My organisation is not in the list of the organisations that have to comply with Part-IS but it does provide services to such organisations. Does my organisation have to comply with Part-IS?
Answer
Part-IS applies to organisations holding an approval according to any of the domain-specific regulations.
If an organisation provides services under an approval, that organisation has to comply with Part-IS requirements.
If an organisation does not hold an approval, it does not need to comply with Part-IS. However, if that organisation provides services to approved organisations, the organisation should be considered part of the functional chain to be risk-assessed as required by point IS.I.OR.205. Please refer to GM.IS.OR.205(a) for more information. Non-approved organisations must fulfil specific contractual requirements agreed with the (approved) organisation that has to comply with Part-IS. Please refer to GM1 IS.OR.205(b) for more information.