Article 5 Ex-ante risk assessment

1.   The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.

2.   The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded.

The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:

(a) operational risks;

(b) legal risks;

(c) ICT risks;

(d) reputational risks;

(e) risks linked to the protection of confidential or personal data;

(f) risks linked to the availability of data;

(g) risks linked to the location where the data is processed and stored;

(h) risks linked to the location of the ICT third-party service provider;

(i) ICT concentration risks at entity level.