ICT Third-Party Risk Management
Addresses the risks arising from reliance on ICT third-party service providers. Establishes principles for the sound management of third-party risk, including due diligence, contractual requirements, concentration risk monitoring, and an EU-level oversight framework for critical ICT third-party providers designated by the ESAs.
Key Themes
What this pillar covers
Third-party risk assessment and due diligence
Contractual arrangements and key provisions
Concentration risk management
Oversight framework for critical providers
Exit strategies and substitution planning
17 Articles
Articles in Pillar IV
Explore the 17 articles that make up ICT Third-Party Risk Management, from Art. 28-44.
General principles
Establishes the fundamental principles for managing ICT third-party risk, including maintaining full responsibility for compliance, conducting thorough due diligence, and establishing a strategy for ICT third-party risk. Requires entities to maintain a register of all ICT third-party arrangements.
Preliminary assessment of ICT concentration risk at entity level
Requires financial entities to assess ICT concentration risk before entering into new third-party arrangements, considering substitutability, dependencies on single providers, and the potential systemic impact of a provider failure.
Key contractual provisions
Defines the mandatory contractual provisions that must be included in all ICT third-party arrangements, with enhanced requirements for arrangements supporting critical or important functions. Covers service levels, security requirements, audit rights, data location, subcontracting, exit provisions and termination rights.
Designation of critical ICT third-party service providers
Establishes the criteria and process for designating ICT third-party service providers as "critical" at the EU level. Designation triggers the direct oversight framework by the Lead Overseer, considering factors such as the systemic impact, substitutability, and number of financial entities relying on the provider.
Structure of the Oversight Framework
Defines the institutional structure for overseeing critical ICT third-party providers, including the role of the Lead Overseer, the Joint Examination Team, and cooperation with national competent authorities.
Tasks of the Lead Overseer
Defines the specific tasks and powers of the Lead Overseer in conducting oversight of critical ICT third-party providers, including risk assessments, recommendations, and the ability to request remedial action plans. The Lead Overseer assesses whether each critical provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage ICT risk.
Operational coordination between Lead Overseers
Establishes coordination mechanisms between Lead Overseers where a critical provider serves financial entities across multiple sectors supervised by different ESAs. Prevents fragmented or contradictory oversight by mandating joint approaches and information sharing.
Powers of the Lead Overseer
Enumerates the three core powers of the Lead Overseer: requesting information (Article 37), conducting general investigations (Article 38), and performing on-site inspections (Article 39). These powers are complemented by the ability to issue recommendations and, where appropriate, to publicize a provider's non-compliance.
Exercise of the powers of the Lead Overseer outside the Union
Addresses how the Lead Overseer exercises its oversight powers when critical ICT third-party providers are established outside the EU. Requires third-country providers to set up an EU subsidiary within 12 months of designation, enabling direct supervisory access.
Request for information
Establishes the Lead Overseer's power to request any information and documentation necessary for oversight, specifying procedural requirements including written requests, response deadlines, data protection safeguards, and the consequences of non-cooperation.
General investigations
Empowers the Lead Overseer to conduct general investigations of critical providers, including examining records, obtaining written or oral explanations, interviewing relevant persons, and requiring the production of documents. Investigations may be conducted directly or delegated to national competent authorities.
Inspections
Grants the Lead Overseer the power to conduct on-site inspections at any business premises, data centres, or operational sites of critical ICT third-party providers. Inspections may be announced or unannounced, and providers must grant full access to premises, systems, and data.
Ongoing oversight
Establishes the framework for continuous, risk-based oversight of critical ICT third-party providers. Requires the Lead Overseer to maintain an ongoing assessment of the provider's risk profile, follow up on recommendations, and adapt the oversight intensity based on evolving risks and compliance performance.
Harmonisation of conditions enabling the conduct of the oversight activities
Mandates the ESAs to develop delegated acts and technical standards specifying the detailed procedures and conditions for conducting oversight activities, ensuring a consistent and predictable approach across all designated critical providers.
Follow-up by competent authorities
Creates the enforcement bridge between the oversight framework and financial entity supervision. When a critical provider fails to comply with the Lead Overseer's recommendations, competent authorities must take supervisory action at the entity level, potentially requiring financial entities to reduce or terminate their dependency on the non-compliant provider.
Oversight fees
Establishes the fee framework for funding oversight activities. Critical ICT third-party service providers bear the costs of their oversight through fees calculated based on their turnover from ICT services provided to EU financial entities, ensuring that oversight is adequately resourced without burdening public finances.
International cooperation
Establishes the framework for cooperation between the Lead Overseer and third-country supervisory authorities regarding the oversight of critical ICT third-party providers operating globally. Aims to avoid regulatory fragmentation while preserving effective oversight of providers that serve EU financial entities from multiple jurisdictions.