Recital 31

Oversight framework for ICT third-party service providers

Taking into account the potential systemic risk entailed by increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms in providing financial supervisors with adequate tools to quantify, qualify and redress the consequences of ICT risk occurring at critical ICT third-party service providers, it is necessary to establish an appropriate Oversight Framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical ICT third-party service providers to financial entities, while ensuring that the confidentiality and security of customers other than financial entities is preserved.

While intra-group provision of ICT services entails specific risks and benefits, it should not be automatically considered less risky than the provision of ICT services by providers outside of a financial group and should therefore be subject to the same regulatory framework. However, when ICT services are provided from within the same financial group, financial entities might have a higher level of control over intra-group providers, which ought to be taken into account in the overall risk assessment.