CDR 2024-1773 Article 5

Article 5 – Ex-ante risk assessment

  1. The policy shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.
  2. The policy shall require that a risk assessment is conducted at financial entity level and, where applicable, at consolidated and sub-consolidated level before a contractual arrangement is concluded.

    The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third-party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third-party service providers, including the following:

    1. operational risks;
    2. legal risks;
    3. ICT risks;
    4. reputational risks;
    5. risks linked to the protection of confidential or personal data;
    6. risks linked to the availability of data;
    7. risks linked to the location where the data is processed and stored;
    8. risks linked to the location of the ICT third-party service provider;
    9. ICT concentration risks at entity level.