Article 7
Information on digital operational resilience
1. An applicant seeking authorisation to operate an APA or an ARM pursuant to Article 27d of Regulation (EU) No 600/2014 shall include in its application for authorisation evidence of compliance with the requirements on ICT risk management organisation and capabilities, operational resilience strategy and testing, incident management and ICT third-party risk management under Regulation (EU) 2022/2554.
2. The information set out in paragraph 1 shall include documents regarding the applicant’s arrangements, in accordance with Regulation (EU) 2022/2554, on:
(a) ICT risk-management;
(b) ICT-related incident management;
(c) digital operational resilience testing;
(d) ICT third-party risk monitoring.
3. The information set out in paragraph 1 shall take into account the size and overall risk profile, and the nature, scale and complexity of the applicant’s services, activities and operations.