Article 9 | Delegated Regulation 2025/1143

Article 9 - Delegated Regulation 2025/1143

Article 9

Organisational requirements regarding outsourcing

(Article 27g(3) and Article 27i(2) of Regulation (EU) No 600/2014)

1. An APA or ARM that arranges for activities to be performed on its behalf by third-party service providers, including undertakings with which it has close links, shall ensure that the third-party service provider has the ability and the capacity to perform those activities reliably and professionally.

An APA or ARM shall specify which of the activities are to be outsourced, including a specification of the level of human and technical resources needed to carry out each of those activities.

2. An APA or ARM that outsources activities shall ensure that the outsourcing does not reduce its ability or power to perform senior management or management body functions.

3. An APA or ARM shall remain responsible for any outsourced activity and shall adopt organisational measures to ensure:

(a)	that it assesses whether the third-party service provider carries out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and adequately addresses identified failures;

(b)	the identification of the risks in relation to outsourced activities and adequate periodic monitoring;

(c)	adequate control procedures with respect to outsourced activities, including effectively supervising the activities and their risks within the APA or ARM;

(d)	adequate business continuity of outsourced activities.

For the purposes of point (d), the APA or ARM shall obtain information on the business continuity arrangements of the third-party service provider, assess its quality and, where needed, request improvements.

4. An APA or ARM shall ensure that the third-party service provider cooperates with ESMA or, where relevant, the national competent authority, in connection with outsourced activities.

5. Where an APA or ARM outsources a critical or important function, it shall provide ESMA or, where relevant, the national competent authority with:

(a)	the identification of the third-party service provider;

(b)	the organisational measures with respect to outsourcing and the risks posed by it as specified in paragraph 3;

(c)	internal or external reports on the outsourced activities.

CHAPTER I - AUTHORISATION AND ORGANISATIONAL REQUIREMENTS FOR APAs AND ARMs (Article 1-14)

SECTION I - Authorisation requirements for APAs and ARMs (Article 1-7)

SECTION II - Organisational requirements for APAs and ARMs (Article 8-14)Article 8 - (Article 27g(3) and Article 27i (2) of Regulation (EU) No 600/2014)Article 9 - (Article 27g(3) and Article 27i (2) of Regulation (EU) No 600/2014)Article 10 - (Article 27g (5) of Regulation (EU) No 600/2014) Article 11 - (Article 27i (4) of Regulation (EU) No 600/2014)Article 12 - (Article 27i (4) of Regulation (EU) No 600/2014)Article 13 - (Article 27g (1) of Regulation (EU) No 600/2014)Article 14 - (Article 27g (2) of Regulation (EU) No 600/2014)

CHAPTER II - AUTHORISATION REQUIREMENTS FOR CTPs (Article 15-30)

CHAPTER III - FINAL PROVISIONS (Article 31-32)

Metadata

Related documents

Article 9 - Delegated Regulation 2025/1143

Table of contents