eu-regulations

{ "id": "DORA_ITS_REGISTER", "full_name": "Commission Implementing Regulation (EU) 2024/2956 - Standard Templates for Register of Information", "celex_id": "32024R2956", "eur_lex_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2956", "articles": [ { "number": "1", "title": "Definitions", "text": "For the purposes of this Regulation, the following definitions apply:\n\n1.\n\n‘direct ICT third-party service provider’ means an ICT third-party service provider or ICT intra-group service provider that signed a contractual arrangement with:\n\n(a)\n\na financial entity to provide its ICT services directly to that financial entity;\n\n(b)\n\na financial or a non-financial entity to provide its services to other financial entities within the same group;\n\n2.\n\n‘ICT service supply chain’ means a sequence of contractual arrangements connected with the ICT service being provided by the direct ICT third-party service provider to the financial entity, starting with the direct ICT third-party service provider which has one or multiple other ICT third-party service providers as counterparties (subcontractors);\n\n3.\n\n‘rank’ means the position of an ICT third-party service provider in the ICT service supply chain." }, { "number": "2", "title": "Ranking of ICT third-party providers in the supply chain", "text": "Financial entities shall assign a rank to each ICT third-party service provider. The rank shall be any natural number higher or equal to ‘1’ where the lower the natural number assigned to the rank, the closer the arrangement is to the financial entity.\n\nThe rank of the direct ICT third-party service provider in the ICT service supply chain shall always be ‘1’.\n\nThe rank of the subcontractor in the ICT service supply chain shall always be higher than ‘1’." }, { "number": "3", "title": "General requirements for the templates of the register of information", "text": "1.   Financial entities shall use the templates set out in Annex I to IV to maintain and update the register of information in accordance with Article 28(3) of Regulation (EU) 2022/2554, at entity level, or at sub-consolidated and consolidated level.\n\n2.   Financial entities shall ensure that the templates referred to in paragraph 1 include all of the following:\n\n(a)\n\nthe relevant information in relation to all the ICT services provided by direct ICT third-party providers;\n\n(b)\n\ninformation on all subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof.\n\n3.   Financial entities shall ensure that the information contained in the templates referred to in paragraph 1 is accurate and consistent. Financial entities shall review the information contained in the templates regularly and shall promptly correct any errors or discrepancies detected.\n\nIn case of groups, financial entities responsible for maintaining and updating the register of information at sub-consolidated and consolidated level shall ensure that information in relation to entity level in the consolidation is correct and consistent with the information at the sub-consolidated and consolidated level.\n\n4.   Financial entities shall ensure that the information contained in the templates referred to in paragraph 1 adhere to the following principles of data quality:\n\n(a)\n\naccuracy;\n\n(b)\n\ncompleteness;\n\n(c)\n\nconsistency;\n\n(d)\n\nintegrity;\n\n(e)\n\nuniformity;\n\n(f)\n\nvalidity.\n\n5.   Financial entities shall use a valid and active legal entity identifier (LEI) or the European Unique Identifier referred to in Article 16 of Directive (EU) 2017/1132 (‘EUID’), and where available both of these identifiers, to identify all of their ICT third-party service providers that are legal persons, except for individuals acting in a business capacity.\n\n6.   Where an ICT service provided by a direct ICT third-party service provider is supporting a critical or important function of the financial entities, financial entities shall ensure through the direct ICT third-party service provider, that all the subcontractors of the direct ICT third-party service provider included in the register of information in accordance with paragraph 2, point (b), which effectively underpin/support ICT services supporting critical or important functions, use a valid and active LEI or provide their EUID, and where available both of these identifiers, except if those subcontractors are individuals acting in a business capacity." }, { "number": "4", "title": "Data format requirement", "text": "1.   Unless otherwise specified in the instructions, each template composing the register of information shall be a table with a predefined number of columns and an indefinite number of rows.\n\n2.   Financial entities shall complete each data element with a single value. Where more than one value is valid for a specific data element, financial entities shall add an additional row in the corresponding template for each valid value.\n\n3.   Financial entities shall complete all data elements in the register of information at entity level, sub-consolidated and consolidated level, as applicable." }, { "number": "5", "title": "Content of the register of information", "text": "1.   Financial entities shall include in the register of information, in accordance with the instructions set out in Annex I, the following information:\n\n(a)\n\ngeneral information on the financial entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level, respectively, as specified in template B_01.01 of Annex I;\n\n(b)\n\ngeneral information on the entities in the consolidation as specified in template B_01.02 of Annex I;\n\n(c)\n\nidentification of the branches of financial entities located outside the home country listed in template B_01.02, where applicable, as specified in template B_01.03 of Annex I;\n\n(d)\n\ngeneral information on the contractual arrangements as specified in template B_02.01 of Annex I;\n\n(e)\n\nspecific information on the contractual arrangements as specified in template B_02.02 of Annex I;\n\n(f)\n\ninformation on the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain is intra-group as specified in template B_02.03 of Annex I;\n\n(g)\n\ninformation on the entities signing the contractual arrangements with the direct ICT third-party service providers for receiving ICT services or on behalf of the entities using the ICT services as specified in template B_03.01 of Annex I;\n\n(h)\n\nidentification of the ICT third-party service providers signing the contractual arrangements for providing ICT services as specified in template B_03.02 of Annex I;\n\n(i)\n\nidentification of the entities signing the contractual arrangements for providing ICT services to other entities in the consolidation as specified in template B_03.03 of Annex I;\n\n(j)\n\ninformation on the entities making use of the ICT services provided by the ICT third-party service providers as specified in template B_04.01 of Annex I;\n\n(k)\n\ninformation on the direct ICT third-party service providers and subcontractors, as specified in template B_05.01 of Annex I;\n\n(l)\n\ninformation on the ICT service supply chain, as specified in template B_05.02 of Annex I;\n\n(m)\n\ninformation on the identification of functions as specified in template B_06.01 of Annex I;\n\n(n)\n\ninformation on the assessment of the ICT services provided by ICT third-party service providers supporting a critical or important function or material parts thereof as specified in template B_07.01 of Annex I;\n\n(o)\n\ninformation on the terminology used by financial entities and the terms included in the closed lists and classification systems used when filling in the templates as specified in template B_99.01 of Annex I.\n\n2.   Where relevant for their risk management or contract management purposes, financial entities may include into the register of information additional information in the format that is most appropriate for the purposes of such additional information." }, { "number": "6", "title": "Scope of the register of information at sub-consolidated and consolidated level", "text": "1.   In the case of groups, the parent undertakings shall take into account the relevant sectorial Union legislation when determining which entities to be included in the register of information.\n\n2.   A register of information maintained and updated at sub-consolidated and consolidated levels shall include all financial entities and ICT intra-group service providers, which are part of the sub-group and group." }, { "number": "7", "title": "Entry into force", "text": "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Brussels, 29 November 2024.\n\nFor the Commission\n\nThe President\n\nUrsula VON DER LEYEN\n\n(1)\n\nOJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj.\n\n(2)  Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).\n\n(3)  Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj).\n\n(4)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010 p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).\n\n(5)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).\n\nANNEX I\n\nInstructions for completing the register of information\n\nPART 1\n\nGENERAL INSTRUCTIONS\n\nFinancial entities while maintaining and updating the register of information at entity, sub-consolidated and consolidated level, shall fill-in the templates of the register of information with data using the formats set out in the instructions in Part 2.\n\nPart 2 lays down instructions to be followed by financial entities to complete each column of each template. When completing the information of certain columns, financial entities shall refer to Annexes II, III and IV or other external sources. In such cases, the reference to the relevant Annexes or external sources is indicated in the instructions.\n\nList of the templates\n\nTemplate Code\n\nTemplate Name\n\nShort Description\n\nB_01.01\n\nEntity maintaining the register of information\n\nThis template identifies the entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level, respectively.\n\nB_01.02\n\nList of entities within the scope of consolidation\n\nThis template identifies all the entities belonging to the group. Where the financial entity responsible for maintaining and updating the register of information does not belong to a group, only that financial entity shall be reported in this template.\n\nB_01.03\n\nList of branches\n\nThis template identifies the branches of the financial entities referred to in template B_01.02.\n\nB_02.01\n\nContractual arrangements – general information\n\nThis template lists all contractual arrangements with direct ICT third-party service providers.\n\nFor each contractual arrangement with a direct ICT third-party service provider, the financial entity maintaining the register of information shall assign a unique ‘contractual arrangement reference number’ to identify unambiguously the contractual arrangement itself.\n\nB_02.02\n\nContractual arrangements – specific information\n\nThis template provides details in relation to each contractual arrangement listed in template B_02.01 with regard to:\n\n(a)\n\nthe ICT services included in the scope of the contractual arrangement;\n\n(b)\n\nthe functions of the financial entities supported by those ICT services;\n\n(c)\n\nother important information in relation to the specific ICT services provided (e.g. notice period, law governing the arrangement, etc.).\n\nB_02.03\n\nList of intra-group contractual arrangements\n\nThis template identifies the links between intra-group contractual arrangements and contractual arrangements with ICT third-party service providers which are not part of the group using the contractual reference numbers when part of the ICT service supply chain.\n\nB_03.01\n\nEntities signing the contractual arrangements for receiving ICT service(s) or on behalf of the entities making use of the ICT service(s)\n\nThis template provides information on the entity signing the contractual arrangements with the direct ICT third-party service provider for the entity making use of the ICT services.\n\nWhere the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services is the financial entity maintaining and updating the register of information.\n\nIn the context of sub-consolidation and consolidation, the financial entity making use of the ICT services provided is not necessarily the entity signing the contractual arrangement with the ICT third-party service providers.\n\nB_03.02\n\nICT third-party service providers signing the contractual arrangements for providing ICT service(s)\n\nThis template identifies all the ICT third-party service providers referred to in template B_05.01 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services.\n\nB_03.03\n\nEntities signing the contractual arrangements for providing ICT service(s) to other entities within the scope of consolidation\n\nThis template identifies all the entities referred to in template B_01.02 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services to other entities in the consolidation.\n\nB_04.01\n\nEntities making use of the ICT services\n\nThis template identifies all entities making uses of the ICT services provided by ICT third-party service providers and registered in the register of information.\n\nThe entities making use of the ICT services shall be either the financial entities in scope, or the ICT intra-group service providers.\n\nWhere the register of information is maintained and updated at entity level, the entity signing the contractual arrangement and the entity making use of the ICT services are the financial entity maintaining the register.\n\nB_05.01\n\nICT third-party service providers\n\nThis template lists and provides general information to identify:\n\n(a)\n\nthe direct ICT third-party service providers;\n\n(b)\n\nthe ICT intra-group service providers;\n\n(c)\n\nall subcontractors included in template B_05.02 on ICT service supply chain;\n\n(d)\n\nthe ultimate parent undertaking of the ICT third-party service providers listed in points (a), (b) and (c).\n\nB_05.02\n\nICT service supply chain\n\nThis template identifies and links the ICT third-party service providers that are part of the same ICT service supply chain.\n\nFinancial entities shall identify and rank the ICT third-party service providers for each ICT service included in each contractual arrangement.\n\nExample: a financial entity has a contractual arrangement with an ICT third-party service provider (‘ICT third-party service provider X’) to receive 2 specific ICT services (‘ICT service A’ and ‘ICT service B’) and the service provider makes use of a subcontractor (‘ICT third-party service provider Y’) to provide one of those services (‘ICT service B’).\n\n—\n\nIn relation to ICT service A, the ICT service supply chain is composed of one ICT third-party service provider, ICT third-party service provider X, which will be ranked as number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider.\n\n—\n\nIn relation to ICT service B, the ICT service supply chain is composed of two ICT third-party service providers:\n\n(a)\n\nICT third-party service provider X, which will be ranked number 1 in the template. ICT third-party service provider X is the direct ICT third-party service provider.\n\n(b)\n\nICT third-party service provider Y, which will be ranked number 2 in the template. ICT third-party service provider Y is a subcontractor.\n\nAll ICT third-party service providers belonging to the same ICT service supply chain share the same ‘contractual arrangement reference number’ as referred to in template B_02.01 and the same type of ICT services\n\nB_06.01\n\nFunctions identification\n\nThis template identifies and provides information on the functions of the financial entity making use of the ICT services.\n\nIn the information to be provided in this template, financial entities shall include a unique identifier, the ‘function identifier’ for each combination of a financial entity’s LEI, licenced activity and function.\n\nExample: a financial entity (LEI: 21USLEIC20231109J3Z8) which operates under two licensed activities (‘activity A’ and ‘activity B’) will be given two unique ‘function identifiers’ for the same function X (e.g. sales) performed for activity A and activity B, respectively. The function identifier will be:\n\nF1 for the combination of “21USLEIC20231109J3Z8”“Activity A” and ‘Function X”\n\nF2 for the combination of “21USLEIC20231109J3Z8”“Activity B” and ‘Function X”\n\nB_07.01\n\nAssessments of the ICT services\n\nThis template captures information in relation to the risk assessment of the ICT services (e.g. substitutability, date of last audit, etc.) when those ICT services are supporting a critical or important function or material part thereof.\n\nB_99.01\n\nDefinitions from entities making use of the ICT Services\n\nThis template captures entity-internal explanations, meanings, and definitions of the closed set of indicators used by the financial entity in the register of information.\n\nExample: In template B_07.01 the financial entity shall provide an indication of the impact of discontinuation of the ICT services by using a closed set of options (low, medium, high). In template B_99.01 the financial entity shall specify the meaning of those options.\n\nPART 2\n\nTEMPLATE-SPECIFIC INSTRUCTIONS\n\nInstructions to complete template B_01.01 — Financial entity maintaining the register of information\n\nIdentify the financial entity maintaining and updating the register of information.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_01.01.0010\n\nLEI of the financial entity maintaining the register of information\n\nAlphanumerical\n\nIdentify the financial entity maintaining and updating the register of information using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_01.01.0020\n\nName of the financial entity\n\nAlphanumerical\n\nLegal name of the financial entity maintaining and updating the register of information\n\nMandatory\n\nB_01.01.0030\n\nCountry of the financial entity\n\nCountry\n\nIdentify the ISO 3166–1 alpha–2 code of the country where the license or the registration of the entity reported in the register of information has been issued.\n\nMandatory\n\nB_01.01.0040\n\nType of financial entity\n\nClosed set of options\n\nIdentify the type of financial entity using one of the options in the following closed list:\n\n1.\n\ncredit institutions;\n\n2.\n\npayment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council (1);\n\n3.\n\naccount information service providers;\n\n4.\n\nelectronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC of the European Parliament and of the Council (2);\n\n5.\n\ninvestment firms;\n\n6.\n\ncrypto-asset service providers authorised under Regulation (EU) 2023/1114 of the European Parliament and of the Council (3)\n\n7.\n\nissuers of asset-referenced tokens authorised under Regulation (EU) 2023/1114;\n\n8.\n\ncentral securities depositories;\n\n9.\n\ncentral counterparties;\n\n10.\n\ntrading venues;\n\n11.\n\ntrade repositories;\n\n12.\n\nmanagers of alternative investment funds;\n\n13.\n\nmanagement companies;\n\n14.\n\ndata reporting service providers;\n\n15.\n\ninsurance and reinsurance undertakings;\n\n16.\n\ninsurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;\n\n17.\n\ninstitutions for occupational retirement provision;\n\n18.\n\ncredit rating agencies;\n\n19.\n\nadministrators of critical benchmarks;\n\n20.\n\ncrowdfunding service providers;\n\n21.\n\nsecuritisation repositories.\n\n22.\n\nother financial entity;\n\nWhere the register of information is maintained at the group level by the parent undertaking, which is not itself subject to the obligation to maintain such register, i.e. it does not fall under the definition of financial entities set out in Article 2 of the Regulation (EU) 2022/2554 (e.g., financial holding company, mixed financial holding company or mixed-activity holding company) ‘Other financial entity’ option shall be chosen.\n\nMandatory\n\nB_01.01.0050\n\nCompetent authority\n\nAlphanumerical\n\nIdentify the competent authority referred to in Article 46 of Regulation (EU) 2022/2554 to which the register of information is reported.\n\nMandatory in case of reporting\n\nB_01.01.0060\n\nDate of the reporting\n\nDate\n\nIdentify the date using ISO 8601 (yyyy–mm–dd) code of the date of reporting\n\nMandatory in case of reporting\n\nInstructions to complete template B_01.02 —List of financial entities within the scope of the register of information\n\nWhere the register of information is maintained and updated at sub-consolidated and consolidated level, this template identifies all the financial entities belonging to the sub-group and group. Where the financial entity responsible for maintaining and updating the register of information does not belong to a group, only that financial entity shall be reported in this template and the entry of this template shall be the same as template B_01.01.\n\nWhere an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, that entity is only registered as an entity maintaining the register and shall not be reported in this template.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_01.02.0010\n\nLEI of the financial entity\n\nAlphanumerical\n\nIdentify the financial entity reported in the register of information using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_01.02.0020\n\nName of the financial entity\n\nAlphanumerical\n\nLegal name of the financial entity reported in the register of information\n\nMandatory\n\nB_01.02.0030\n\nCountry of the financial entity\n\nCountry\n\nIdentify the ISO 3166–1 alpha–2 code of the country where the license or the registration of the financial entity reported in the register of information has been issued.\n\nMandatory\n\nB_01.02.0040\n\nType of financial entity\n\nClosed set of options\n\nIdentify the type of financial entity using one of the options in the following closed list:\n\n1.\n\ncredit institutions;\n\n2.\n\npayment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;\n\n3.\n\naccount information service providers;\n\n4.\n\nelectronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;\n\n5.\n\ninvestment firms;\n\n6.\n\ncrypto-asset service providers authorised under Regulation (EU) 2023/1114;\n\n7.\n\nissuers of asset-referenced tokens authorised under Regulation (EU) 2023/1114;\n\n8.\n\ncentral securities depositories;\n\n9.\n\ncentral counterparties;\n\n10.\n\ntrading venues;\n\n11.\n\ntrade repositories;\n\n12.\n\nmanagers of alternative investment funds;\n\n13.\n\nmanagement companies;\n\n14.\n\ndata reporting service providers;\n\n15.\n\ninsurance and reinsurance undertakings;\n\n16.\n\ninsurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;\n\n17.\n\ninstitutions for occupational retirement provision;\n\n18.\n\ncredit rating agencies;\n\n19.\n\nadministrators of critical benchmarks;\n\n20.\n\ncrowdfunding service providers;\n\n21.\n\nsecuritisation repositories;\n\n22.\n\nother financial entity;\n\n23.\n\nnon-financial entity: ICT intra-group service provider;\n\n24.\n\nnon-financial entity: other.\n\nMandatory\n\nB_01.02.0050\n\nHierarchy of the financial entity within the group (where applicable)\n\nClosed set of options\n\nDetermine the hierarchy of the financial entity in the consolidation using one of the options in the following closed list:\n\n1.\n\nThe financial entity is the ultimate parent undertaking in the consolidation;\n\n2.\n\nThe financial entity is the parent undertaking of a sub-consolidated part in the consolidation;\n\n3.\n\nThe financial entity is a subsidiary in the consolidation and is not a parent undertaking of a sub-consolidated part;\n\n4.\n\nThe financial entity is not part of a group;\n\n5.\n\nThe financial entity is a service provider to which the financial entity (or the third-party service provider acting on its behalf) is outsourcing all its operational activities.\n\nWhere an entity fulfils more than one options from the closed list above, the higher-level option applicable to this entity shall be selected.\n\nMandatory\n\nB_01.02.0060\n\nLEI of the direct parent undertaking of the financial entity\n\nAlphanumerical\n\nIdentify the direct parent undertaking of the financial entity reported in the register of information using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_01.02.0070\n\nDate of last update\n\nDate\n\nIdentify the date using ISO 8601 (yyyy–mm–dd) code of the date of the last update or modification made in the register of information in relation to the financial entity.\n\nMandatory\n\nB_01.02.0080\n\nDate of integration in the register of information\n\nDate\n\nIdentify the date using ISO 8601 (yyyy–mm–dd) code of the date of integration of the financial entity into the register of information\n\nMandatory\n\nB_01.02.0090\n\nDate of deletion in the register of information\n\nDate\n\nIdentify the date using ISO 8601 (yyyy–mm–dd) code of the date of deletion of the financial entity from the register of information.\n\nWhere the financial entity has not been deleted, ‘9999-12-31’ shall be reported.\n\nMandatory\n\nB_01.02.0100\n\nCurrency\n\nCurrency\n\nIdentify the ISO 4217 alphabetic code of the currency used for the preparation of the financial entity’s financial statements.\n\nThe currency reported shall be the same currency used by the financial entity for the preparation of the financial statements at entity, sub-consolidated or consolidated level, as applicable.\n\nMandatory only if B_01.02.0110 is reported\n\nB_01.02.0110\n\nValue of total assets of the financial entity\n\nMonetary\n\nMonetary value of total assets of the financial entity as reported in the financial entity’s annual financial statement of the year before the date of the last update of the register of information. Monetary value shall be reported in units.\n\nRefer to Annex IV for the filling in this column.\n\nMandatory if the entity is a financial entity\n\nInstructions to complete template B_01.03 — List of branches\n\nWhere a financial entity has branches located outside its home country, identify those branches through this template.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_01.03.0010\n\nIdentification code of the branch\n\nAlphanumerical\n\nIdentify a branch of a financial entity located outside its home country using a unique code for each branch. One of the options in the following closed list shall be used:\n\n(a)\n\nLEI of the branch if unique for this branch and different from B_01.03.0020;\n\n(b)\n\nother identification code used by the financial entity to identify the branch (where the LEI of the branch is equivalent to the one in template B_01.03.0020 or equivalent to the LEI of another branch).\n\nMandatory\n\nB_01.03.0020\n\nLEI of the financial entity head office of the branch\n\nAlphanumerical\n\nAs reported in B_01.02.0010\n\nIdentify the financial entity head office of the branch, using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_01.03.0030\n\nName of the branch\n\nAlphanumerical\n\nIdentify the name of the branch\n\nMandatory\n\nB_01.03.0040\n\nCountry of the branch\n\nCountry\n\nIdentify the ISO 3166–1 alpha–2 code of the country where the branch is located.\n\nMandatory\n\nInstructions to complete template B_02.01 — Contractual arrangements – General information\n\nFinancial entities shall designate a ‘contractual arrangement reference number’ for each contractual arrangement in the register of information. Where the external ICT third-party service provider is making use of subcontractors, financial entities shall not include in the register of information a ‘contractual arrangement reference number’ for arrangements between the external ICT third-party service providers and their subcontractors. In case of an ICT intra-group service provider, financial entities shall include the ‘contractual arrangement reference number’ between this ICT intra-group service provider and its ICT third-party service providers in this template and shall populate the template B_02.03 (List of intra-group contractual arrangements) accordingly.\n\nThe ‘contractual arrangement reference number’ shall refer to the following type of contractual arrangements:\n\n(a)\n\nany kind of standalone arrangements;\n\n(b)\n\nany kind of ‘overarching or framework arrangements’, including master and framework arrangements;\n\n(c)\n\nany kind of ‘subsequent or associated arrangements’, including implementing arrangements, subservice arrangements, order forms.\n\nThe contract reference number does not refer to any kind of service level agreement subordinated to any of the types of contractual arrangements referred to in points (a), (b) and (c) above.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill -in Instruction\n\nFill-in Option\n\nB_02.01.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nIdentify the contractual arrangement between the financial entity or, in case of a group, the group subsidiary and the direct ICT third-party service provider.\n\nThe contractual arrangement reference number is the internal reference number of the contractual arrangement assigned by the financial entity.\n\nThe contractual arrangement reference number shall be unique and consistent over time at entity, sub-consolidated and consolidated level, where applicable.\n\nThe contractual arrangement reference number shall be used consistently across all templates of the register of information when referring to the same contractual arrangement.\n\nFor the case where an entity is acting on behalf of a financial entity for all the activities of the financial entity including the ICT services (refer to recital 7) the contractual arrangement reference number can be the contractual arrangement between the entity and its direct ICT third-party service provider.\n\nMandatory\n\nB_02.01.0020\n\nType of contractual arrangement\n\nClosed set of options\n\nIdentify the type of contractual arrangement by using one of the options in the following closed list:\n\n1.\n\nstandalone arrangement;\n\n2.\n\noverarching / master contractual arrangement;\n\n3.\n\nsubsequent or associated arrangement.\n\nMandatory\n\nB_02.01.0030\n\nOverarching contractual arrangement reference number\n\nAlphanumerical\n\nNot applicable if the contractual arrangement is the ‘overarching contractual arrangement’ or a ‘standalone arrangement’. In the other cases, report the contractual arrangement reference number of the overarching arrangement, which shall be equal to the value as reported in column B_02.01.0010 when reporting the overarching contractual arrangement.\n\nMandatory\n\nB_02.01.0040\n\nCurrency of the amount reported in B_02.01.0050\n\nCurrency\n\nIdentify the ISO 4217 alphabetic code of the currency used to express the amount in B_02.01.0050.\n\nMandatory\n\nB_02.01.0050\n\nAnnual expense or estimated cost of the contractual arrangement for the past year\n\nMonetary\n\nAnnual expenses or estimated costs (or intragroup transfer) of the ICT services contractual arrangement for the past year. Monetary value shall be reported in units.\n\nThe annual expense or estimated cost shall be expressed in the currency reported in B_01.02.0040.\n\nIn case of an overarching arrangement with subsequent or associated arrangements, the sum of the annual expenses or estimated costs reported for the overarching arrangement and the subsequent or associated arrangements shall be equal to the total expenses or estimated costs for the overall contractual arrangement. There shall be no repetition or duplication of annual expenses or estimated costs. The following cases should be reflected:\n\n(a)\n\nwhere the annual expenses or estimate costs are not determined at the level of the overarching arrangement (i.e. they are 0), the annual expenses or estimated costs shall be reported at the level of each subsequent or associated arrangements.\n\n(b)\n\nwhere the annual expenses or estimated costs cannot be reported for each of the subsequent or associated arrangements, the total annual expenses or estimated costs shall be reported at the level of the overarching arrangement.\n\n(c)\n\nwhere there are annual expenses or estimated costs related to each level of the arrangement, i.e. overarching and subsequent or associated, and that information is available, the annual expenses or estimated costs shall be reported without duplication at each level of the contractual arrangement.\n\nMandatory\n\nInstructions to complete template B_02.02 — Contractual arrangements – Specific information\n\nFinancial entities shall fill in this template with the maximum level of granularity possible. Where the contractual arrangement includes multiple ICT services supporting multiple functions, financial entities shall use as many rows as the elements in the template by combining the ICT services covered in the contractual arrangement and the financial entity’s functions.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_02.02.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.01.0010\n\nMandatory\n\nB_02.02.0020\n\nLEI of the financial entity making use of the ICT service(s)\n\nAlphanumerical\n\nAs reported in B_04.01.0020\n\nIdentify the financial entity making use of the ICT service(s) using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_02.02.0030\n\nIdentification code of the ICT third-party service provider\n\nAlphanumerical\n\nAs reported in B_05.01.0010\n\nCode to identify the ICT third-party service provider as reported in B_05.01.0010 for that provider.\n\nMandatory\n\nB_02.02.0040\n\nType of code to identify the ICT third-party service provider\n\nPattern\n\nAs reported in B_05.01.0020\n\nType of code to identify the ICT third-party service provider in B_02.02.0030 as reported in B_05.01.0020 for that provider.\n\nMandatory\n\nB_02.02.0050\n\nFunction identifier\n\nPattern\n\nAs defined by the financial entity in B_06.01.0010\n\nMandatory\n\nB_02.02.0060\n\nType of ICT services\n\nClosed set of options\n\nOne of the types of ICT services referred to in Annex III\n\nMandatory\n\nB_02.02.0070\n\nStart date of the contractual arrangement\n\nDate\n\nIdentify the date of entry into force of the contractual arrangement as stipulated in the contractual arrangement using the ISO 8601 (yyyy–mm–dd) code\n\nMandatory\n\nB_02.02.0080\n\nEnd date of the contractual arrangement\n\nDate\n\nIdentify the end date as stipulated in the contractual arrangement using the ISO 8601 (yyyy–mm–dd) code. Where the contractual arrangement is indefinite, it shall be filled in with ‘9999-12-31’. Where the contractual arrangement has been terminated on a date different than the end date, this shall be filled in with the termination date.\n\nWhere the contractual arrangement foresees a renewal, this shall be filled in with the date of the contract renewal as stipulated in the contractual arrangement.\n\nMandatory\n\nB_02.02.0090\n\nReason of the termination or ending of the contractual arrangement\n\nClosed set of options\n\nWhere the contractual arrangement has been terminated or ended, identify the reason of the termination or ending of the contractual arrangements using one of the options in the following closed list:\n\n1.\n\nTermination not for cause: The contractual arrangement has expired/ended and has not been renewed by any of the parties;\n\n2.\n\nTermination for cause: The contractual arrangement has been terminated, the ICT third-party service provider being in a breach of applicable law, regulations or contractual provisions;\n\n3.\n\nTermination for cause: The contractual arrangement has been terminated, due to the fact that impediments of the ICT third-party service provider capable of altering the supported function have been identified;\n\n4.\n\nTermination for cause: The contractual arrangement has been terminated due to weaknesses of the ICT third-party service provider regarding the management and security of sensitive data or information of any of the counterparties;\n\n5.\n\nTermination following a request by a competent authority: The contractual arrangement has been terminated following a request by a competent Authority.\n\n6.\n\nOther: The contractual arrangement has been terminated by any of the parties for any other reason than the reasons referred to in points 1 to 5.\n\nMandatory if the contractual arrangement is terminated\n\nB_02.02.0100\n\nNotice period for the financial entity making use of the ICT service(s)\n\nNatural number\n\nIdentify the notice period for terminating the contractual arrangement by the financial entity in a business-as-usual case. The notice period shall be expressed as number of calendar days from the counterparty’s receipt of the request to terminate the ICT service.\n\nMandatory if the ICT service is supporting a critical or important function\n\nB_02.02.0110\n\nNotice period for the ICT third-party service provider\n\nNatural number\n\nIdentify the notice period for terminating the contractual arrangement by the direct ICT third-party service provider in a business-as-usual case. The notice period shall be expressed as number of calendar days from the counterparty’s receipt of the request to terminate the ICT service.\n\nMandatory if the ICT service is supporting a critical or important function\n\nB_02.02.0120\n\nCountry of the governing law of the contractual arrangement\n\nCountry\n\nIdentify the country of the governing law of the contractual arrangement using the ISO 3166–1 alpha–2 code.\n\nMandatory if the ICT service is supporting a critical or important function\n\nB_02.02.0130\n\nCountry of provision of the ICT services\n\nCountry\n\nIdentify the country from where the ICT services are provided using the ISO 3166–1 alpha–2 code.\n\nMandatory if the ICT service is supporting a critical or important function\n\nB_02.02.0140\n\nStorage of data\n\n[Yes/No]\n\nIs the ICT service related to (or does it foresee) storage of data (even temporarily)?\n\nOne of the options provided in the following closed list:\n\n1.\n\nYes;\n\n2.\n\nNo.\n\nMandatory if the ICT service is supporting a critical or important function\n\nB_02.02.0150\n\nLocation of the data at rest (storage)\n\nCountry\n\nIdentify the country of location of the data at rest (storage) using the ISO 3166–1 alpha–2 code.\n\nIf there are several countries of location, additional row(s) shall be used for each country.\n\nMandatory if ’Yes’ is reported in B_02.02.0140\n\nB_02.02.0160\n\nLocation of management of the data (processing)\n\nCountry\n\nIdentify the country of location of the management of the data (processing) using the ISO 3166–1 alpha–2 code.\n\nIf there are several countries of location, additional row(s) shall be used for each country.\n\nMandatory if the ICT service is based on or foresees data processing\n\nB_02.02.0170\n\nSensitiveness of the data stored by the ICT third-party service provider\n\nClosed set of options\n\nIdentify the level of sensitiveness of the data stored or processed by the ICT third-party service provider using one of the options provided in the following closed list:\n\n1.\n\nLow\n\n2.\n\nMedium;\n\n3.\n\nHigh.\n\nThe most sensitive data take precedence: e.g. if both ‘Medium’ and ‘High’ apply, then ‘High’ shall be selected.\n\nMandatory if the ICT third-party service provider stores data and if the ICT service is supporting a critical or important function or material part thereof\n\nB_02.02.0180\n\nLevel of reliance on the ICT service supporting the critical or important function.\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nNot significant;\n\n2.\n\nLow reliance: in case of disruption of the services, the supported functions would not be significantly impacted (no interruption, no important damage) or disruption can be resolved quickly and with minimal impact on the functions supported;\n\n3.\n\nMaterial reliance: in case of disruption of the services, the supported functions would be significantly impacted if the disruption lasts more than a few minutes/few hours, and the disruption may cause damages, but is still manageable;\n\n4.\n\nFull reliance: in case of disruption of the services, the supported functions would be immediately and severely interrupted/damaged, for a long period.\n\nMandatory if the ICT service is supporting a critical or important function or material part thereof\n\nInstructions to complete template B_02.03 — List of intra-group contractual arrangements\n\nTemplate B_02.03 identifies contractual arrangements from the same ICT service supply chain using the intra-group contractual reference numbers in cases where the ICT service supply chain contains ICT intra-group service providers, i.e. where at least one of the ICT third-party service providers in the ICT service supply chain is an entity belonging to the same group of the entity making use of the ICT services.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_02.03.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nReference number of the contractual arrangement between the entity making use of the ICT service(s) provided and the ICT intra-group service provider.\n\nThe contractual arrangement reference number shall be unique and consistent over time and across all the group.\n\nMandatory\n\nB_02.03.0020\n\nContractual arrangement linked to the contractual arrangement referred in B_02.03.0010\n\nAlphanumerical\n\nContractual arrangement reference number of the contractual arrangement between the ICT intra-group service provider of the contractual arrangement in B_02.03.0010 and its direct ICT third-party service provider.\n\nMandatory\n\nInstructions to complete template B_03.01 — Entities signing the contractual arrangements for receiving ICT service(s) on behalf of the financial entities making use of the ICT service(s)\n\nIdentify all the financial entities referred to in template B_01.02 signing the contractual arrangements referred to in template B_02.01 for receiving the ICT services. Where the register of information is maintained and updated at entity level the financial entity signing the contractual arrangements is the financial entity maintaining and updating the register of information itself.\n\nThe entities signing the contractual arrangement is not necessarily a financial entity nor the financial entity making use of the ICT services provided by the ICT third-party service provider.\n\nFor example, the entity signing the contractual arrangement referred to in the second subparagraph can be an ICT intra-group service provider, a financial or non-financial entity belonging to the same group of the financial entities making use of the ICT services provided by the ICT third-party service provider.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_03.01.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.02.0010\n\nIdentify the contractual arrangement reference number signed by the undertaking\n\nMandatory\n\nB_03.01.0020\n\nLEI of the entity signing the contractual arrangement\n\nAlphanumerical\n\nIdentify the undertaking signing the contractual arrangement using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard or the EUID.\n\nMandatory\n\nInstructions to complete template B_03.02 — ICT third-party service providers signing the contractual arrangements for providing ICT service(s)\n\nIdentify all the ICT third-party service providers referred to in template B_05.01 signing the contractual arrangements referred to in template B_02.01 for providing the ICT services.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_03.02.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.02.0010\n\nIdentify the contractual arrangement reference number signed by the ICT third-party service provider\n\nMandatory\n\nB_03.02.0020\n\nIdentification code of ICT third-party service provider\n\nAlphanumerical\n\nAs reported in B_05.01.0010\n\nCode to identify the ICT third-party service provider as reported in B_05.01.0020 for that provider.\n\nMandatory\n\nB_03.02.0030\n\nType of code to identify the ICT third-party service provider\n\nPattern\n\nAs reported in B_05.01.0020\n\nType of code to identify the ICT third-party service provider in B_03.02.0020 as reported in B_05.01.0020 for that provider.\n\nMandatory\n\nInstructions to complete template B_03.03 — Financial entities signing the contractual arrangements for providing ICT service(s) to other financial entities in the consolidation.\n\nIdentify all financial entities referred to in template B_01.02 that have signed contractual arrangements as referred to in template B_02.01 for providing ICT services to other entities in the consolidation referred to in template B_01.02.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_03.03.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.02.0010\n\nIdentify the reference number of the contractual arrangement signed by the entity for providing ICT service(s)\n\nMandatory\n\nB_03.03.0020\n\nLEI of the financial entity providing ICT services\n\nAlphanumerical\n\nAs reported in B_01.02.0010\n\nIdentify the entity providing ICT services using LEI, 20-character, alpha-numeric code based on the ISO 17442 standard.\n\nMandatory\n\nInstructions to complete template B_04.01 —Financial entities making use of the ICT services\n\nAll financial entities referred to in template B_01.02 and branches of financial entities referred to in template B_01.03 that are making use of the ICT services provided by an ICT third-party provider shall be reported in this template.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_04.01.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.01.0010\n\nIdentify the reference number of the contractual arrangement in relation to the financial entity making use of the ICT services provided\n\nMandatory\n\nB_04.01.0020\n\nLEI of the financial entity making use of the ICT service(s)\n\nAlphanumerical\n\nIdentify the financial entity making use of the ICT service(s) using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_04.01.0030\n\nNature of the financial entity making use of the ICT service(s)\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nThe financial entity making use of the ICT service(s) is a branch of a financial entity\n\n2.\n\nThe financial entity making use of the ICT service(s) is not a branch\n\nMandatory\n\nB_04.01.0040\n\nIdentification code of the branch\n\nAlphanumerical\n\nIdentification code of the branch as reported in B_01.03.0010\n\nMandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030)\n\nInstructions to complete template B_05.01 — ICT third-party service provider\n\nFinancial entities shall identify all the relevant ICT third-party service providers, including:\n\n(a)\n\nall the direct ICT third-party service providers;\n\n(b)\n\nall ICT intra-group service provider;\n\n(c)\n\nall subcontractors that are identified in template B_05.02 on the ICT service supply chain;\n\n(d)\n\nall ultimate parent undertakings of the ICT third-party service providers referred to in points (a), (b) and (c) above.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_05.01.0010\n\nIdentification code of ICT third-party service provider\n\nAlphanumerical\n\nCode to identify the ICT third-party service provider.\n\nWhere LEI is used, it shall be provided as a 20-character, alpha-numeric code based on the ISO 17442 standard.\n\nWhere EUID is used, it shall be provided as specified in Article 9 of the Commission Implementing Regulation (EU) 2021/1042.\n\nMandatory\n\nB_05.01.0020\n\nType of code to identify the ICT third-party service provider\n\nPattern\n\nType of code to identify the ICT third-party service provider reported in B_05.01.0010\n\n1.\n\n‘LEI’ for LEI\n\n2.\n\n‘EUID’ for EUID\n\n3.\n\n‘Country Code’+Underscore+’Type of Code’ for non LEI and non EUID code\n\nCountry Code: Identify the ISO 3166–1 alpha–2 code of the country of issuance of the other code to identify the ICT third-party service provider\n\nType of Code:\n\n1.\n\nCRN for Corporate registration number\n\n2.\n\nVAT for VAT number\n\n3.\n\nPNR for Passport Number\n\n4.\n\nNIN for National Identity Number\n\nOnly LEI or EUID shall be used for legal persons, as identified in B_05.01.0070, whereas alternative code may be used only for an individual acting in a business capacity.\n\nOnly LEI shall be used for legal persons that are not established in the Union.\n\nMandatory\n\nB_05.01.0030\n\nAdditional identification code of ICT third-party service provider\n\nAlphanumerical\n\nAdditional code to identify the ICT third-party service provider, where available.\n\nOptional\n\nB_05.01.0040\n\nType of additional identification code to identify the ICT third-party service provider\n\nPattern\n\nThe type of additional code to identify the ICT third-party service provider reported in B_05.01.0030:\n\n1.\n\n‘LEI’ for LEI\n\n2.\n\n‘EUID’ for EUID\n\n3.\n\nCRN for Corporate registration number\n\n4.\n\nVAT for VAT number\n\n5.\n\nPNR for Passport Number\n\n6.\n\nNIN for National Identity Number\n\nLEI or EUID shall be used for legal persons, as identified in B_05.01.0070, whereas alternative code may be used only for an individual acting in a business capacity.\n\nOnly LEI shall be used for legal persons that are not established in the Union.\n\nMandatory, if B_05.01.0030 is reported\n\nB_05.01.0050\n\nLegal name of the ICT third-party service provider\n\nAlphanumerical\n\nLegal name of the ICT third-party service provider as registered in business register in Latin, Cyrillic or Greek alphabets.\n\nMandatory\n\nB_05.01.0060\n\nName of the ICT third-party service provider in Latin alphabet\n\nAlphanumerical\n\nName of the ICT third-party service provider in Latin alphabet.\n\nWhere the name of the ICT third-party service provider reported in B_05.01.0050 is in Latin alphabet, it shall be repeated also in this data field.\n\nMandatory\n\nB_05.01.0070\n\nType of person of the ICT third-party service provider\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nLegal person, excluding individuals acting in business capacity\n\n2.\n\nIndividual acting in a business capacity\n\nMandatory\n\nB_05.01.0080\n\nCountry of the ICT third-party service provider’s headquarters\n\nCountry\n\nIdentify the ISO 3166–1 alpha–2 code of the country in which the global operating headquarters of ICT third-party service provider are located (usually, this country is the country of tax residence).\n\nMandatory\n\nB_05.01.0090\n\nCurrency of the amount reported in B_05.01.0070\n\nCurrency\n\nIdentify the ISO 4217 alphabetic code of the currency used to express the amount in B_05.01.0100.\n\nThe currency reported shall be the same currency used by the financial entity for the preparation of the financial statements at entity, sub-consolidated or consolidated level, as applicable.\n\nMandatory if B_05.01.0100 is reported\n\nB_05.01.0100\n\nTotal annual expense or estimated cost of the ICT third-party service provider\n\nMonetary\n\nAnnual expense or estimated cost for using the ICT services provided by the ICT third-party service provider to the entities making use of the ICT services. Monetary value shall be reported in units.\n\nMandatory if the ICT third-party service provider is a direct ICT third-party service provider\n\nB_05.01.0110\n\nIdentification code of the ICT third-party service provider’s ultimate parent undertaking\n\nAlphanumerical\n\nCode to identify the ICT third-party service provider’s ultimate parent undertaking.\n\nThe code used to identify ultimate parent undertaking in this field shall match the identification code provided in B_05.01.0010 for that ultimate parent undertaking.\n\nWhere the ICT third-party service provider is not part of a group, the identification code used to identify that ICT third-party service provider in B_05.01.0010 shall be repeated also in this data field.\n\nMandatory if the ICT third-party service provider is not the ultimate parent undertaking\n\nB_05.01.0120\n\nType of code to identify the ICT third-party service provider’s ultimate parent undertaking\n\nPattern\n\nType of code to identify the ICT third-party service provider’s ultimate parent undertaking in B_05.01.0110.\n\nThe type of the code used to identify ultimate parent undertaking in this field shall match the identification code provided in B_05.01.0020 for that ultimate parent undertaking.\n\nWhere the ICT third-party service provider is not part of a group, the type of the identification code used to identify that ICT third-party service provider in B_05.01.0020 shall be repeated also in this data field.\n\nMandatory if the ICT third-party service provider is not the ultimate parent undertaking\n\nInstructions to complete template B_05.02 — ICT service supply chains\n\nThis template identifies and links the ICT third-party service providers that are part of the same ICT service supply chain together.\n\nThe ICT service supply chain shall include, where applicable:\n\n(a)\n\nall direct ICT third-party service providers;\n\n(b)\n\nall ICT intragroup service providers;\n\n(c)\n\nfor the ICT services supporting a critical or important function or material part thereof, all subcontractors that effectively underpin the provision of those ICT services (i.e. all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision);\n\n(d)\n\nwhere an ICT intragroup service provider uses subcontractors to provide their ICT services to the financial entity, at least the first extra-group subcontractor even if the ICT services provided do not support a critical or important function or material parts thereof.\n\nAll ICT third-party service providers belonging to the same ICT service supply chain share:\n\n(a)\n\nthe same ‘contractual arrangement reference number’ as referred to in template B_02.01;\n\n(b)\n\nthe same ‘type of ICT services’ as referred to in Annex III;\n\nEach ICT third-party service provider that belongs to the same ICT service supply chain is assigned with a ‘rank’ (template B_05.02.0050) to identify its position within the ICT service supply chain. Where multiple ICT third-party service providers have the same position within the same ICT service supply chain, those providers shall be assigned with the same ‘rank’. In accordance with Article 2, the direct ICT third-party service providers are therefore at rank 1. If the rank is higher than 1, the ICT third-party service providers are subcontractors.\n\nTo link the ICT third-party service providers that belong to the same ICT service supply chain together, for each ICT subcontractor (i.e. where the ‘rank’ is higher than 1) financial entities shall identify the ICT third-party service provider that receives its subcontracted services. The identification of the ICT third-party service provider that receives the subcontracted services shall be carried out by using the columns B_05.02.0060 and B_05.02.0070.\n\nFor each ICT service supply chain (i.e., a combination of a \"contractual arrangement reference number\" and a \"type of ICT services\", where there are multiple ICT third-party service providers receiving the subcontracted services, all of those service providers shall be reported in separate rows in the template. The same logic applies at each rank of the ICT service supply chain.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_05.02.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.01.0010\n\nMandatory\n\nB_05.02.0020\n\nType of ICT services\n\nClosed set of options\n\nOne of the types of ICT services referred to in Annex III\n\nMandatory\n\nB_05.02.0030\n\nIdentification code of the ICT third-party service provider\n\nAlphanumerical\n\nAs reported in B_05.01.0010 for that ICT third-party service provider.\n\nExamples:\n\n—\n\nThe identification code of the direct ICT third-party service provider providing ICT service to the financial entity making use of it;\n\n—\n\nThe identification code of the subcontractor at rank 2 providing service to the direct ICT third-party service provider.\n\nMandatory\n\nB_05.02.0040\n\nType of code to identify the ICT third-party service provider\n\nPattern\n\nAs reported in B_05.01.0020 for that ICT third-party service provider.\n\nMandatory\n\nB_05.02.0050\n\nRank\n\nNatural number\n\nWhere the ICT third-party service provider is signing the contractual arrangement with the financial entity, it is considered as a direct ICT third-party service provider and the ‘rank’ to be reported shall be 1;\n\nWhere the ICT third-party service provider is signing the contract with the direct ICT third-party service provider, it is considered as a subcontractor and the ‘rank’ to be reported shall be 2;\n\nThe same logic apply to all the following subcontractors by incrementing the ‘rank’.\n\nWhere multiple ICT third-party service providers have the same ‘rank’ in the ICT service supply chain, financial entities shall report the same ‘rank’ for all those ICT third-party service providers.\n\nMandatory\n\nB_05.02.0060\n\nIdentification code of the recipient of sub-contracted ICT services\n\nAlphanumerical\n\nTo be left blank if the ICT third-party service provider (template B_05.02.0030) is a direct ICT third-party service provider i.e. at ‘rank’ r = 1 (template B_05.02.0050);\n\nWhere the ICT third-party service provider is at ‘rank’ r = n where n>1, indicate the ‘Identification code of the recipient of the sub-contracted services’ at ‘rank’ r=n-1 that subcontracted the ICT service (even partially) to the ICT third-party service provider at ‘rank’ r=n.\n\nExamples:\n\n—\n\nThe identification code of the direct ICT third-party service provider receiving the service from the subcontractor at rank 2;\n\n—\n\nThe identification code of the subcontractor at rank 2 receiving the service from the subcontractor at rank 3.\n\nThe code used to identify the recipient of sub-contracted ICT services shall match the identification code provided in B_05.01.0010 for that provider.\n\nMandatory Not applicable for rank 1\n\nB_05.02.0070\n\nType of code to identify the recipient of sub-contracted ICT services\n\nPattern\n\nTo be left blank where the ICT third-party service provider template B_05.02.0030) is at rank r = 1 (template B_05.02.0050);\n\nWhere the ICT third-party service provider is at ‘rank’ r = n where n>1, indicate the ‘Type of code to identify the recipient of the sub-contracted service’ at ‘rank’ r=n-1 that subcontracted the ICT service (even partially) to the ICT third-party service provider at ‘rank’ r=n.\n\n1.\n\n‘LEI’ for LEI\n\n2.\n\n‘EUID’ for EUID\n\n3.\n\nCRN for Corporate registration number\n\n4.\n\nVAT for VAT number\n\n5.\n\nPNR for Passport Number\n\n6.\n\nNIN for National Identity Number\n\nThe type of code used to identify the recipient of sub-contracted ICT services shall match the identification code provided in B_05.01.0020 for that provider.\n\nMandatory Not applicable for rank 1\n\nInstructions to complete template B_06.01 — Functions identification\n\nFinancial entities shall identify and provide information on all functions of the financial entity according to the financial entity’s internal organisation supported by an ICT service provided by ICT third-party service providers.\n\nEach combination of the following items shall have a unique function identifier assigned:\n\n(a)\n\n‘LEI of the financial entity making use of the ICT service(s)’ column B_06.01.0040;\n\n(b)\n\n‘Licenced activity’ column B_06.01.0020;\n\n(c)\n\n‘Function name’ column B_06.01.0030.\n\nFinancial entities shall use as many rows as the elements in the template by combining the two items above to fill-in this template.\n\nColumn Code\n\nColumn Name\n\nType\n\nInstruction\n\nFill-in Option\n\nB_06.01.0010\n\nFunction Identifier\n\nPattern\n\nThe function identifier shall be composed by the letter F (capital letter) followed by a natural number (e.g. “F1” for the 1st function identifier and “Fn” for the nth function identifier with “n” being a natural number).\n\nEach combination between ‘LEI of the financial entity making use of the ICT service(s)’ (B_06.01.0040), ‘Function name’ (B_06.01.0030) and ‘Licenced activity’ (B_06.01.0020) shall have a unique function identifier.\n\nExample: a financial entity which operates under two licensed activities (‘activity A’ and ‘activity B’) will be given two unique ‘function identifiers’ for the same function X (e.g. Sales) performed for activity A and activity B.\n\nMandatory\n\nB_06.01.0020\n\nLicenced activity\n\nClosed set of options\n\nOne of the licenced activities referred to in the underlying legal acts listed in Annex II for the different types of financial entities.\n\nWhere the function is not linked to a registered or licenced activity, ‘support functions’ shall be reported.\n\nMandatory\n\nB_06.01.0030\n\nFunction name\n\nAlphanumerical\n\nFunction name according to the financial entity’s internal organisation.\n\nMandatory\n\nB_06.01.0040\n\nLEI of the financial entity\n\nAlphanumerical\n\nAs reported in B_04.01.0020\n\nIdentify the financial entity using the LEI, 20-character, alpha-numeric code based on the ISO 17442 standard\n\nMandatory\n\nB_06.01.0060\n\nCriticality or importance assessment\n\nClosed set of options\n\nUse this column to indicate whether the function is critical or important according to the financial entity’s assessment. One of the options in the following closed list shall be used:\n\n1.\n\nYes;\n\n2.\n\nNo;\n\n3.\n\nAssessment not performed.\n\nMandatory\n\nB_06.01.0070\n\nReasons for criticality or importance\n\nAlphanumerical\n\nBrief explanation on the reasons for classifying the function as critical or important (300 characters maximum)\n\nOptional\n\nB_06.01.0080\n\nDate of the last assessment of criticality or importance\n\nDate\n\nIdentify the date using ISO 8601 (yyyy–mm–dd) code of the date of the last assessment of criticality or importance in case the function is supported by ICT services provided by ICT third-party service providers.\n\nWhere the assessment of the function’s criticality or importance is not performed, it shall be filled in with ‘9999-12-31’\n\nMandatory\n\nB_06.01.0090\n\nRecovery time objective of the function\n\nNatural number\n\nIn number of hours. Where the recovery time objective is less than 1 hour, ‘1’ shall be reported. Where the recovery time objective of the function is not defined, ‘0’ shall be reported.\n\nMandatory\n\nB_06.01.0100\n\nRecovery point objective of the function\n\nNatural number\n\nIn number of hours. Where the recovery point objective is less than 1 hour, ‘1’ shall be reported. Where the recovery point objective of the function is not defined, ‘0’ shall be reported.\n\nMandatory\n\nB_06.01.0110\n\nImpact of discontinuing the function\n\nClosed set of options\n\nUse this column to indicate the impact of discontinuing the function according to the financial entity’s assessment. One of the options in the following closed list shall be used:\n\n1.\n\nLow\n\n2.\n\nMedium;\n\n3.\n\nHigh;\n\n4.\n\nAssessment not performed.\n\nMandatory\n\nInstructions to complete template B_07.01 — Assessment of the ICT services\n\nWhen supporting a critical or important function or material parts thereof, this template enables further assessments of the ICT services provided by ICT third-party service providers, including the first extra-group subcontractor in the ICT service supply chain when the prior ICT third-party service providers are intra-group, to the financial entity.\n\nColumn Code\n\nColumn Name\n\nType\n\nFill-in Instruction\n\nFill-in Option\n\nB_07.01.0010\n\nContractual arrangement reference number\n\nAlphanumerical\n\nAs reported in B_02.01.0010\n\nMandatory\n\nB_07.01.0020\n\nIdentification code of the ICT third-party service provider\n\nAlphanumerical\n\nAs reported in B_05.01.0010\n\nMandatory\n\nB_07.01.0030\n\nType of code to identify the ICT third-party service provider\n\nPattern\n\nAs reported in B_05.01.0020\n\nMandatory\n\nB_07.01.0040\n\nType of ICT services\n\nClosed set of options\n\nOne of the types of ICT services referred to in Annex III\n\nMandatory\n\nB_07.01.0050\n\nSubstitutability of the ICT third-party service provider\n\nClosed set of options\n\nUse this column to provide the results of the financial entity’s assessment in relation to the degree of substitutability of the ICT third-party service provider to perform the specific ICT services supporting a critical or important function.\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nNot substitutable;\n\n2.\n\nHighly complex substitutability;\n\n3.\n\nMedium complexity in terms of substitutability;\n\n4.\n\nEasily substitutable.\n\nMandatory\n\nB_07.01.0060\n\nReason where the ICT third-party service provider is considered not substitutable or difficult to be substitutable\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nThe lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant ICT third-party service provider, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;\n\n2.\n\nDifficulties in relation to a partial or full migration of the relevant data and workloads from the relevant ICT third- party service provider to another ICT third-party service provider or by reintegrating them in the financial entity’s operations, due either to significant financial costs, time or other resources that the migration process may entail, or to an increased ICT risk or other operational risks to which the financial entity might be exposed;\n\n3.\n\nBoth reasons referred to in points 1 and 2.\n\nMandatory in case “not substitutable” or “highly complex substitutability” is selected in B_07.01.0041\n\nB_07.01.0070\n\nDate of the last audit on the ICT third-party service provider\n\nDate\n\nUse this column to provide the date of the last audit on the specific ICT services provided by the ICT third-party service provider.\n\nThis column relates to audits conducted by any of the following:\n\n(a)\n\nthe internal audit department or any other additional qualified personnel of the financial entity;\n\n(b)\n\na joint team together with other clients of the same ICT third-party service provider (‘pooled audit’);\n\n(c)\n\na third party appointed by the supervised entity to audit the service provider.\n\nThis column does not relate to the reception or reference date of third-party certifications or internal audit reports of the ICT third-party service provider, the annual monitoring date of the arrangement by the financial entity or the date of review of the risk assessment performed by the financial entity.\n\nThis column shall be used to report all types of audits performed by any of the subjects referred to in points (a), (b) and (c) concerning fully or partially the ICT services provided by the ICT third-party service provider.\n\nTo report the date, the ISO 8601 (yyyy–mm–dd) code shall be used.\n\nWhere no audit has been performed, it shall be filled in with ‘9999-12-31’.\n\nMandatory\n\nB_07.01.0080\n\nExistence of an exit plan\n\n[Yes/No]\n\nUse this column to report the existence of an exit plan from the ICT third-party service provider in relation to the specific ICT service provided.\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nYes;\n\n2.\n\nNo.\n\nMandatory\n\nB_07.01.0090\n\nPossibility of reintegration of the contracted ICT service\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nEasy;\n\n2.\n\nDifficult;\n\n3.\n\nHighly complex.\n\nUse this column where the ICT service is provided by an ICT third-party service provider that is not an ICT intra-group service provider\n\nMandatory\n\nB_07.01.0100\n\nImpact of discontinuing the ICT services\n\nClosed set of options\n\nUse this column to provide the impact for the financial entity of discontinuing the ICT services provided by the ICT third-party service provider according to the financial entity’s assessment.\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nLow\n\n2.\n\nMedium;\n\n3.\n\nHigh;\n\n4.\n\nAssessment not performed.\n\nMandatory\n\nB_07.01.0110\n\nAre there alternative ICT third-party service providers identified?\n\nClosed set of options\n\nOne of the options in the following closed list shall be used:\n\n1.\n\nYes;\n\n2.\n\nNo;\n\n7.\n\nAssessment not performed.\n\nFor each ICT third-party service provider supporting a critical or important function, the assessment to identify an alternative service provider shall be performed.\n\nMandatory\n\nB_07.01.0120\n\nIdentification of alternative ICT TPP\n\nAlphanumerical\n\nIf ‘Yes’ is reported in B_07.01.0110, additional information may be provided in this column\n\nOptional\n\nInstructions to complete template B_99.01 — Terminology used by financial entities using the ICT services\n\nFinancial entities shall provide entity-internal explanations, meanings, and definitions of the closed set of indicators and options used by them in the register of information.\n\nB_99.01.C0010\n\nB_99.01.C0020\n\nB_99.01.C0030\n\nB_99.01.C0040\n\nColumn Code\n\nColumn Name\n\nOption\n\nDescription/Internal definition of the option\n\nB_99.01.R0010\n\nB_02.01.0020\n\nType of contractual arrangement\n\n1.\n\nStandalone arrangement\n\nB_99.01.R0020\n\n2.\n\nOverarching arrangement\n\nB_99.01.R0030\n\n3.\n\nSubsequent or associated arrangement\n\nB_99.01.R0040\n\nB_02.02.0170\n\nSensitiveness of the data stored by the ICT third-party service provider\n\n1.\n\nLow\n\nB_99.01.R0050\n\n2.\n\nMedium\n\nB_99.01.R0060\n\n3.\n\nHigh\n\nB_99.01.R0070\n\nB_06.01.0110\n\nImpact of discontinuing the function\n\n1.\n\nLow\n\nB_99.01.R0080\n\n2.\n\nMedium\n\nB_99.01.R0090\n\n3.\n\nHigh\n\nB_99.01.R0100\n\nB_07.01.0050\n\nSubstitutability of the ICT third-party service provider\n\n1.\n\nNot substitutable\n\nB_99.01.R0110\n\n2.\n\nHighly complex substitutability\n\nB_99.01.R0120\n\n3.\n\nMedium complexity in terms of substitutability\n\nB_99.01.R0130\n\n4.\n\nEasily substitutable\n\nB_99.01.R0140\n\nB_07.01.0090\n\nPossibility of reintegration of the contracted ICT service\n\n1.\n\nEasy\n\nB_99.01.R0150\n\n2.\n\nDifficult\n\nB_99.01.R0160\n\n3.\n\nHighly complex\n\nB_99.01.R0170\n\nB_07.01.0100\n\nImpact of discontinuing the ICT services\n\n1.\n\nLow\n\nB_99.01.R0180\n\n2.\n\nMedium\n\nB_99.01.R0190\n\n3.\n\nHigh\n\n(1)  Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj).\n\n(2)  Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7, ELI: http://data.europa.eu/eli/dir/2009/110/oj).\n\n(3)  Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj).\n\nANNEX II\n\nList of activities by type of entity\n\nType of entity\n\nList of activities and services\n\n(a)\n\ncredit institutions\n\nActivities listed in Annex I to Directive 2013/36/EU and activities listed in Section A and B of Annex I to Directive 2014/65/EU\n\n(b)\n\npayment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366\n\nActivities listed in Annex I to Directive (EU) 2015/2366\n\n(c)\n\naccount information service providers\n\nAccount information services as referred to in point (8) of Annex I to Directive (EU) 2015/2366\n\n(d)\n\nelectronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC\n\nIssuing electronic money in accordance with Directive 2009/110/EC and the activities listed in Annex I to Directive (EU) 2015/2366\n\n(e)\n\ninvestment firms\n\nInvestment services and activities listed in Section A and B of Annex I to Directive 2014/65/EU\n\n(f)\n\ncrypto-asset service providers authorised under Regulation (EU) 2023/1114\n\nServices and activities listed in Article 3, point (16), of Regulation (EU) 2023/1114\n\n(g)\n\nissuers of asset-referenced tokens authorised under Regulation (EU) 2023/1114\n\nActivities referred to in Article 16(1) of Regulation (EU) 2023/1114\n\n(h)\n\ncentral securities depositories\n\nActivities listed in Annex to Regulation (EU) No 909/2014 of the European Parliament and of the Council (1)\n\n(i)\n\ncentral counterparties\n\nActivity of central counterparties as defined in Article 2, point (1), of Regulation (EU) No 648/2012\n\n(j)\n\ntrading venues\n\nActivity of trading venues as defined in Article 4(21-24), of Directive 2014/65/EU\n\n(k)\n\ntrade repositories\n\nActivities of trade repositories as defined in Article 2, point (2), of Regulation (EU) No 648/2012 and in Article 3, point (1), of Regulation (EU) No 2015/2365 of the European Parliament and of the Council (2)\n\n(l)\n\nmanagers of alternative investment funds\n\nActivities listed in Article 6(4) and in Annex I to Directive 2011/61/EU of the European Parliament and of the Council (3)\n\n(m)\n\nmanagement companies\n\nActivities listed in Article 6(3) and in Annex II to Directive 2009/65/EC of the European Parliament and of the Council (4)\n\n(n)\n\ndata reporting service providers\n\nServices referred to in Article 2(1), points (34), (35) and (36), of Regulation (EU) No 600/2014 of the European Parliament and of the Council (5)\n\n(o)\n\ninsurance and reinsurance undertakings\n\nActivities authorised for (i) the classes of non-life insurance as referred to in Section B of Annex I to Directive 2009/138/EC of the European Parliament and of the Council (6): (ii) classes of life insurance as referred to in Annex II to that Directive: (iii) non-life reinsurance activities and (iv) life reinsurance activities as referred to in article 15(5) of that Directive.\n\n(p)\n\ninsurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries\n\nActivities of insurance and reinsurance distribution as defined in Article 2(1), points (1) and (2), of Directive (EU) 2016/97 of the European Parliament and of the Council (7)\n\n(q)\n\ninstitutions for occupational retirement provision\n\nActivities of institutions for occupational retirement provision as referred to in Article 7 of Directive (EU) 2016/2341 of the European Parliament and of the Council (8)\n\n(r)\n\ncredit rating agencies\n\nActivities of credit rating agencies as referred to in Article 3(1), points (a) and (b), of Regulation (EC) No 1060/2009 of the European Parliament and of the Council (9)\n\n(s)\n\nadministrators of critical benchmarks\n\nProvision of benchmarks by administrators as defined in Article 3(1)(5) and 3(1)(6) of Regulation (EU) 2016/1011 of the European Parliament and of the Council, referring to critical benchmarks defined in Article 3(1), point (25), of that Regulation.\n\n(t)\n\ncrowdfunding service providers\n\nProvision of crowdfunding services in accordance with Article 3 of Regulation (EU) 2020/1503 of the European Parliament and of the Council (10)\n\n(u)\n\nsecuritisation repositories\n\nActivity of securitisation repositories as defined in Article 2, point (23), of Regulation (EU) 2017/2402 of the European Parliament and of the Council (11) and Article 1(4-5) of Commission Delegated Regulation (EU) 2020/1230 (12)\n\nNon-financial entity: ICT intra-group service provider\n\nNot applicable\n\nNon-financial entity: Other intra-group entity\n\nNot applicable\n\nNon-financial entity: ICT third-party service provider\n\nNot applicable\n\n(1)  Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1, ELI: http://data.europa.eu/eli/reg/2014/909/oj).\n\n(2)  Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012 (OJ L 337, 23.12.2015, p. 1, ELI: http://data.europa.eu/eli/reg/2015/2365/oj).\n\n(3)  Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (OJ L 174, 1.7.2011, p. 1, ELI: http://data.europa.eu/eli/dir/2011/61/oj).\n\n(4)  Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32, ELI: http://data.europa.eu/eli/dir/2009/65/oj).\n\n(5)  Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84, ELI: http://data.europa.eu/eli/reg/2014/600/oj).\n\n(6)  Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1, ELI: http://data.europa.eu/eli/dir/2009/138/oj).\n\n(7)  Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19, ELI: http://data.europa.eu/eli/dir/2016/97/oj).\n\n(8)  Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37, ELI: http://data.europa.eu/eli/dir/2016/2341/oj).\n\n(9)  Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302, 17.11.2009, p. 1, ELI: http://data.europa.eu/eli/reg/2009/1060/oj).\n\n(10)  Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937 (OJ L 347, 20.10.2020, p. 1, ELI: http://data.europa.eu/eli/reg/2020/1503/oj).\n\n(11)  Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012 (OJ L 347, 28.12.2017, p. 35, ELI: http://data.europa.eu/eli/reg/2017/2402/oj).\n\n(12)  Commission Delegated Regulation (EU) 202/1230 of 29 November 2019 supplementing Regulation (EU) 2017/2402 of the European Parliament and of the Council with regard to regulatory technical standards specifying the details of the application for registration of a securitisation repository and the details of the simplified application for an extension of registration of a trade repository (OJ L 289, 03.09.2020 p. 345) ELI: http://data.europa.eu/eli/reg/2020/1230/oj).\n\nANNEX III\n\nType of ICT services\n\nWhen referring to a type of ICT services in the templates of the register of information, only the identifier (from S01 to S19) of the relevant type of ICT services shall be reported.\n\nIdentifier\n\nType of ICT services\n\nDescription\n\nS01\n\n1.\n\nICT project management\n\nProvision of services related to Project Management Officer (PMO).\n\nS02\n\n2.\n\nICT Development\n\nProvision of services related to: business analysis, software design and development, testing.\n\nS03\n\n3.\n\nICT help desk and first level support\n\nProvision of services related to: helpdesk support and first level support on ICT incident\n\nS04\n\n4.\n\nICT security management services\n\nProvision of services related to: ICT security (protection, detection, response and recovering), including security incident handling and forensics.\n\nS05\n\n5.\n\nProvision of data\n\nSubscription to the services of data providers. (digital data service)\n\nS06\n\n6.\n\nData analysis\n\nProvision of services related to the support for data analysis. (digital data service)\n\nS07\n\n7.\n\nICT, facilities and hosting services (excluding Cloud services)\n\nProvision of ICT infrastructure, facilities and hosting services, including the provision of utilities (energy, heat management etc.), telecom access and physical security (excluding cloud services), payment-processing activities, or operating payment infrastructures\n\nS08\n\n8.\n\nComputation\n\nProvision of digital processing capabilities (including data computation), excluding the computation services performed in the context of a cloud environment.\n\nS09\n\n9.\n\nNon-Cloud Data storage\n\nProvision of data storage platform (excluding cloud services).\n\nS10\n\n10.\n\nTelecom carrier\n\nOperations for telecommunication systems and flow management. Traditional analogue telephone services are explicitly excluded pursuant to Article 3, point (21), of Regulation (EU) 2022/2554\n\nS11\n\n11.\n\nNetwork infrastructure\n\nProvision of network infrastructure\n\nS12\n\n12.\n\nHardware and physical devices\n\nProvision of workstations, phones, servers, data storage devices, appliances, etc. in a form of a service\n\nS13\n\n13.\n\nSoftware licencing (excluding SaaS)\n\nProvision of software run on premises.\n\nS14\n\n14.\n\nICT operation management (including maintenance)\n\nProvision of services related to: infrastructure (systems and hardware except network) configuration, maintenance, installing, capacity management, business continuity management, etc.\n\nIncluding Managed Service Providers (MSP)\n\nS15\n\n15.\n\nICT Consulting\n\nProvision of intellectual / ICT expertise services.\n\nS16\n\n16.\n\nICT Risk management\n\nVerification of compliance with ICT risk management requirements in accordance with Article 6(10) of Regulation (EU) 2022/2554\n\nS17\n\n17.\n\nCloud services: IaaS\n\nInfrastructure-as-a-Service\n\nS18\n\n18.\n\nCloud services: PaaS\n\nPlatform-as-a-Service\n\nS19\n\n19.\n\nCloud services: SaaS\n\nSoftware-as-a-Service\n\nANNEX IV\n\nInstruction to report the “value of total assets”\n\nType of entity\n\nInstruction to report value of total assets in column B_01.02.0110\n\n(a)\n\ncredit institutions\n\nInformation as specified in Template C40.00, Row 0410, Column 0010 of Annex X to Commission Implementing Regulation (EU) 2021/451 (1)\n\n(b)\n\npayment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366\n\nValue of the total assets in the statutory accounts\n\n(c)\n\naccount information service providers\n\nValue of the total assets in the statutory accounts\n\n(d)\n\nelectronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC\n\nValue of the total assets in the statutory accounts\n\n(e)\n\ninvestment firms\n\nInformation as specified in template Z01.00, column 0090 of Annex I to Commission Implementing Regulation (EU) 2018/1624 (2)\n\n(f)\n\ncrypto-asset service providers authorised under Regulation (EU) 2023/1114\n\nValue of the total assets in the statutory accounts\n\n(g)\n\nissuers of asset-referenced tokens authorised under Regulation (EU) 2023/1114\n\nValue of the total assets in the statutory accounts\n\n(h)\n\ncentral securities depositories\n\nValue of the total assets in the audited financial statements reported to competent authorities pursuant to Article 41, point (a), of Commission Delegated Regulation (EU) 2017/392 (3)\n\n(i)\n\ncentral counterparties\n\nInformation as reported in \"Public quantitative disclosure standards for central counterparties\" of BIS/IOSCO, field 15.2\n\n(j)\n\ntrading venues\n\nValue of the total assets in the statutory accounts\n\n(k)\n\ntrade repositories\n\nValue of the total assets in the statutory accounts\n\n(l)\n\nmanagers of alternative investment funds\n\nValue of the total assets in the statutory accounts\n\n(m)\n\nmanagement companies\n\nValue of the total assets in the statutory accounts\n\n(n)\n\ndata reporting service providers\n\nValue of the total assets in the statutory accounts\n\n(o)\n\ninsurance and reinsurance undertakings\n\nInformation as specified in Annex II and Template S02.01, Row 0500, Column 0010, of Annex III to Commission Implementing Regulation (EU) 2023/894 (4)\n\n(p)\n\ninsurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries\n\nValue of the total assets in the statutory accounts\n\n(q)\n\ninstitutions for occupational retirement provision\n\nTotal assets must equal the sum of all items separately identified on the assets side of the balance sheet and must also equal total liabilities\n\n(r)\n\ncredit rating agencies\n\nValue of the total assets in the statutory accounts\n\n(s)\n\nadministrators of critical benchmarks\n\nValue of the total assets in the statutory accounts\n\n(t)\n\ncrowdfunding service providers\n\nValue of the total assets in the statutory accounts\n\n(u)\n\nsecuritisation repositories\n\nValue of the total assets in the statutory accounts\n\nNon-financial entity: ICT intra-group service provider\n\nNot applicable\n\nNon-financial entity: Other intra-group entity\n\nNot applicable\n\nNon-financial entity: ICT third-party service provider\n\nNot applicable\n\n(1)  Commission Implementing Regulation (EU) 2021/451 of 17 December 2020 laying down implementing technical standards for the application of Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to supervisory reporting of institutions and repealing Implementing Regulation (EU) No 680/2014 (OJ L 97, 19.3.2021, p. 1, ELI: http://data.europa.eu/eli/reg_impl/2021/451/oj).\n\n(2)  Commission Implementing Regulation (EU) 2018/1624 of 23 October 2018 laying down implementing technical standards with regard to procedures and standard forms and templates for the provision of information for the purposes of resolution plans for credit institutions and investment firms pursuant to Directive 2014/59/EU of the European Parliament and of the Council, and repealing Commission Implementing Regulation (EU) 2016/1066 (OJ L 277, 7.11.2018, p. 1, ELI: http://data.europa.eu/eli/reg_impl/2018/1624/oj).\n\n(3)  Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017, p. 48, ELI: http://data.europa.eu/eli/reg_del/2017/392/oj).\n\n(4)  Commission Implementing Regulation (EU) 2023/894 of 4 April 2023 laying down implementing technical standards for the application of Directive 2009/138/EC of the European Parliament and the Council with regard to the templates for the submission by insurance and reinsurance undertakings to their supervisory authorities of information necessary for their supervision and repealing Implementing Regulation (EU) 2015/2450 (OJ L 120, 5.5.2023, p. 1, ELI: http://data.europa.eu/eli/reg_impl/2023/894/oj).\n\nELI: http://data.europa.eu/eli/reg_impl/2024/2956/oj\n\nISSN 1977-0677 (electronic edition)\n\n////////////////////////$(document).ready(function(){generateTOC(true,'', 'Top','false');scrollToCurrentUrlAnchor();});" } ], "definitions": [], "recitals": [ { "recital_number": 1, "text": "It is necessary to establish standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by information and communication technology (ICT) third-party service providers referred to in Article 28(3) of Regulation (EU) 2022/2554. Information gathered from that register is essential for the financial entities’ internal ICT risk management, for the effective supervision of the financial entities by their competent authorities, and for the establishment and conduct of oversight of the critical ICT third-party providers by the Lead Overseer. Furthermore, that information is essential for the annual process to designate critical ICT third-party service providers by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (collectively ‘European Supervisory Authorities’ (ESAs))." }, { "recital_number": 2, "text": "To ensure supervisory outcomes which are consistent with the existing supervisory frameworks, the parent undertaking of financial entities that are part of a group as defined in Regulation (EU) 2022/2554 should determine the entities to be included in the register of information at sub-consolidated and consolidated level in accordance with Union financial services legislation. To reduce administrative costs of groups, groups should have the possibility to develop a single register of information at entity, sub-consolidated and consolidated levels in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers to all the financial entities that are part of that group. In such cases, the single register of information should allow each financial entity to comply with its obligation to maintain and update the register of information at entity and sub-consolidated level, where applicable, including its reporting to its competent authority." }, { "recital_number": 3, "text": "Pursuant to Article 28(1), point (b), of Regulation (EU) 2022/2554, the financial entities’ management of ICT third-party risks is to take into account the nature, scale, complexity and importance of ICT-related dependencies, and the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers. That risk assessment should take into account the criticality or importance of the service, process or function of the financial entity and the potential impact on the continuity and availability of financial services and activities, at entity level and at group level." }, { "recital_number": 4, "text": "Certain sector-specific Union financial services legislation contains requirements on outsourcing. Those requirements have been further developed in guidelines issued by the ESAs. Under those guidelines, some financial entities are expected to record specific information on their outsourcing arrangements, in some cases also in the form of registers, as part of their outsourcing risk management. In recent years, several national competent authorities and the ECB have collected information included in such registers as part of their supervision of financial entity compliance with the outsourcing requirements. Based on the lessons learned from the different data collection exercises of outsourcing registers performed in the recent years by the ESAs and competent authorities, the standard templates should be designed in a technology-neutral manner with open tables, which have a predefined number of columns and an indefinite number of rows. In addition, the standard templates should be linked to one another by using different specific keys forming a relational structure between those templates." }, { "recital_number": 5, "text": "To receive ICT services from an ICT third-party service provider, including ICT intra-group service providers, financial entities conclude a written contract with the ICT third-party service provider. In case of groups, ICT intra-group service providers may conclude a contract with ICT third-party providers that are external to the group to provide ICT services to one or more financial entities of the group. To capture the full ICT service supply chain, financial entities maintaining the register of information should report both information on the contractual arrangement with their ICT intra-group service provider and information on the arrangement stipulated by the ICT intra-group service provider and the ICT third-party providers that are external to the group as subcontractors. Therefore, the register of information should include a specific template enabling the reconciliation between the intra-group contracts and the contracts with ICT third-party service providers that are external to the group." }, { "recital_number": 6, "text": "The provision of ICT services to financial entities may rely on potentially long or complex chains of subcontracting which should be monitored by the financial entities. Financial entities should assess the associated risks, including ICT third-party concentration risks with regard to the ICT third-party service providers supporting a critical or important function or material parts thereof, considering a risk-based approach and the principle of proportionality. To enable that assessment, financial entities should be required to record in the register of information only those subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision. When identifying those subcontractors, financial entities should consider business and ICT service continuity and ICT security aspects." }, { "recital_number": 7, "text": "A register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintaining the register." }, { "recital_number": 8, "text": "To allow transparency and comparability of contractual arrangements and the ongoing monitoring of those arrangements, the register of information should focus on the operational links between the financial entities and the ICT third-party service providers. To that end, the register of information should use four keys, which, among others, linking relevant data to each other across the templates of the register of information: (i) the reference number of the contractual arrangement between the financial entity signing that arrangement and the direct ICT third-party service provider, (ii) an appropriate identifier of financial entities and ICT third-party service providers, (iii) the function identifier, and (iv) the type of ICT services." }, { "recital_number": 9, "text": "To appropriately document the contractual arrangements between the financial entities and the ICT third-party service providers as required by Regulation (EU) 2022/2554, it is understood that ICT third-party service providers should provide for an identification number which allows for their consistent and accurate identification by the financial entities and by the ESAs, the Oversight Forum, and the competent authorities, when exercising their supervisory powers, including for the designation of critical ICT third-party service providers under Article 31 of that Regulation. Concerning legal persons, the LEI and EUID are recognised international and European identifiers ensuring the consistent, unique and robust identification of companies. Consequently, either of these two identifiers should be used for the identification of the ICT third-party service providers established in the Union for the purposes of the application of that Regulation and should be considered as information that is common to all contractual arrangements, whereas the ICT third-party service providers established in third-countries should be identified with LEI only. The templates used for the register of information about the ICT third-party service providers should require information on either of these two identifiers for ICT service providers that are legal persons, while allowing natural persons acting in the capacity of ICT service providers to use alternative identification codes." }, { "recital_number": 10, "text": "Each financial entity, including financial entities from the same group, have their own internal taxonomy of functions depending on their specific business models and internal organisations. To allow for a clear monitoring distinguishing between the functions of the financial entities and the ICT services, financial entities should themselves designate relevant functions by using the function identifier at individual level and at group level." }, { "recital_number": 11, "text": "To enable the operability of the register of information at entity, sub-consolidated and consolidated level across all the financial entities that are part of the same group, financial entities should ensure the correctness and consistency of all the data in that register. In particular, to enable such operability, it is necessary to ensure consistency in the consolidation of the identifiers, namely the contractual arrangement reference numbers, the function identifier, LEI of the financial entities and identifiers of the ICT third-party service providers." }, { "recital_number": 12, "text": "To ensure consistency and harmonisation and to avoid burdensome reprocessing of data for reporting purposes, the structure of the templates and the requirements of the data elements should consider data management and reporting perspectives. To ensure full comparability of the information reported in the register of information with the information provided in other regulatory or statistical reporting, financial entities should adhere to data quality principles, when maintaining and updating that register." }, { "recital_number": 13, "text": "This Regulation is based on the draft implementing technical standards submitted to the Commission by the ESAs." }, { "recital_number": 14, "text": "The ESAs have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs’ Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2), Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4)" }, { "recital_number": 15, "text": "The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5).\n\nHAS ADOPTED THIS REGULATION:" }, { "recital_number": 15, "text": "The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5).\n\nHAS ADOPTED THIS REGULATION:" } ], "effective_date": "2025-01-17" }