In order to identify the risks that could arise before entering into an arrangement with an ICT subcontractor, the ICT third-party service providers should follow an appropriate and proportionate process to select and assess the suitability of potential subcontractors in line with the ICT contractual arrangements concluded with the financial entity. The ICT contractual arrangements should therefore foresee that the ICT third-party service provider, or where appropriate, the financial entity directly, assesses its resources including expertise and adequate financial, human and technical resources, information security, its organisational structure, including the risk management and internal controls that the subcontractor should have in place.