Source: OJ L, 2024/1773, 25.6.2024
Digital operational resilience act, ICT third-party service providers: RTS on ICT third-party service provider policy
Article 8 Contractual clauses
1. The policy shall specify that the relevant contractual arrangements are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate.
2. The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity:
(a) its own internal audit or an audit by an appointed third party;
(b) where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them;
(c) where appropriate, third-party certifications;
(d) where appropriate, internal or third-party audit reports made available by the ICT third-party service provider.
3. The financial entity shall not over time rely solely on certifications referred to in paragraph 2, point (c), or audit reports referred to in point (d) of that paragraph. The policy shall only permit the use of the methods referred to in paragraph 2, points (c) and (d), where the financial entity:
(a) is satisfied with the audit plan of the ICT third-party service provider for the relevant contractual arrangements;
(b) ensures that the scope of the certifications or audit reports covers the systems and key controls identified by it and ensures compliance with relevant regulatory requirements;
(c) thoroughly assesses the content of the certifications or audit reports on an ongoing basis and verifies that the reports or certifications are not obsolete;
(d) ensures that key systems and controls are covered in future versions of the certification or audit report;
(e) is satisfied with the aptitude of the certifying or auditing party;
(f) is satisfied that the certifications are issued, and the audits are performed, against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place;
(g) has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls;
(h) has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency.
4. The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements.