With reference to EIOPA's Guidelines on outsourcing to cloud services providers, and in particular Guideline 1.16 thereof (which provides that "In cases where the undertaking outsources operational functions or activities to service providers which are not cloud service providers but rely significantly on cloud infrastructures to deliver their services (for example, where the cloud service provider is part of a sub-outsourcing chain), the arrangement for such outsourcing falls within the scope of these Guidelines.", we kindly ask EIOPA to advise on whether: 1. the provision cited above requires a three party agreement to be concluded directly between (a) the insurance undertaking; (b) the primary provider and (c) the sub-contractor/cloud services provider? or 2. it is sufficient for the contract between the insurance undertaking and the primary provider to include the provider's obligation to cascade the requirements related to the provision of cloud services (as provided in the Guidelines) down to the cloud services provider? or 3. is there any other structure that complies with the Guidelines (e.g. the cloud provider submitting some form of acknowledgement/ confirmation that it will abide with the requirements under the main contract between the insurance undertaking and the provider insofar as it relates to the provision of the cloud services; or the cloud provider submitting proof of relevant certifications (e.g. ISO 27001, ISO 27017 or ISO 27018) to demonstrate sound practices).