Article 4
Conditions under which ICT services that support critical or important functions or a material part thereof may be subcontracted
1. The contractual arrangement concluded between the financial entity and the ICT third-party service provider shall identify which ICT services that support critical or important functions or material parts thereof are eligible for subcontracting and under which conditions. That contract shall specify:
|
(a) |
that the ICT third-party service provider is responsible for the provision of the services provided by the subcontractors; |
|
(b) |
that the ICT third-party service provider is required to monitor all subcontracted ICT services that support critical or important functions or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met; |
|
(c) |
the monitoring and reporting obligations of the ICT third-party service provider towards the financial entity regarding subcontractors that provide ICT services that support critical or important functions or material parts thereof; |
|
(d) |
that the ICT third-party service provider is to assess all risks associated with the location of the current or potential subcontractors that provide ICT service that support critical or important functions or material parts thereof, and their parent company and with the location where the ICT service concerned is provided from; |
|
(e) |
the location of data processed or stored by the subcontractor, where relevant; |
|
(f) |
that the ICT third-party service provider is to specify in its contract with its subcontractors the monitoring and reporting obligations of that subcontractor towards the ICT third-party service provider, and where agreed, towards the financial entity; |
|
(g) |
that the ICT third-party service provider is to ensure the continuity of the ICT services that support critical or important functions throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations; |
|
(h) |
that the contractual arrangement between the ICT third-party service provider and its subcontractors contains the requirements on business contingency plans referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554 and specifies the service levels to be met by the ICT subcontractors in relation to those plans; |
|
(i) |
that the contractual arrangement between the ICT third-party service provider and its subcontractors specifies the ICT security standards and any additional security requirements referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554; |
|
(j) |
that the subcontractor is to grant to the financial entity and relevant competent and resolution authorities the same rights of access, inspection, and audit as those referred to in Article 30(3), point (e), of Regulation (EU) 2022/2554; |
|
(k) |
that the ICT third-party service provider is to notify the financial entity of any material change to subcontracting arrangements; |
|
(l) |
that the financial entity has the right to terminate the contract with the ICT third-party service provider when the conditions laid down in either Article 6 of this Regulation or the conditions laid down in Article 28(7) of Regulation (EU) 2022/2554 have been fulfilled. |
2. Changes relative to contractual agreements between the financial entity and ICT third-party service providers that provide an ICT service supporting critical or important functions or material parts thereof, made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible. The financial entity shall document the planned timeline for the implementation.