When describing in the written contractual arrangements the ICT services to be provided by an ICT third-party service provider in accordance with Article 30(2) (a) of Regulation (EU) 2022/2554, financial entities shall identify which ICT services support critical or important functions and which of those are eligible for subcontracting and under which conditions. In particular, and without prejudice to the final responsibility of the financial entity, for each ICT service eligible for subcontracting the written contractual agreement shall specify:
a) that the ICT third-party service provider is required to monitor all subcontracted ICT services supporting a critical or important function to ensure that its contractual obligations with the financial entity are continuously met;
b) the monitoring and reporting obligations of the ICT third-party service provider towards the financial entity;
c) that the ICT third-party service provider shall assess all risks, including ICT risks, associat
…