans referred to in Article 11(6) to ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provideran undertaking providing ICT services and, where relevant, the political risks in the respective providers’ jurisdictions;
Chapter II - ICT risk management
Article 16 - Simplified ICT risk management framework
ensure the continuity of critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures;
specify further the rules on the testing of business continuity plans and ensure the effectiveness of the controls referred to in paragraph 1, second subparagraph, point (g) and ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law deteriorates to an unacceptable level or fails;
Chapter IV - Digital operational resilience testing
Article 24 - General requirements for the performance of digital operational resilience testing
Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
Chapter IV - Digital operational resilience testing
Article 25 - Testing of ICT tools and systems
Central securities depositoriesa central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 and central counterpartiesa central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012 shall perform vulnerabilitya weakness, susceptibility or flaw of an asset, system, process or control that can be exploited assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of the financial entity.
Chapter IV - Digital operational resilience testing
Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT
Each threat-led penetration test shall cover several or all critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of a financial entity, and shall be performed on live production systems supporting such functions.
Financial entitiesas defined in Article 2, points (a) to (t) shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services, including those supporting the critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law which have been outsourced or contracted to ICT third-party service providersan undertaking providing ICT services.
Financial entitiesas defined in Article 2, points (a) to (t) shall assess which critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law need to be covered by the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. The result of this assessment shall determine the precise scope of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems and shall be validated by the competent authoritiesas defined in Article 46.
Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an ICT third-party service provideran undertaking providing ICT services in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provideran undertaking providing ICT services to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provideran undertaking providing ICT services may agree in writing that the ICT third-party service provideran undertaking providing ICT services directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems involving several financial entitiesas defined in Article 2, points (a) to (t) (pooled testing) to which the ICT third-party service provideran undertaking providing ICT services provides ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
That pooled testing shall cover the relevant range of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law contracted to the respective ICT third-party service provideran undertaking providing ICT services by the financial entitiesas defined in Article 2, points (a) to (t). The pooled testing shall be considered TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems carried out by the financial entitiesas defined in Article 2, points (a) to (t) participating in the pooled testing.
The number of financial entitiesas defined in Article 2, points (a) to (t) participating in the pooled testing shall be duly calibrated taking into account the complexity and types of services involved.
Financial entitiesas defined in Article 2, points (a) to (t) shall, with the cooperation of ICT third-party service providersan undertaking providing ICT services and other parties involved, including the testers but excluding the competent authoritiesas defined in Article 46, apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, services or operations at the financial entity itself, its counterparts or to the financial sector.
Chapter V - Managing of ICT third-party risk
Article 28 - General principles
As part of their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t), other than entities referred to in Article 16(1), first subparagraph, and other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall adopt, and regularly review, a strategy on ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements shall include a policy on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law provided by ICT third-party service providersan undertaking providing ICT services and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
As part of their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services provided by ICT third-party service providersan undertaking providing ICT services.
The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law and those that do not.
Financial entitiesas defined in Article 2, points (a) to (t) shall report at least yearly to the competent authoritiesas defined in Article 46 on the number of new arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services, the categories of ICT third-party service providersan undertaking providing ICT services, the type of contractual arrangements and the ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services and functions which are being provided.
Financial entitiesas defined in Article 2, points (a) to (t) shall make available to the competent authorityas defined in Article 46, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
Financial entitiesas defined in Article 2, points (a) to (t) shall inform the competent authorityas defined in Article 46 in a timely manner about any planned contractual arrangement on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law as well as when a function has become critical or important.
assess whether the contractual arrangement covers the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
Financial entitiesas defined in Article 2, points (a) to (t) may only enter into contractual arrangements with ICT third-party service providersan undertaking providing ICT services that comply with appropriate information security standards. When those contractual arrangements concern critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, financial entitiesas defined in Article 2, points (a) to (t) shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providersan undertaking providing ICT services, of the most up-to-date and highest quality information security standards.
For ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, financial entitiesas defined in Article 2, points (a) to (t) shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providersan undertaking providing ICT services, in particular a possible failure on their part, a deterioration of the quality of the ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services provided, any business disruption due to inappropriate or failed provision of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providersan undertaking providing ICT services under any of the circumstances listed in paragraph 7.
Financial entitiesas defined in Article 2, points (a) to (t) shall ensure that they are able to exit contractual arrangements without:
Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested and reviewed periodically.
Financial entitiesas defined in Article 2, points (a) to (t) shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services and the relevant data from the ICT third-party service provideran undertaking providing ICT services and to securely and integrally transfer them to alternative providers or reincorporate them in-house.
Financial entitiesas defined in Article 2, points (a) to (t) shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in the first subparagraph.
The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee of the EBA, EIOPA and ESMA, develop draft regulatory technical standards to further specify the detailed content of the policy referred to in paragraph 2 in relation to the contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law provided by ICT third-party service providersan undertaking providing ICT services.
When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations. The ESAsEuropean Supervisory Authority shall submit those draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Chapter V - Managing of ICT third-party risk
Article 29 - Preliminary assessment of ICT concentration risk at entity level
When performing the identification and assessment of risks referred to in Article 28(4), point (c), financial entitiesas defined in Article 2, points (a) to (t) shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law would lead to any of the following:
Financial entitiesas defined in Article 2, points (a) to (t) shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providersan undertaking providing ICT services, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.
Where the contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law include the possibility that an ICT third-party service provideran undertaking providing ICT services further subcontracts ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law to other ICT third- party service providers, financial entitiesas defined in Article 2, points (a) to (t) shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.
Where contractual arrangements concern ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, financial entitiesas defined in Article 2, points (a) to (t) shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.
Where contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law are concluded with an ICT third-party service provider established in a third countryan ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services, financial entitiesas defined in Article 2, points (a) to (t) shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.
Where the contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law provide for subcontracting, financial entitiesas defined in Article 2, points (a) to (t) shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authorityas defined in Article 46 to effectively supervise the financial entity in that respect.
Chapter V - Managing of ICT third-party risk
Article 30 - Key contractual provisions
a clear and complete description of all functions and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services to be provided by the ICT third-party service provideran undertaking providing ICT services, indicating whether subcontracting of an ICT service supporting a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
The contractual arrangements on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law shall include, in addition to the elements referred to in paragraph 2, at least the following:
By way of derogation from point (e), the ICT third-party service provideran undertaking providing ICT services and the financial entity that is a microenterprisea financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provideran undertaking providing ICT services, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.
The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee of the EBA, EIOPA and ESMA, develop draft regulatory technical standards to specify further the elements referred to in paragraph 2, point (a), which a financial entity needs to determine and assess when subcontracting ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall take into consideration the size and overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.
The ESAsEuropean Supervisory Authority shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Chapter V - Managing of ICT third-party risk
Article 31 - Designation of critical ICT third-party service providers
the reliance of financial entitiesas defined in Article 2, points (a) to (t) on the services provided by the relevant ICT third-party service provideran undertaking providing ICT services in relation to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of financial entitiesas defined in Article 2, points (a) to (t) that ultimately involve the same ICT third-party service provideran undertaking providing ICT services, irrespective of whether financial entitiesas defined in Article 2, points (a) to (t) rely on those services directly or indirectly, through subcontracting arrangements;
Chapter V - Managing of ICT third-party risk
Article 33 - Tasks of the Lead Overseer
For the purposes of paragraph 1, the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation shall assess whether each critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment which it may pose to financial entitiesas defined in Article 2, points (a) to (t).
The assessment referred to in the first subparagraph shall focus mainly on ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services provided by the critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31 supporting the critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of financial entitiesas defined in Article 2, points (a) to (t). Where necessary to address all relevant risks, that assessment shall extend to ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting functions other than those that are critical or important.
Chapter V - Managing of ICT third-party risk
Article 35 - Powers of the Lead Overseer
to issue recommendations on the areas referred to in Article 33(3), in particular concerning the following:
For the purpose of point (iv) of this point, ICT third-party service providersan undertaking providing ICT services shall, using the template referred to in Article 41(1), point (b), transmit the information regarding subcontracting to the Lead Overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation.