Home

Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information (Text with EEA relevance)

Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information (Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011(1), and in particular Article 28(9), second subparagraph, thereof,

Whereas:

  1. It is necessary to establish standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by information and communication technology (ICT) third-party service providers referred to in Article 28(3) of Regulation (EU) 2022/2554. Information gathered from that register is essential for the financial entities’ internal ICT risk management, for the effective supervision of the financial entities by their competent authorities, and for the establishment and conduct of oversight of the critical ICT third-party providers by the Lead Overseer. Furthermore, that information is essential for the annual process to designate critical ICT third-party service providers by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (collectively ‘European Supervisory Authorities’ (ESAs)).

  2. To ensure supervisory outcomes which are consistent with the existing supervisory frameworks, the parent undertaking of financial entities that are part of a group as defined in Regulation (EU) 2022/2554 should determine the entities to be included in the register of information at sub-consolidated and consolidated level in accordance with Union financial services legislation. To reduce administrative costs of groups, groups should have the possibility to develop a single register of information at entity, sub-consolidated and consolidated levels in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers to all the financial entities that are part of that group. In such cases, the single register of information should allow each financial entity to comply with its obligation to maintain and update the register of information at entity and sub-consolidated level, where applicable, including its reporting to its competent authority.

  3. Pursuant to Article 28(1), point (b), of Regulation (EU) 2022/2554, the financial entities’ management of ICT third-party risks is to take into account the nature, scale, complexity and importance of ICT-related dependencies, and the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers. That risk assessment should take into account the criticality or importance of the service, process or function of the financial entity and the potential impact on the continuity and availability of financial services and activities, at entity level and at group level.

  4. Certain sector-specific Union financial services legislation contains requirements on outsourcing. Those requirements have been further developed in guidelines issued by the ESAs. Under those guidelines, some financial entities are expected to record specific information on their outsourcing arrangements, in some cases also in the form of registers, as part of their outsourcing risk management. In recent years, several national competent authorities and the ECB have collected information included in such registers as part of their supervision of financial entity compliance with the outsourcing requirements. Based on the lessons learned from the different data collection exercises of outsourcing registers performed in the recent years by the ESAs and competent authorities, the standard templates should be designed in a technology-neutral manner with open tables, which have a predefined number of columns and an indefinite number of rows. In addition, the standard templates should be linked to one another by using different specific keys forming a relational structure between those templates.

  5. To receive ICT services from an ICT third-party service provider, including ICT intra-group service providers, financial entities conclude a written contract with the ICT third-party service provider. In case of groups, ICT intra-group service providers may conclude a contract with ICT third-party providers that are external to the group to provide ICT services to one or more financial entities of the group. To capture the full ICT service supply chain, financial entities maintaining the register of information should report both information on the contractual arrangement with their ICT intra-group service provider and information on the arrangement stipulated by the ICT intra-group service provider and the ICT third-party providers that are external to the group as subcontractors. Therefore, the register of information should include a specific template enabling the reconciliation between the intra-group contracts and the contracts with ICT third-party service providers that are external to the group.

  6. The provision of ICT services to financial entities may rely on potentially long or complex chains of subcontracting which should be monitored by the financial entities. Financial entities should assess the associated risks, including ICT third-party concentration risks with regard to the ICT third-party service providers supporting a critical or important function or material parts thereof, considering a risk-based approach and the principle of proportionality. To enable that assessment, financial entities should be required to record in the register of information only those subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision. When identifying those subcontractors, financial entities should consider business and ICT service continuity and ICT security aspects.

  7. A register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintaining the register.

  8. To allow transparency and comparability of contractual arrangements and the ongoing monitoring of those arrangements, the register of information should focus on the operational links between the financial entities and the ICT third-party service providers. To that end, the register of information should use four keys, which, among others, linking relevant data to each other across the templates of the register of information: (i) the reference number of the contractual arrangement between the financial entity signing that arrangement and the direct ICT third-party service provider, (ii) an appropriate identifier of financial entities and ICT third-party service providers, (iii) the function identifier, and (iv) the type of ICT services.

  9. To appropriately document the contractual arrangements between the financial entities and the ICT third-party service providers as required by Regulation (EU) 2022/2554, it is understood that ICT third-party service providers should provide for an identification number which allows for their consistent and accurate identification by the financial entities and by the ESAs, the Oversight Forum, and the competent authorities, when exercising their supervisory powers, including for the designation of critical ICT third-party service providers under Article 31 of that Regulation. Concerning legal persons, the LEI and EUID are recognised international and European identifiers ensuring the consistent, unique and robust identification of companies. Consequently, either of these two identifiers should be used for the identification of the ICT third-party service providers established in the Union for the purposes of the application of that Regulation and should be considered as information that is common to all contractual arrangements, whereas the ICT third-party service providers established in third-countries should be identified with LEI only. The templates used for the register of information about the ICT third-party service providers should require information on either of these two identifiers for ICT service providers that are legal persons, while allowing natural persons acting in the capacity of ICT service providers to use alternative identification codes.

  10. Each financial entity, including financial entities from the same group, have their own internal taxonomy of functions depending on their specific business models and internal organisations. To allow for a clear monitoring distinguishing between the functions of the financial entities and the ICT services, financial entities should themselves designate relevant functions by using the function identifier at individual level and at group level.

  11. To enable the operability of the register of information at entity, sub-consolidated and consolidated level across all the financial entities that are part of the same group, financial entities should ensure the correctness and consistency of all the data in that register. In particular, to enable such operability, it is necessary to ensure consistency in the consolidation of the identifiers, namely the contractual arrangement reference numbers, the function identifier, LEI of the financial entities and identifiers of the ICT third-party service providers.

  12. To ensure consistency and harmonisation and to avoid burdensome reprocessing of data for reporting purposes, the structure of the templates and the requirements of the data elements should consider data management and reporting perspectives. To ensure full comparability of the information reported in the register of information with the information provided in other regulatory or statistical reporting, financial entities should adhere to data quality principles, when maintaining and updating that register.

  13. This Regulation is based on the draft implementing technical standards submitted to the Commission by the ESAs.

  14. The ESAs have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs’ Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(2), Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(3) and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(4)

  15. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(5).

HAS ADOPTED THIS REGULATION:

Article 1 Definitions

For the purposes of this Regulation, the following definitions apply:

  1. ‘direct ICT third-party service provider’ means an ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with:

    1. a financial entity to provide its ICT services directly to that financial entity;

    2. a financial or a non-financial entity to provide its services to other financial entities within the same group;

  2. ‘ICT service supply chain’ means a sequence of contractual arrangements connected with the ICT service being provided by the direct ICT third-party service provider to the financial entity, starting with the direct ICT third-party service provider which has one or multiple other ICT third-party service providers as counterparties (subcontractors);

  3. ‘rank’ means the position of an ICT third-party service provider in the ICT service supply chain.

Article 2 Ranking of ICT third-party providers in the supply chain

Financial entities shall assign a rank to each ICT third-party service provider. The rank shall be any natural number higher or equal to ‘1’ where the lower the natural number assigned to the rank, the closer the arrangement is to the financial entity.

The rank of the direct ICT third-party service provider in the ICT service supply chain shall always be ‘1’.

The rank of the subcontractor in the ICT service supply chain shall always be higher than ‘1’.

Article 3 General requirements for the templates of the register of information

1.

Financial entities shall use the templates set out in Annex I to IV to maintain and update the register of information in accordance with Article 28(3) of Regulation (EU) 2022/2554, at entity level, or at sub-consolidated and consolidated level.

2.

Financial entities shall ensure that the templates referred to in paragraph 1 include all of the following:

  1. the relevant information in relation to all the ICT services provided by direct ICT third-party providers;

  2. information on all subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof.

3.

Financial entities shall ensure that the information contained in the templates referred to in paragraph 1 is accurate and consistent. Financial entities shall review the information contained in the templates regularly and shall promptly correct any errors or discrepancies detected.

In case of groups, financial entities responsible for maintaining and updating the register of information at sub-consolidated and consolidated level shall ensure that information in relation to entity level in the consolidation is correct and consistent with the information at the sub-consolidated and consolidated level.

4.

Financial entities shall ensure that the information contained in the templates referred to in paragraph 1 adhere to the following principles of data quality:

  1. accuracy;

  2. completeness;

  3. consistency;

  4. integrity;

  5. uniformity;

  6. validity.

5.

Financial entities shall use a valid and active legal entity identifier (LEI) or the European Unique Identifier referred to in Article 16 of Directive (EU) 2017/1132 (‘EUID’), and where available both of these identifiers, to identify all of their ICT third-party service providers that are legal persons, except for individuals acting in a business capacity.

6.

Where an ICT service provided by a direct ICT third-party service provider is supporting a critical or important function of the financial entities, financial entities shall ensure through the direct ICT third-party service provider, that all the subcontractors of the direct ICT third-party service provider included in the register of information in accordance with paragraph 2, point (b), which effectively underpin/support ICT services supporting critical or important functions, use a valid and active LEI or provide their EUID, and where available both of these identifiers, except if those subcontractors are individuals acting in a business capacity.

Article 4 Data format requirement

1.

Unless otherwise specified in the instructions, each template composing the register of information shall be a table with a predefined number of columns and an indefinite number of rows.

2.

Financial entities shall complete each data element with a single value. Where more than one value is valid for a specific data element, financial entities shall add an additional row in the corresponding template for each valid value.

3.

Financial entities shall complete all data elements in the register of information at entity level, sub-consolidated and consolidated level, as applicable.

Article 5 Content of the register of information

Article 6 Scope of the register of information at sub-consolidated and consolidated level

Article 7 Entry into force

ANNEX IInstructions for completing the register of information

ANNEX IIList of activities by type of entity

ANNEX IIIType of ICT services

ANNEX IVInstruction to report the “value of total assets”