1. Outsourcing policy and owner
Current outsourcing policy, management-body approval, named business owner, review cadence, vendor register, materiality or criticality assessment, and links to Article 68 governance controls.
A practical evidence checklist for CASPs documenting outsourced ICT, custody, compliance, blockchain analytics, support, and operational services under MiCA Article 73.
Informational only. Not legal, regulatory, brokerage, underwriting, or insurance advice.
Regulation (EU) 2023/1114 Article 73 addresses outsourcing by crypto-asset service providers. In practice, a review-ready evidence pack should show the outsourcing policy, which providers support critical or important functions, who owns vendor oversight, how service-level evidence is monitored, how incidents and data access are controlled, and what exit plan exists if a vendor fails or must be replaced.
This page turns Article 73 into an evidence-preparation checklist. CASPs should validate formal obligations, regulatory technical standards, DORA overlaps, and contract language with qualified advisers.
Classification of outsourced ICT, cloud, custody, KYC/KYT, compliance, blockchain analytics, market-data, support, and operational services, including which processes would stop or degrade if the provider failed.
Signed agreements, service-level evidence, reporting dashboards, breach logs, issue remediation, audit or assurance reports, access-control evidence, and named escalation paths for underperformance.
Data-processing roles, access permissions, encryption or key-management boundaries, subcontractor lists, client-fund and client-crypto-asset touchpoints, and Article 70 client assets or Article 75 custody handoffs.
Exit plan, transition owner, backup provider or internal fallback, data-return procedure, termination triggers, continuity testing, and evidence that the CASP can preserve regulated operations during vendor disruption.
Operational-risk incidents, vendor concentration, cyber and crime exposure, custody dependencies, outsourcing exclusions, and Article 67 prudential-safeguard assumptions that brokers, insurers, counsel, or risk teams may ask to review.
Article 73 is the MiCA outsourcing provision for crypto-asset service providers. It is relevant when CASPs rely on third parties for ICT, custody-support, compliance, analytics, operations, or other outsourced functions.
Outsourcing evidence helps reviewers understand vendor concentration, cyber and operational resilience, custody dependencies, incident response, data access, and whether the CASP can continue operating if a provider fails.
No. It is an informational preparation checklist based on public MiCA sources. Use official MiCA materials, ESMA materials, and qualified advisers for formal interpretations and filings.