RTS ICT Third-Party Service Providers Art. 5 Ex-ante risk assessment

1. Overview

Ex-ante risk assessment
Summary Regulation
RTS ICT Third-Party Service Providers Art. 5, 1

1. The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.

RTS ICT Third-Party Service Providers Art. 5, 2

2. The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded.

RTS ICT Third-Party Service Providers Art. 5, 3

The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:

  • (a) operational risks;
  • (b) legal risks;
  • (c) ICT risks;
  • (d) reputational risks;
  • (e) risks linked to the protection of confidential or personal data;
  • (f) risks linked to the availability of data;
  • (g) risks linked to the location where the data is processed and stored;
  • (h) risks linked to the location of the ICT third-party service provider;
  • (i) ICT concentration risks at entity level.

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements
Source Requirement

3. Related Standards

Standards
Source Requirement