Material changes to subcontracting arrangements of ICT service supporting critical or important functions


  1. In case of any material changes to the subcontracting arrangements regarding ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law or material parts thereof, the financial entity shall ensure, through the ICT contractual arrangement with its ICT third-party service provideran undertaking providing ICT services, that it is informed with a notice period sufficient to assess the impact on the risks it is or might be exposed to, as well as whether such changes might affect the ability of the ICT third-party service provideran undertaking providing ICT services to meet its obligations under the contractual agreement as referred to under Article 4, and with regard to changes considering the elements of increased or reduced complexity listed in Article 1.

  2. The financial entity shall require that the ICT third-party service provideran undertaking providing ICT services implements the material changes only after the financial entity has either approved or not objected to the changes by the end of the notice period.

  3. If the risk assessment referred to in paragraph 1) finds that the planned subcontracting or changes to subcontracting by the ICT third-party service provideran undertaking providing ICT services exceeds the financial entity’s risk tolerance, the financial entity shall, before the end of the notice period:

    1. inform the ICT third-party service provideran undertaking providing ICT services of its risk assessment results as referred to in paragraph 1), and,

    2. object to the changes and request modifications to the proposed subcontracting changes before their implementation.