General Information
- Name of the critical ICT third-party service provider.
- Identification code of the critical ICT third-party service provider.
- Name of contact person and contact details of the critical ICT third-party service provider.
- Date of submission of the template.

Overview of Subcontracting Arrangements
- Mapping of the subcontracting arrangements, including a short description of the purpose and scope of the subcontracting relationships (including an indication on the level of criticality or importance of the subcontracting arrangements for the critical ICT third-party service provider).
- Specification and description of the types of ICT services subcontracted and their significance to the ICT services provided to financial entities, in line with the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.
- When specifying the types of ICT services, please refer to the list in Annex IV of the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.

Subcontractors’ Information
- Name and legal entity details (including identification code) of each subcontractor.
- Contact information of the staff members responsible for each of the subcontracting relationships in the critical ICT third-party provider management structure.
- Overview for each subcontractor of the expertise, experience and qualifications related to the contracted ICT services.

Description of Services Provided by Subcontractors
- Detailed description of the specific ICT services provided by each subcontractor.
- Breakdown of the responsibilities and tasks allocated to subcontractors by detailing the different roles in the different stages of the ICT processes.
- Information on the level of access subcontractors have to personal or otherwise sensitive data or systems regarding the ICT services provided to financial entities.
- Information on the sites from which the services of subcontractors are provided and on the measures taken to address risks arising from services provided outside the Union.

Subcontracting Governance and Oversight
- Description of the contractual and governance framework in place to manage subcontracting relationships, including clauses restricting the usage of sensitive data.
- Explanation of the processes for selecting, engaging and monitoring subcontractors.
- Overview of performance metrics, service level objectives and agreements, and key performance indicators used to assess subcontractor’s performance and reliability monitoring.

Risk Management and Compliance
- Assessment of the subcontractor’s risk profiles and potential impact on the ICT services provided to financial entities.
- Explanation of the risk mitigation measures implemented to address subcontracting-related risks.
- Details of subcontractor’s compliance with relevant regulations, including on data protection and industry standards.

Business Continuity and Contingency Planning
- Overview of the subcontractor’s business continuity and response and recovery plans.
- Description of the arrangements in place to ensure service continuity in case of disruptions or termination by the subcontractor.
- Frequency of tests of the business continuity plans and response and recovery plans by the subcontractors, dates of the latest tests over the past 3 years, and specification if the critical ICT third-party service provider has been involved in those tests.

Reporting
- Description of the reporting mechanisms and frequency of reporting between the critical ICT third-party service provider and its subcontractors.

Remediation and Incident Management
- Outline of the procedures for addressing subcontractor-related incidents, breaches or non-compliance.

Certifications and Audits
- Information on any certifications, independent audits or assessments conducted on subcontractors to validate their security controls, quality standards or regulatory compliance.
- Date and frequency of the audits of the subcontractors conducted by the critical ICT third-party service provider.