Contracts: Specific Information
Enter the function assignment, operational details, legal terms, data handling, resilience assessments, provider dependency, and supply chain information for this contractual arrangement.
Fields covered on this page:
Function
The business function of the reporting company that this contractual arrangement supports.
What to enter
Select the function from the existing function list.
The function record must exist before it can be assigned here. If one contract supports multiple functions, create a separate contract record for each function.
If you're having an issue, see Function and function identifier issues.
Critical function support
Whether the ICT service delivered under this contract supports a critical or important function of the reporting company.
What to enter
Select Yes if the function assigned to this contract has been assessed as critical or important.
Select No if it has not.
NOTE:
- This field should align with the importance assessment of the function selected above.
- If the function's importance assessment is Yes, select Yes here.
- If the assessment outcome is No or Assessment not performed, select No.
If you're having an issue, see Function and function identifier issues.
Notice period for termination of contract (buyer side)
The number of calendar days the reporting company must give to terminate this contract under normal conditions.
What to enter
Enter the number of calendar days as stated in the contract.
If no notice period is specified, enter 0.
If you're having an issue, see Contract date, renewal, and termination issues.
Notice period for termination of contract (vendor side)
The number of calendar days the ICT provider must give to terminate this contract under normal conditions.
What to enter
Enter the number of calendar days as stated in the contract.
If no notice period is specified, enter 0.
If you're having an issue, see Contract date, renewal, and termination issues.
Contract start date
The date on which this contractual arrangement entered into force.
What to enter
Enter the date in YYYY-MM-DD format, as stipulated in the contract.
If you're having an issue, see Contract date, renewal, and termination issues.
Contract end date
The date on which this contractual arrangement is scheduled to end.
What to enter
Enter the end date in YYYY-MM-DD format as stated in the contract.
If the contract is indefinite with no scheduled end date, enter 9999-12-31.
If the contract foresees renewal, enter the next renewal date as stipulated in the contract.
If the contract has been terminated before the original end date, enter the actual termination date.
NOTE:
- Only active contracts belong in the register.
- If a contract has ended, remove it rather than leaving it with a past end date.
If you're having an issue, see Contract date, renewal, and termination issues.
Termination reason
The reason for the termination or ending of this contractual arrangement.
What to enter
Select the applicable reason from the closed list.
Available options:
- Termination not for cause
- Termination for cause due to provider breach
- Termination for cause due to provider capability impediments
- Termination for cause due to data security weaknesses
- Termination following a competent authority request
- Other
NOTE:
- This field applies only to contracts that have been terminated or ended. Leave it empty for active contracts.
If you're having an issue, see Contract date, renewal, and termination issues.
Service replaceability
The assessed ease or difficulty of replacing this specific ICT service if this contract were terminated.
What to enter
Select the option that reflects your entity's assessment.
Available options: easily substitutable, medium complexity, highly complex, or not substitutable.
NOTE:
- This assessment applies to the ICT service itself, not to the provider.
- A provider may be replaceable while a specific service remains difficult to migrate.
If you're having issues, see ICT service assessment issues.
Reason if the provider is not replaceable
The reason why the ICT provider cannot be replaced, where the replaceability assessment is not substitutable or highly complex.
What to enter
Select the applicable reason from the available options.
This field is required only when Service replaceability is set to Not substitutable or Highly complex.
Does the exit plan exist?
Whether a documented exit plan exists for this contractual arrangement.
What to enter
Select Yes if an exit plan has been documented internally.
Select No if no exit plan exists.
If you're having issues, see ICT service assessment issues.
Contract's country of the governing law
The country whose law governs this contractual arrangement.
What to enter
Select the ISO 3166-1 alpha-2 country code for the jurisdiction whose laws apply to this contract, as specified in the contract itself.
Does provider handle sensitive data?
Whether the ICT provider handles or can access sensitive data belonging to the reporting company under this contract.
What to enter
Select Yes if the provider processes, stores, or has access to data that the entity considers sensitive.
Select No if the provider does not handle sensitive data under this arrangement.
Sensitivity level of handled data
The level of sensitivity of the data that the ICT provider handles or stores under this contract.
What to enter
Select Low, Medium, or High based on your entity's internal assessment.
Where more than one sensitivity level applies, select the highest level.
NOTE:
- This field is required only when Does provider handle sensitive data? is Yes.
- Leave it empty otherwise.
If you're having issues, see Data storage, processing, and entry rule issues.
Data storage country
The country where the reporting company's data is stored at rest under this contractual arrangement.
What to enter
Select the ISO 3166-1 alpha-2 country code for the country where data is stored.
If data is stored in more than one country, create a separate row for each country.
NOTE:
- If this ICT service does not involve data storage, select Not Applicable.
- This field cannot be left empty.
If you're having issues, see Data storage, processing, and entry rule issues.
Data processing country
The country where the reporting company's data is processed under this contractual arrangement.
What to enter
Select the ISO 3166-1 alpha-2 country code for the country where data processing takes place.
If processing occurs in more than one country, create a separate row for each country.
NOTE:
- If this ICT service does not involve data processing, select Not Applicable.
- This field cannot be left empty.
If you're having issues, see Data storage, processing, and entry rule issues.
Function reintegration possibility
The assessed difficulty of integrating a substitute ICT provider for the function supported by this contract, if the contract were terminated.
What to enter
Select the option that reflects your entity's assessment.
Available options: easy, difficult, or highly complex.
If you're having issues, see ICT service assessment issues.
ICT provider's last audit date
The date of the most recent audit of the ICT services provided under this contract.
What to enter
Enter the date in YYYY-MM-DD format.
This must be the date of an actual audit — conducted by the entity's internal audit function, a pooled audit with other clients, or a third party appointed by the entity.
If no audit has been performed, enter 9999-12-31.
If you're having issues, see ICT service assessment issues.
ICT service reintegration possibility
The assessed difficulty of bringing this specific ICT service back in-house if this contract were terminated.
What to enter
Select the option that reflects your entity's assessment.
Available options: easy, difficult, or highly complex.
If you're having issues, see ICT service assessment issues.
ICT service discontinuation impact
The assessed impact on the reporting company if this ICT service is discontinued or becomes unavailable.
What to enter
Select Low, Medium, or High based on your entity's own assessment.
If you're having issues, see Criticality, RTO, RPO, and special value issues.
Alternatives assessment
Whether the reporting company has assessed the availability of alternative ICT providers for this service.
What to enter
Select Yes if an alternatives assessment has been performed.
Select No if it has not.
If you're having issues, see ICT service assessment issues.
Alternative ICT providers
The name or names of alternative ICT providers the reporting company could use instead of the current provider.
What to enter
Enter the name of the alternative provider.
If there are multiple alternatives, separate each name with a space.
Leave this field empty if no alternatives assessment has been performed or if no alternatives were identified.
Type of data stored in the cloud
A description of the type of data the reporting company stores or processes in the cloud under this arrangement.
What to enter
Enter a plain-text description of the data stored or processed in the cloud.
For example, customer data, transaction records, or operational logs.
NOTE:
- Leave this field empty if the service is not a cloud service.
Country from which the service is delivered
The country from which the ICT service is delivered to the reporting company.
What to enter
Select the ISO 3166-1 alpha-2 country code for the country where the ICT service is operationally delivered.
NOTE:
- If the service is not supporting a critical or important function, select Not Applicable.
- This field cannot be left empty.
If you're having issues, see Data storage, processing, and entry rule issues.
Level of reliance on ICT provider
The level of dependency the reporting company has on this ICT provider if its services are disrupted.
What to enter
Select the option that best describes the impact of disruption.
Available options:
- Low reliance (function not significantly impacted, disruption resolved quickly)
- Material reliance (function significantly impacted, disruption lasting more than a few minutes or hours and potentially causing damages)
- Full reliance (function severely interrupted with damages incurred)
Level of this provider in ICT supply chain
The position of this provider within the ICT service supply chain for this contractual arrangement.
What to enter
Select rank 1 for the direct ICT third-party service provider — the provider your entity has a direct contractual relationship with.
Select rank 2 or higher for subcontractors. Rank 2 is a provider that the direct provider relies on; rank 3 is a provider that the rank 2 provider relies on, and so on.
NOTE:
- Where multiple providers sit at the same level in the chain, assign the same rank number to each and report them in separate rows.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.
Subcontracted ICT service recipient's ID type
The type of identification code used for the provider that receives the subcontracted ICT services from the provider in this row.
What to enter
Select the identifier type — LEI, EUID, or applicable alternative — that matches the identifier used for the recipient provider in their own provider record.
This field applies only to subcontractors at rank 2 and above. Leave it empty for the direct provider at rank 1.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.
Subcontracted ICT service recipient's ID code
The identification code of the provider that receives the subcontracted ICT services from the provider in this row.
What to enter
Enter the identifier code of the provider directly above this one in the supply chain.
This field applies only to subcontractors at rank 2 and above. Leave it empty for the direct provider at rank 1.
NOTE:
- This field is a key value in the register for subcontractors.
- It cannot be left empty for any provider at rank 2 or above.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.
Subcontractor's rank in chain
The rank number assigned to this provider within the ICT service supply chain for this contract.
What to enter
Enter the natural number that reflects this provider's position in the chain.
The direct provider is always 1.
Each subcontractor level increments by 1.
Where two providers share the same position, enter the same rank number for both and report them in separate rows.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.
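The rank and recipient-ID rules above can be checked mechanically before the register is submitted. The following Python check is an added example, not part of the product or its export format; the column names and sample rows are constructed for illustration, and it assumes each provider holds one rank per contract.

```python
from collections import defaultdict

# Constructed sample rows. Column names are assumptions, not the product's schema.
# Assumes a provider holds one rank per contract.
ROWS = [
    {"contract": "CA-001", "provider": "AAA", "id_type": "LEI", "rank": 1, "rcpt_type": "", "rcpt": ""},
    {"contract": "CA-001", "provider": "BBB", "id_type": "LEI", "rank": 2, "rcpt_type": "LEI", "rcpt": "AAA"},
    {"contract": "CA-001", "provider": "CCC", "id_type": "EUID", "rank": 2, "rcpt_type": "LEI", "rcpt": "AAA"},
    {"contract": "CA-001", "provider": "DDD", "id_type": "LEI", "rank": 3, "rcpt_type": "LEI", "rcpt": "CCC"},
    {"contract": "CA-001", "provider": "EEE", "id_type": "LEI", "rank": 3, "rcpt_type": "", "rcpt": ""},
    {"contract": "CA-002", "provider": "FFF", "id_type": "LEI", "rank": 1, "rcpt_type": "", "rcpt": ""},
    {"contract": "CA-002", "provider": "GGG", "id_type": "LEI", "rank": 3, "rcpt_type": "LEI", "rcpt": "FFF"},
]

def check_supply_chain(rows):
    """Return sorted (contract, provider, problem) tuples for rows that break the rules."""
    chains = defaultdict(list)
    for row in rows:
        chains[row["contract"]].append(row)
    problems = []
    for contract, chain in chains.items():
        # provider -> (rank, ID type) as recorded in that provider's own row
        known = {r["provider"]: (r["rank"], r["id_type"]) for r in chain}
        for r in chain:
            def flag(msg, who=r["provider"]):
                problems.append((contract, who, msg))
            rank = r["rank"]
            if not isinstance(rank, int) or rank < 1:
                flag("rank must be a natural number")
            elif rank == 1:
                if r["rcpt"] or r["rcpt_type"]:
                    flag("rank 1 must leave recipient fields empty")
            elif not r["rcpt"]:
                flag("recipient ID code is empty at rank 2 or above")
            elif r["rcpt"] not in known:
                flag("recipient is not a provider in this contract")
            else:
                up_rank, up_type = known[r["rcpt"]]
                if up_rank != rank - 1:
                    flag("recipient is not directly above this provider")
                if r["rcpt_type"] != up_type:
                    flag("recipient ID type differs from recipient's own record")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_supply_chain(ROWS):
        print(*problem, sep=" | ")
```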
Subcontractor's function type
A description of the function or role this subcontractor performs within the ICT service arrangement.
What to enter
Enter a plain-text description of what this subcontractor does within the supply chain.
For example, cloud infrastructure hosting, data processing, or network management.
Subcontractor HQ country
The country where this subcontractor's headquarters are located.
What to enter
Select the ISO 3166-1 alpha-2 country code for the country where this subcontractor's global operating headquarters are located.
Subcontractor service countries
The countries from which this subcontractor performs and delivers its part of the ICT service.
What to enter
Select the ISO 3166-1 alpha-2 country code for each country from which this subcontractor delivers the service.
If the service is delivered from multiple countries, create a separate row for each country.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.
Subcontractor data storage countries
The countries where this subcontractor stores or processes data related to the ICT service.
What to enter
Select the ISO 3166-1 alpha-2 country code for each country where this subcontractor stores data.
If data is stored in multiple countries, create a separate row for each country.
If you're having issues, see Supply chain, subcontractor, provider, and ultimate parent issues.