Recital 63

Wide range of ICT third-party service providers


To address the complexity of the various sources of ICT risk, while taking into account the multitude and diversity of providers of technological solutions which enable a smooth provision of financial services, this Regulation should cover a wide range of ICT third-party service providers, including providers of cloud computing services, software, data analytics services and providers of data centre services. Similarly, since financial entities should effectively and coherently identify and manage all types of risk, including in the context of ICT services procured within a financial group, it should be clarified that undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as ICT third-party service providers under this Regulation. Lastly, in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions.