1A critical third party must be able to demonstrate to the regulators its ability to comply with CTPS.

1As part of its obligation under CTPS 5.1.1R (General evidence requirement), a critical third party must carry out regular scenario testing of its ability to continue providing each systemic third party service within its appropriate maximum tolerable level of disruption (set in accordance with CTPS 4.8.1R(2) (Requirement 7: Incident management)) in the event of a severe but plausible disruption to its operations.

1When carrying out the scenario testing required by CTPS 5.2.1R, a critical third party must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business, risk profile and supply chain and consider the risks to the delivery of the systemic third party service in those circumstances.

1As part of its obligation under CTPS 5.1.1R (General evidence requirement), a critical third party must assess the effectiveness of its incident management playbook regularly, including undertaking an appropriate incident management playbook exercise with a representative sample of the firms to which it provides systemic third party services within 12 months of the critical third party being designated by the Treasury and at least biennially thereafter.

1A critical third party must, as soon as is practicable, prepare and submit to the regulators a report of the incident management playbook exercise undertaken under CTPS 5.3.1R (including any actions taken in the light of the results of that exercise).