The European Commission has introduced Regulation (EU) 2024/2956, which became effective on November 29, 2024. This regulation aims to improve how financial institutions manage risks related to the IT services they obtain from third parties. It was adopted under the broader Regulation (EU) 2022/2554, which focuses on digital operational resilience in the financial sector.
Main Goals
The regulation has three main objectives:
- Better IT Risk Management: Financial companies must carefully document their use of IT services from third parties.
- Improved Oversight: Supervisors will have better tools to monitor these companies and their IT service providers.
- Standardized Reporting: All companies will use the same format to report IT service agreements, ensuring clarity and consistency.
What Financial Companies Must Do
Financial institutions must:
- Keep a register of all agreements with IT service providers, including contracts with companies within their own group.
- Assess the importance of IT services they use, especially for critical business functions.
- Ensure that the information in their registers is accurate and updated regularly.
Who Must Follow This Regulation
This rule applies to:
- Banks, insurance companies, and investment firms in the EU.
- Third-party IT providers, including subcontractors, that offer services to these financial institutions.
Key Features
The regulation introduces templates to help companies organize and report their IT service agreements. These templates:
- Link important details about contracts and operations.
- Use unique identification numbers, such as Legal Entity Identifiers (LEIs), to ensure precise record-keeping.
Why This Regulation Matters
By setting clear rules, the regulation helps reduce the risk of disruptions caused by IT issues. It also supports the stability of the financial system, making it safer for customers to use digital financial services.
Effective Date: The regulation applies 20 days after its official publication, ensuring quick implementation across all EU member states.