Chapter V — Managing of ICT third-party risk
Section I — Key principles for a sound management of ICT third-party risk
Key contractual provisions
Summary
Defines the mandatory contractual provisions that must be included in all ICT third-party arrangements, with enhanced requirements for arrangements supporting critical or important functions. Covers service levels, security requirements, audit rights, data location, subcontracting, exit provisions and termination rights.
Key Requirements
1. Include the mandatory contractual provisions in every ICT third-party contract
2. Define clear service level descriptions and performance targets
3. Secure audit and inspection rights for the entity and for competent authorities
4. Specify data processing and storage locations, with advance notice of changes
5. Include exit strategies and termination rights with transition support
Detailed Analysis
Article 30 prescribes the contractual framework for ICT third-party arrangements, recognizing that the contract is the primary governance mechanism for managing outsourced ICT risk. The article establishes minimum contractual provisions that must be included in all ICT third-party contracts, with enhanced requirements for arrangements supporting critical or important functions.
Article 30(2) sets the baseline for every contract: a clear and complete description of the functions and ICT services provided, including whether subcontracting of services supporting critical or important functions is permitted and on what conditions; the regions or countries where the services are provided and where data is processed and stored, with an obligation on the provider to notify the entity in advance of any envisaged change of location; provisions ensuring the availability, authenticity, integrity and confidentiality of data, including personal data; provisions on access, recovery and return of data in an easily accessible format if the provider becomes insolvent, is resolved or discontinues business, or the contract is terminated; service level descriptions; the provider's obligation to assist at no additional cost, or at a cost fixed in advance, when an ICT incident affects the service; an obligation to cooperate fully with the entity's competent and resolution authorities; and termination rights with minimum notice periods.
For arrangements supporting critical or important functions, Article 30(3) adds further provisions: full service level descriptions with quantitative and qualitative performance targets, so that the entity can monitor the service and require corrective action without undue delay when agreed levels are not met; notice periods and reporting obligations covering any development that might materially affect the provider's ability to deliver; a requirement to implement and test business contingency plans and to maintain ICT security measures, tools and policies appropriate to the entity's regulatory obligations; participation in the entity's threat-led penetration testing; the right to monitor performance on an ongoing basis, including unrestricted access, inspection and audit rights; and exit strategies with a mandatory adequate transition period.
Audit and supervisory access rights deserve particular emphasis. For critical or important functions the contract must grant unrestricted rights of access, inspection and audit to the financial entity (or a third party it appoints) and to the competent authority, including the right to take copies of relevant documentation on site, and the effective exercise of those rights must not be impeded or limited by other contractual arrangements or implementation policies. In practice this means the provider's standard terms, master services agreement or internal audit policy cannot cap, narrow or override the rights granted in the DORA-specific clauses; any such conflict must be resolved in the entity's favour before signature.
Exit and termination provisions are critical safeguards. Every contract must set out termination rights and minimum notice periods, and Article 28(7) separately requires that the entity be able to terminate where, among other things, the provider significantly breaches applicable law or contractual terms, shows evidenced weaknesses in its ICT risk management, or the arrangement prevents the competent authority from supervising the entity effectively. For critical or important functions the contract must also contain an exit strategy with a mandatory adequate transition period during which the provider continues to deliver the service, allowing the entity to migrate to another provider or bring the function back in-house, together with the data return provisions noted above. Without these provisions the entity risks being locked into an unsatisfactory arrangement with no practical exit.