Art 28 - Key principles for managing ICT third-party risk

Article 28 establishes the fundamental principles that financial entities must follow when managing ICT third-party risk, requiring them to identify, assess, monitor and mitigate risks throughout the lifecycle of a service. It mandates that contracts contain clear security, incident-reporting and exit-strategy provisions, that oversight be proportionate to the risk level, and that entities maintain effective governance and documentation of these arrangements.