Article 6
Organisational requirements regarding outsourcing
A data reporting services provider shall remain responsible for any outsourced activity and shall adopt organisational measures to ensure:
that it assesses whether the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and adequately addresses identified failures;
the identification of the risks in relation to outsourced activities and adequate periodic monitoring;
adequate control procedures with respect to outsourced activities, including effectively supervising the activities and their risks within the data reporting services provider;
adequate business continuity of outsourced activities;
For the purposes of point (d), the data reporting services provider shall obtain information on the business continuity arrangements of the third party service provider, assess its quality and, where needed, request improvements.
Where a data reporting services provider outsources any critical function, it shall provide the competent authority of its home Member State with:
the identification of the third party service provider;
the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in paragraph 4;
internal or external reports on the outsourced activities.
For the purpose of the first sub paragraph 6, a function shall be regarded as critical if a defect or failure in its performance would materially impair the continuing compliance of the data reporting services provider with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU.