On 8 December 2023, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published the draft Regulatory Technical Standard (RTS) on the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions, and opened a consultation on it until 4 March 2024. The draft RTS specifies these elements, including risk assessments, due diligence, and monitoring obligations. If a financial entity opts for subcontracting after a thorough evaluation of risks, resources, and the potential impact on operational resilience, the draft RTS sets conditions governing the related contractual agreements: it mandates monitoring of the entire subcontracting chain and requires that the financial entity be notified of any material changes to subcontracting arrangements, to allow for further risk assessment and the raising of objections. Financial entities would retain the prerogative to terminate contracts with ICT providers in instances where subcontracting changes are made without prior approval.