Article 3
Due diligence and risk assessment regarding the use of subcontractors that support critical or important functions
1. A financial entity shall, before entering into a contractual arrangement with an ICT third-party service provider, decide whether that ICT third-party service provider may subcontract an ICT service that supports critical or important functions or material parts thereof. The financial entity shall only enter into such contractual arrangement where it has assessed that all of the following conditions have been complied with:
(a) the due diligence processes on the ICT third-party service provider ensure that it is able to select and assess the operational and financial abilities of potential ICT subcontractors to provide the ICT services that support critical or important functions or material parts thereof, including by participating, when required to do so by the financial entity, in digital operational resilience testing as referred to in Chapter IV of Regulation (EU) 2022/2554;
(b) the ICT third-party service provider is able to identify all subcontractors that provide ICT services that support critical or important functions or material parts thereof, to notify and inform the financial entity of those subcontractors, and is able to provide to the financial entity all information that may be necessary for the assessment of the conditions under this Article;
(c) the ICT third-party service provider ensures that the contractual arrangements with the subcontractors that provide ICT services that support critical or important functions or material parts thereof enable the financial entity to comply with its own obligations stemming from Regulation (EU) 2022/2554 and applicable Union and national legislation;
(d) the subcontractor grants the financial entity and competent and resolution authorities the same contractual rights of access and inspection as those granted by the ICT third-party service provider;
(e) without prejudice to the financial entity’s final responsibility to comply with its legal and regulatory obligations, the ICT third-party service provider itself has sufficient ability, expertise, and adequate financial, human, and technical resources to monitor the ICT risks at the level of subcontractors, including by applying appropriate information security standards and by having in place an appropriate organisational structure, risk management and internal controls, and incidents reporting and responses;
(f) the financial entity has sufficient abilities, expertise, and adequate financial, human and technical resources to monitor the ICT risks relating to the service supporting critical or important functions or material parts thereof that has been subcontracted, including by applying appropriate information security standards and by having in place an appropriate organisational structure and risk management, incident response, business continuity management and internal controls;
(g) the financial entity has assessed the impact on the financial entity’s digital operational resilience and financial soundness of a possible failure of a subcontractor that provides ICT services that support critical or important functions or a material part thereof;
(h) the financial entity has assessed the risks associated with the location of the potential subcontractors in relation to the ICT services that support critical or important functions or a material part thereof provided by the ICT third-party service provider;
(i) the financial entity has assessed the ICT concentration risks at entity level in accordance with Article 29 of Regulation (EU) 2022/2554;
(j) the financial entity has assessed whether there are any obstacles to the exercise of audit, inspection and access rights by the competent authorities, resolution authorities, or the financial entity, including persons appointed by them.
2. Financial entities that use ICT third-party service providers that subcontract ICT services that support critical or important functions or material parts thereof shall periodically carry out the risk assessment referred to in paragraph 1, points (f) to (j), against possible changes in their business environment, including against changes in the supported business functions, in risk assessments including ICT threats, ICT concentration risks, and geopolitical risks.
3. Reliance on the results of the risk assessment carried out by their ICT third-party service providers on their subcontractors in complying with the obligations set out in this Article shall not limit the final responsibility of financial entities to comply with their legal and regulatory obligations under Regulation (EU) 2022/2554.