1.   An applicant seeking authorisation to operate a CT pursuant to Article 27db of Regulation (EU) No 600/2014 shall include in its application for authorisation evidence of compliance with the requirements on ICT risk management organisation and capabilities, operational resilience strategy and testing, incident management and ICT third-party risk monitoring under Regulation (EU) 2022/2554.

2.   The information set out in paragraph 1 shall include documents regarding the applicant’s arrangements, in accordance with Regulation (EU) 2022/2554, on:

(a)	ICT risk management;

(b)	ICT-related incident management;

(c)	digital operational resilience testing;

(d)	ICT third-party risk monitoring.

3.   The information set out in paragraph 1 shall take into account the size and overall risk profile, and the nature, scale and complexity of the applicant’s services, activities and operations.