
Commission Delegated Regulation (EU) 2024/1773 supplements Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, DORA) with regulatory technical standards on the policy that financial entities must maintain for contractual arrangements with ICT third-party service providers. Its aim is to preserve digital operational resilience where financial entities rely on external ICT services to support critical or important functions.
Key Requirements for ICT Contracts
Financial entities must adopt and maintain a policy on contractual arrangements for ICT services provided by third-party providers. The regulation requires that this policy cover:
- Risk assessments and due diligence before contracting ICT services.
- Clear governance responsibilities for contract approval, monitoring, and review.
- Detailed contractual clauses that secure data, preserve operational continuity, and keep the arrangement compliant with applicable regulation.
- Exit strategies to manage unexpected service disruptions or contract terminations.
Ensuring Compliance and Oversight
The regulation emphasizes continuous monitoring of ICT service providers, including annual reviews and audits of the arrangements. It also supports oversight by competent authorities, so that service providers can be checked against the legal and security requirements they must meet.
Conclusion
This regulation strengthens the resilience of financial ICT systems, mitigating risks from third-party providers and reinforcing cybersecurity and operational stability across the EU’s financial sector.
Download the document: COMMISSION DELEGATED REGULATION (EU) 2024/1773 of 13 March 2024