
1. Overview

Third-party (Critical) Contract Management

Summary Standard
(Critical) Service Level Management

Ensure that the contract with an ICT third-party service provider delivering critical or important services includes comprehensive service level descriptions, including updates and detailed quantitative and qualitative reporting. Evaluate the service provider's compliance with performance and quality standards by reviewing reports on its activities and services, incident reports, security and business continuity measures, and test results. Assess performance using key performance indicators, key control indicators, audits, self-certifications, and independent reviews. Obtain relevant information from the service provider on its activities and services, and ensure timely notification of and response to incidents. Conduct independent reviews and audits of compliance with legal and regulatory requirements and with internal policies. Specify notification periods for any material change that may affect the entity or the agreed service levels.

Contractual Clauses

Secure rights for continuous performance monitoring, including unrestricted rights of access, inspection, and audit. This covers alternative assurance levels, cooperation with regulator inspections, and full disclosure of audit scope, procedures, and frequency. Include a mandatory transition period upon termination, during which the service provider continues to deliver services while the entity migrates to another provider or to an in-house solution; base the length of this period on the complexity of the service. Require the service provider to implement and test business contingency plans and to establish a security management system.

When negotiating contractual arrangements, consider the use of standard contractual clauses developed by public authorities for specific services.

Require the service provider to participate in the entity's threat-led penetration testing (TLPT) programme where this is required. Where the participation of an ICT third-party service provider in TLPT could adversely affect services or the confidentiality of data of customers outside the scope of DORA, it may be agreed in writing to perform a pooled TLPT instead.

Third-party Critical Subcontracting Management

Delineate critical and important ICT services in contracts with third-party ICT service providers, and specify the conditions under which they may be subcontracted. Require continual monitoring of subcontracted services that support critical functions to ensure compliance with contractual obligations. Detail the monitoring and reporting responsibilities of the third-party service provider towards the financial entity, including risk assessments relating to subcontractor locations and data ownership. Mandate incident response and business continuity plans for subcontractors, together with adherence to the specified service levels and security standards. Retain termination rights for the financial entity in cases of unauthorised subcontracting or failure to meet the agreed service levels. Implement changes to contractual arrangements as soon as possible and document the planned implementation timeline.
