Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity


  1. When permitting sub-contracting ICT services supporting critical or important functions, the written contractual agreement between the financial entity and the third-party service provider shall provide all the following elements:

    1. that the chain of ICT subcontractors providing ICT services supporting critical or important functions shall be identified in accordance with Article 3(1)(b);

    2. that the identification of the chain remains up-to-date over time in order to allow for the financial entity to discharge its obligation to maintain and update the register of information in accordance with Article 28(3) and (9) of Regulation (EU) 2022/2554.

  2. To maintain the financial entity’s overall responsibility for the ICT services supporting critical or important functions provided by ICT third-party service providers, including ensuring effective monitoring, the written contractual agreement between the financial entity and the ICT third-party service provider shall enable the financial entity’s effective monitoring of the contracted ICT services in accordance with Article 30(3) point (a) of Regulation (EU) 2022/2554.

    The contractual arrangements shall in particular include elements enabling the financial entity to fulfil its obligation to monitor the ICT risk that may arise in relation to its use of ICT services provided by subcontractors providing ICT services supporting critical or important functions, in particular those that effectively underpin the provision of ICT services supporting critical or important functions or material parts thereof.

    The monitoring referred to in the second subparagraph may, where appropriate, rely on information provided by the ICT third-party service provider.

  3. The contractual arrangements shall, in compliance with Article 4 of this Regulation, include elements enabling the financial entity to assess whether and how the potentially long or complex chain of subcontractors that provide ICT services supporting critical or important functions or material parts thereof may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

  4. The contractual arrangements shall include elements allowing the financial entity to obtain information from the ICT third-party service provider on contractual documentation between the ICT third-party service provider and its subcontractors providing ICT services supporting critical or important functions, and on relevant performance indicators, considering the provisions of Article 30 paragraphs 3 letter (e) of Regulation (EU) 2022/2554, and of Article 8 paragraph 2 of the Commission Delegated Regulation (EU) 2024/1773.