Skip to Content

Terms and Conditions

1. Definitions2. Contractual Framework and Order of Precedence3. Legal and Regulatory Context4. Scope of vCISO Services5. Nature of the vCISO Role6. Express Exclusions7. Client Responsibilities8. Professional Standard and Obligation of Means9. Access to Client Systems and Security Rules10. Deliverables, Review and Acceptance11. GDPR and Data Protection12. NIS2 and Italian Legislative Decree No. 138/202413. Cyber Resilience Act Support14. DORA and Financial-Sector Resilience15. Security Incidents and Emergency Support16. Third-Party Services, Tools and Suppliers17. Use of Artificial Intelligence and Automation18. Confidentiality19. Intellectual Property20. Information Security Measures21. Fees, Invoicing and Payment22. Change Requests and Out-of-Scope Work23. Term, Renewal, Suspension and Termination24. Lawful Use and Ethical Restrictions25. Sanctions, Export Control and Public-Sector Requirements26. Publicity and References27. Non-Solicitation28. Warranties and Disclaimers29. Liability30. Indemnity31. Subcontracting32. Records and Audit Support33. Force Majeure34. Notices35. Assignment36. Severability37. Entire Agreement38. Governing Law and Jurisdiction

Blue Networks S.r.l. a socio unico

Last updated: [10/03/2026]

These Terms and Conditions for vCISO Services (“Terms”) govern the provision of Virtual Chief Information Security Officer services and related cybersecurity governance, risk, compliance, resilience and advisory services (“vCISO Services”) provided by Blue Networks S.r.l. a socio unico, VAT No. 03486300837, with offices in 98051 Barcellona Pozzo di Gotto, ME, Italy (“Blue Networks”, “Provider”, “we”, “us” or “our”) to the professional, business, corporate, institutional, regulated or public-sector client purchasing, receiving or using such services (“Client”, “you” or “your”).

These Terms apply exclusively to business-to-business and professional relationships. They are not intended for consumers. By accepting a quotation, proposal, statement of work, order form, purchase order, engagement letter, online order, written confirmation, electronic acceptance, or by allowing Blue Networks to begin performance of the vCISO Services, the Client accepts these Terms in full.

Where a separate master services agreement, statement of work, data processing agreement, security schedule, order form or other written document has been signed by the parties, such document shall prevail over these Terms only to the extent of any express inconsistency.

1. Definitions

For the purposes of these Terms:

“Applicable Law” means all laws, regulations, directives, decrees, binding authority decisions, supervisory guidance, court orders and mandatory rules applicable to the Client, Blue Networks or the relevant services, including, where applicable, Italian law, EU law and sector-specific cybersecurity, privacy, financial, public-sector or product-compliance rules.

“Client Data” means all data, documents, files, records, logs, system information, policies, business information, personal data, security information, credentials, configurations, risk registers, audit evidence, contractual information, vulnerability information and other materials provided or made available by the Client to Blue Networks.

“Confidential Information” means any non-public information disclosed by one party to the other, whether orally, visually, electronically or in writing, including technical, commercial, financial, contractual, operational, legal, security, architectural, strategic, vulnerability-related, personal, product-related or organisational information.

“Deliverables” means reports, assessments, policies, procedures, risk analyses, action plans, roadmaps, presentations, registers, matrices, templates, recommendations, minutes, training materials or other written outputs specifically prepared by Blue Networks for the Client under the applicable engagement.

“Order” means any quotation, proposal, purchase order, statement of work, order form, engagement letter, online order or other document accepted by the Client and Blue Networks that describes the vCISO Services.

“Scope” means the services, systems, entities, business units, assets, regulatory frameworks, deliverables, timing, assumptions and exclusions described in the applicable Order.

“Security Incident” means any actual or suspected event affecting the confidentiality, integrity, availability, authenticity or resilience of networks, information systems, data, products, services or business processes.

“vCISO Services” means the external cybersecurity leadership, advisory, governance, risk, compliance and coordination services provided by Blue Networks under these Terms.

“CRA” means Regulation (EU) 2024/2847, known as the Cyber Resilience Act, on horizontal cybersecurity requirements for products with digital elements.

“Product with Digital Elements” has the meaning given to it under the CRA and generally refers to hardware or software products made available on the EU market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

2. Contractual Framework and Order of Precedence

2.1. The contractual relationship between the parties may consist of the following documents:

a. a master services agreement, if any;

b. the applicable Order or statement of work;

c. a data processing agreement, where required under Article 28 GDPR;

d. any security, confidentiality, technical or regulatory annex;

e. these Terms.

2.2. In case of conflict, the following order of precedence shall apply:

a. mandatory Applicable Law;

b. a signed master services agreement;

c. a signed data processing agreement, but only for personal data processing matters;

d. the applicable Order or statement of work;

e. these Terms;

f. any Client purchase order terms or procurement terms, which shall apply only if expressly accepted in writing by Blue Networks.

2.3. Any standard terms attached to or referenced in a Client purchase order, vendor portal, procurement platform or payment system are expressly rejected unless specifically signed by Blue Networks.

3. Legal and Regulatory Context

3.1. The vCISO Services may support the Client’s cybersecurity governance, risk management and compliance activities in relation to, where applicable, the GDPR, the Italian Privacy Code, NIS2, Italian Legislative Decree No. 138/2024, DORA, the Cyber Resilience Act, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO 22301, NIST Cybersecurity Framework, CIS Controls, ENISA guidance, ACN guidance and other relevant frameworks.

3.2. Any reference to laws, regulations, standards or frameworks is for advisory and scoping purposes only. Unless expressly agreed in writing, Blue Networks does not provide reserved legal services, does not act as legal counsel, does not represent the Client before courts or authorities, and does not issue legally binding opinions.

3.3. Blue Networks may provide operational, technical and organisational recommendations. The Client remains responsible for obtaining legal advice where legal interpretation, regulatory filings, formal notices, administrative defence, contractual negotiation or authority correspondence is required.

3.4. The vCISO Services do not guarantee certification, regulatory compliance, absence of sanctions, absence of incidents, successful audit outcomes, market approval, CE marking, conformity under the CRA, ISO certification, DORA compliance, NIS2 compliance or GDPR compliance.

4. Scope of vCISO Services

4.1. Subject to the applicable Order, the vCISO Services may include:

a. cybersecurity governance support;

b. cyber risk assessment and risk treatment planning;

c. information security policy drafting and review;

d. security programme design and maturity assessment;

e. executive and board-level cybersecurity reporting;

f. security roadmap and prioritisation support;

g. supplier and third-party risk management support;

h. incident response planning and tabletop exercises;

i. security awareness and training support;

j. ISO/IEC 27001 readiness and maintenance support;

k. GDPR security-measure advisory support;

l. NIS2 readiness, gap analysis and governance support;

m. DORA readiness and ICT third-party risk support, where relevant;

n. Cyber Resilience Act readiness and product-security governance support, where relevant;

o. secure development lifecycle governance;

p. vulnerability management process advisory;

q. business continuity and disaster recovery governance support;

r. support during internal audits, customer audits or certification-readiness activities;

s. preparation or review of cybersecurity documentation, registers, risk matrices and control evidence.

4.2. The specific services, deliverables, assumptions, timelines and exclusions are limited to the applicable Order. Any activity not expressly included in the Order is excluded.

4.3. Blue Networks may perform the services remotely, on-site or in hybrid mode, depending on the Order and operational needs.

4.4. Unless expressly agreed, the vCISO Services are provided during Blue Networks’ standard business hours and do not include 24/7 monitoring, on-call emergency support or guaranteed response times.

5. Nature of the vCISO Role

5.1. Blue Networks acts as an external advisor and professional services provider. Unless expressly agreed in writing, Blue Networks does not act as:

a. the Client’s statutory CISO;

b. director, officer, executive, manager or employee of the Client;

c. Data Protection Officer under Articles 37–39 GDPR;

d. system administrator;

e. IT manager;

f. legal representative;

g. compliance officer;

h. internal audit function;

i. notified body;

j. conformity assessment body;

k. manufacturer, importer, distributor or authorised representative under the Cyber Resilience Act;

l. ICT risk control function under DORA;

m. NIS2 accountable management body;

n. public authority liaison, unless expressly appointed for limited support.

5.2. Blue Networks does not assume decision-making powers, budget authority, hiring authority, disciplinary authority, signature authority, procurement authority, system ownership or operational control over the Client’s organisation.

5.3. All decisions regarding risk acceptance, remediation, budget, priorities, implementation, regulatory filings, incident notification, supplier selection, certification, product release, market placement and business continuity remain exclusively with the Client.

5.4. Any appointment of Blue Networks or its personnel to a specific formal role shall require a separate written agreement defining mandate, liability, authority, insurance, fees, duration and limitations.

6. Express Exclusions

Unless expressly included in a signed Order, the vCISO Services do not include:

a. SOC, MDR, XDR, SIEM or continuous security monitoring;

b. 24/7 incident response or emergency hotline;

c. penetration testing, red teaming, purple teaming or offensive security testing;

d. vulnerability scanning as a managed recurring service;

e. digital forensics, malware reverse engineering or expert witness work;

f. direct management of servers, networks, cloud environments, endpoints, firewalls, identity systems or production systems;

g. development, deployment or operation of software products;

h. legal representation or legal opinions reserved to qualified lawyers;

i. appointment as Data Protection Officer;

j. issuance of ISO certificates or audit certificates;

k. issuance of CRA declarations of conformity, CE marking, EU-type examination certificates or notified-body opinions;

l. filing of mandatory incident notifications to authorities, unless expressly authorised in writing;

m. insurance brokerage or cyber-insurance coverage;

n. guarantee that the Client will pass audits, obtain certifications or avoid sanctions;

o. guarantee that Client systems, products or processes are free from vulnerabilities;

p. activities on third-party systems without written authorisation from the lawful owner or controller.

7. Client Responsibilities

7.1. The Client shall cooperate in good faith and provide Blue Networks with timely, accurate, complete and non-misleading information.

7.2. The Client is responsible for:

a. identifying its legal, contractual and regulatory obligations;

b. identifying the systems, entities, products, services and assets within the Scope;

c. providing access to relevant documentation, personnel, systems and evidence;

d. maintaining backups, logs, business continuity arrangements and disaster recovery procedures;

e. implementing recommended measures where accepted by the Client;

f. approving risk treatment decisions and residual risk acceptance;

g. ensuring that Blue Networks has lawful authorisation to access any systems, data or documents;

h. obtaining third-party permissions where third-party environments are involved;

i. maintaining appropriate internal security controls;

j. managing user accounts, privileged access and credential rotation;

k. ensuring that personal data are processed lawfully;

l. ensuring that unnecessary, excessive or irrelevant personal data are not provided to Blue Networks;

m. making regulatory notifications and authority communications unless otherwise agreed;

n. ensuring that its staff, suppliers and affiliates cooperate with the engagement.

7.3. Delays caused by the Client, including failure to provide information, lack of access, unavailability of personnel, delayed approvals, incomplete evidence or inaccurate data, shall extend delivery timelines and shall not constitute breach by Blue Networks.

7.4. The Client shall designate a qualified internal representative with sufficient authority to coordinate the engagement, provide decisions, validate deliverables and escalate issues.

7.5. The Client remains solely responsible for deciding whether to implement, defer, reject or modify any recommendation made by Blue Networks.

8. Professional Standard and Obligation of Means

8.1. Blue Networks shall perform the vCISO Services with reasonable professional skill, care and diligence, taking into account the nature of the services, the Scope, the information available, the Client’s cooperation and the state of the art at the time of performance.

8.2. Unless expressly stated otherwise in a signed Order, the vCISO Services are obligations of means and not obligations of result.

8.3. Cybersecurity is inherently dynamic and uncertain. Blue Networks’ advice is based on the information available at the time and may become outdated due to changes in threats, systems, business processes, law, standards, vulnerabilities, technologies or Client circumstances.

8.4. Where the services involve the solution of technical problems of special difficulty, the parties acknowledge the relevance of the principles reflected in Article 2236 of the Italian Civil Code, without prejudice to mandatory law.

9. Access to Client Systems and Security Rules

9.1. Any access by Blue Networks to Client systems shall be authorised by the Client and limited to the minimum necessary for the Scope.

9.2. The Client shall ensure that access granted to Blue Networks is:

a. lawful;

b. documented;

c. role-based;

d. time-limited where appropriate;

e. protected by strong authentication;

f. logged where technically feasible;

g. revoked when no longer required.

9.3. Unless expressly agreed, Blue Networks shall not maintain permanent administrative access to Client systems.

9.4. The Client shall not provide shared credentials, plaintext passwords, uncontrolled privileged accounts or access to systems outside the agreed Scope.

9.5. Blue Networks may refuse or suspend activities that, in its reasonable opinion, could create unlawful access, disproportionate operational risk, safety risk, security risk, breach of third-party rights or violation of Applicable Law.

10. Deliverables, Review and Acceptance

10.1. Deliverables shall be prepared in the format and language agreed in the Order or, failing agreement, in Blue Networks’ standard professional format.

10.2. The Client shall review each Deliverable within ten business days of delivery and notify Blue Networks in writing of any specific, reasoned non-conformity with the agreed Scope.

10.3. If no written objection is received within that period, the Deliverable shall be deemed accepted.

10.4. A Deliverable shall not be considered non-conforming merely because the Client requests additional content, stylistic changes, additional legal analysis, expansion of Scope, different conclusions, new assumptions or updates caused by later changes.

10.5. Blue Networks may correct material errors or omissions in Deliverables within a reasonable period.

10.6. Deliverables are prepared for the Client’s internal use and for the Scope defined at the time of delivery. They shall not be treated as general legal advice, third-party certifications, product warranties or public statements unless expressly agreed.

11. GDPR and Data Protection

11.1. The parties shall comply with the GDPR, the Italian Privacy Code and other applicable data protection laws.

11.2. Where Blue Networks processes personal data on behalf of the Client and according to the Client’s documented instructions, the Client shall act as controller and Blue Networks shall act as processor. In that case, the parties shall enter into, or shall be deemed to apply, a data processing agreement compliant with Article 28 GDPR.

11.3. Where Blue Networks processes personal data for its own business purposes, including administration, invoicing, relationship management, security, compliance, legal defence or internal operations, Blue Networks shall act as an independent controller.

11.4. The Client warrants that it has a valid legal basis for providing personal data to Blue Networks and that all necessary notices, authorisations, impact assessments and internal approvals have been completed.

11.5. The Client shall avoid providing personal data that are not necessary for the services, including special-category data, criminal-offence data, employee monitoring data, health data, unnecessary identity documents, passwords or excessive logs.

11.6. Blue Networks shall implement appropriate technical and organisational measures proportionate to the nature of the services and the risks involved.

11.7. If Blue Networks becomes aware of a personal data breach affecting personal data processed on behalf of the Client, Blue Networks shall notify the Client in accordance with the applicable data processing agreement.

11.8. Unless expressly mandated in writing, Blue Networks shall not notify the Italian Data Protection Authority, data subjects, customers, regulators or other third parties on behalf of the Client.

11.9. The Client remains responsible for determining whether a personal data breach is notifiable under Articles 33 and 34 GDPR.

12. NIS2 and Italian Legislative Decree No. 138/2024

12.1. Where included in the Order, Blue Networks may support the Client with NIS2 and Italian Legislative Decree No. 138/2024 readiness, including:

a. applicability assessment;

b. essential or important entity classification support;

c. governance mapping;

d. risk management measure mapping;

e. incident management procedure drafting;

f. supplier risk management support;

g. policy and procedure review;

h. evidence preparation;

i. executive reporting;

j. remediation roadmap preparation.

12.2. The Client remains solely responsible for:

a. determining whether it falls within the scope of NIS2 or Italian implementing law;

b. completing any required registration, self-declaration or authority communication;

c. adopting required technical, organisational and governance measures;

d. ensuring management-body approval and supervision where required;

e. notifying significant incidents to ACN, CSIRT Italia or other competent authorities;

f. maintaining evidence of compliance;

g. obtaining legal advice on sector-specific obligations.

12.3. Blue Networks does not guarantee that the Client is or is not subject to NIS2, nor does it guarantee full compliance with Legislative Decree No. 138/2024.

12.4. Any NIS2-related advice is based on the information supplied by the Client and the Scope agreed by the parties.

13. Cyber Resilience Act Support

13.1. Where included in the Order, Blue Networks may support the Client with Cyber Resilience Act readiness and product-security governance, including:

a. preliminary CRA applicability assessment;

b. identification of Products with Digital Elements;

c. mapping of the Client’s potential role as manufacturer, importer, distributor, authorised representative or open-source software steward;

d. product-security governance assessment;

e. secure development lifecycle review;

f. vulnerability handling process review;

g. product cybersecurity risk assessment support;

h. software bill of materials governance support;

i. technical documentation readiness support;

j. support-period governance;

k. vulnerability disclosure process support;

l. reporting playbook preparation for actively exploited vulnerabilities or severe incidents;

m. mapping of essential cybersecurity requirements;

n. conformity-assessment pathway support;

o. supplier and component security questionnaire design;

p. market-surveillance preparedness support.

13.2. The Client acknowledges that the CRA establishes horizontal cybersecurity requirements for Products with Digital Elements made available on the EU market, including essential cybersecurity requirements, vulnerability handling obligations and obligations for economic operators. It generally applies from 11 December 2027, while Article 14 reporting obligations apply from 11 September 2026 and certain conformity-assessment-body provisions apply from 11 June 2026.

13.3. The Client remains solely responsible for determining whether any product, software, hardware, component, service, module, application, firmware, embedded system, cloud-dependent feature or digital element falls within the CRA.

13.4. Unless expressly agreed in writing, Blue Networks does not act as and does not assume the obligations of:

a. manufacturer;

b. importer;

c. distributor;

d. authorised representative;

e. open-source software steward;

f. notified body;

g. conformity assessment body;

h. market surveillance authority;

i. product owner;

j. product security incident response team.

13.5. Blue Networks does not place products on the market, make products available on the market, affix CE markings, issue EU declarations of conformity, maintain technical documentation as legal owner, conduct formal conformity assessment, certify products, warrant CRA compliance or act as a notified body.

13.6. Any CRA-related support provided by Blue Networks is advisory and is based on:

a. product information provided by the Client;

b. the Client’s declared intended purpose and foreseeable use;

c. the Client’s architecture, development, vulnerability management and release processes;

d. available documentation and evidence;

e. the Scope agreed in the Order.

13.7. The Client is solely responsible for:

a. product classification;

b. determining its role under the CRA;

c. performing and maintaining product cybersecurity risk assessments;

d. ensuring that products are designed, developed and produced in accordance with applicable essential cybersecurity requirements;

e. ensuring effective vulnerability handling during the support period;

f. preparing and maintaining technical documentation;

g. preparing and signing EU declarations of conformity, where required;

h. affixing CE markings, where required;

i. selecting and engaging notified bodies, where required;

j. managing product recalls, withdrawals or corrective actions;

k. responding to market surveillance authorities;

l. submitting mandatory notifications to ENISA, CSIRTs or other authorities;

m. ensuring supplier, component and open-source software governance.

13.8. If the Client asks Blue Networks to assist with CRA Article 14 reporting, such assistance shall require a specific written mandate or emergency written instruction. Even where Blue Networks assists, the Client remains responsible for the accuracy, completeness, timing and legal sufficiency of any notification.

13.9. Blue Networks is not responsible for vulnerabilities, insecure design, insecure code, inadequate development practices, third-party components, open-source dependencies, lack of product documentation, unsupported products, product misuse, supply-chain defects or market placement decisions made by the Client or third parties.

13.10. Any CRA roadmap, gap assessment or recommendation is not a certification, conformity statement, guarantee of marketability or legal opinion.

14. DORA and Financial-Sector Resilience

14.1. Where included in the Order and where the Client is a financial entity, ICT third-party service provider or supplier to financial entities, Blue Networks may support the Client with DORA readiness, including:

a. ICT risk management gap assessment;

b. ICT third-party risk governance;

c. policy and procedure review;

d. incident management process review;

e. digital operational resilience testing support;

f. outsourcing and supplier-security evidence support;

g. register of information support;

h. board and management reporting support.

14.2. The Client remains solely responsible for determining whether DORA applies to it and for complying with all DORA obligations, including ICT risk management, incident reporting, resilience testing, third-party risk management and regulatory communication.

14.3. Unless expressly agreed, Blue Networks does not act as a financial entity’s internal control function, regulated outsourcing provider, critical ICT third-party service provider, legal representative or regulatory reporting agent.

14.4. DORA-related support does not constitute a guarantee of compliance, supervisory acceptance, audit success or regulatory approval.

15. Security Incidents and Emergency Support

15.1. Security Incident support is included only where expressly stated in the Order or separately activated by written agreement.

15.2. Unless a specific incident response retainer or service-level agreement is in place, Blue Networks does not guarantee:

a. 24/7 availability;

b. immediate response;

c. response within a defined time;

d. forensic preservation;

e. malware analysis;

f. full containment;

g. restoration of systems;

h. crisis communications;

i. legal notification management.

15.3. In the event of a Security Incident, the Client shall:

a. notify Blue Networks promptly if assistance is requested;

b. preserve logs, evidence, affected assets and relevant timestamps;

c. avoid destroying or overwriting evidence;

d. activate internal incident response, legal, DPO, management and communications procedures;

e. maintain backups and restoration processes;

f. determine whether legal or regulatory notifications are required;

g. authorise any technical action in writing where needed.

15.4. Blue Networks may provide recommendations during an incident based on incomplete, changing and urgent information. The Client remains responsible for all operational, legal and business decisions.

15.5. Unless expressly authorised in writing, Blue Networks shall not communicate with law enforcement, regulators, data protection authorities, ACN, CSIRT Italia, ENISA, customers, data subjects, insurers, media or third parties on behalf of the Client.

16. Third-Party Services, Tools and Suppliers

16.1. Blue Networks may use third-party platforms, software, assessment tools, ticketing systems, documentation platforms, conferencing systems, cloud services, vulnerability databases, threat intelligence sources, project-management tools or other resources to perform the services.

16.2. Third-party tools may be subject to their own terms, licences, availability limits, security measures and data processing conditions.

16.3. Blue Networks is not liable for outages, vulnerabilities, breaches, errors, changes, price increases or discontinuation of third-party services outside its reasonable control.

16.4. Where a third-party tool requires a separate licence, subscription or fee, the Client shall bear such cost unless the Order states otherwise.

16.5. Any evaluation of the Client’s suppliers by Blue Networks is advisory only. The Client remains responsible for supplier selection, contracting, monitoring, audit rights, termination decisions and residual risk acceptance.

17. Use of Artificial Intelligence and Automation

17.1. Blue Networks may use automation, scripts, analysis tools, documentation tools, workflow tools or artificial intelligence-assisted tools to improve efficiency and quality, provided that such use is reasonably compatible with confidentiality, security and data protection obligations.

17.2. Blue Networks shall not intentionally submit Client Confidential Information, security-sensitive information, credentials, personal data or trade secrets into public or unmanaged AI systems where such submission would breach the agreed confidentiality or data protection obligations.

17.3. AI-assisted outputs shall be subject to reasonable human review where they materially affect a Deliverable.

17.4. The Client shall not rely solely on automated outputs for legal, regulatory, operational or product-release decisions.

18. Confidentiality

18.1. Each party shall protect the other party’s Confidential Information with at least the same degree of care it uses to protect its own similar information, and in any case with no less than reasonable care.

18.2. Confidential Information may be used only for performance of the services or enforcement of the parties’ rights.

18.3. Confidential Information may be disclosed only to employees, contractors, advisers, auditors or subcontractors who need to know it and are bound by confidentiality obligations.

18.4. Confidentiality obligations shall not apply to information that:

a. is or becomes public without breach of these Terms;

b. was lawfully known before disclosure;

c. is lawfully received from a third party without confidentiality restriction;

d. is independently developed without use of Confidential Information;

e. must be disclosed by law, court order or authority order.

18.5. Where disclosure is legally required, the receiving party shall, where legally permitted, provide prompt notice to the disclosing party and limit disclosure to what is legally required.

18.6. Confidentiality obligations shall last for five years after termination, except for trade secrets, credentials, vulnerability information, security architecture, personal data and highly sensitive security information, which shall remain protected for as long as they remain confidential or legally protected.

19. Intellectual Property

19.1. Blue Networks retains all rights, title and interest in its pre-existing and independently developed materials, methodologies, know-how, templates, frameworks, checklists, scripts, tools, models, processes, libraries, training materials, documentation structures and professional expertise.

19.2. Subject to full payment, Blue Networks grants the Client a non-exclusive, non-transferable, non-sublicensable licence to use the Deliverables internally for the Client’s own business and compliance purposes.

19.3. The Client shall not, without Blue Networks’ prior written consent:

a. resell Deliverables;

b. publish Deliverables;

c. distribute Deliverables to third parties, except advisers, auditors, regulators or insurers under confidentiality;

d. use Deliverables to provide services to third parties;

e. remove proprietary notices;

f. claim ownership of Blue Networks’ methodologies;

g. create competing template libraries or commercial products based on Blue Networks’ materials.

19.4. The Client may share Deliverables with auditors, regulators, legal counsel, insurers, customers or certification bodies where reasonably necessary, provided that confidentiality is preserved and the Deliverables are not altered in a misleading way.

19.5. Any software, scripts or code provided by Blue Networks are provided only for the specific Scope and are not warranted for production use unless expressly stated.

19.6. Feedback, suggestions or improvement requests provided by the Client may be used by Blue Networks without restriction, provided that Blue Networks does not disclose Client Confidential Information.

20. Information Security Measures

20.1. Blue Networks shall maintain reasonable technical and organisational security measures appropriate to the nature of the vCISO Services.

20.2. The Client acknowledges that no system, service or security measure can guarantee absolute security.

20.3. Blue Networks is not responsible for vulnerabilities, misconfigurations, unpatched systems, weak access controls, poor password practices, missing backups, unsupported systems, unmanaged assets or legacy infrastructure under the Client’s control.

20.4. Blue Networks may notify the Client of material security issues discovered during the engagement, but such notification does not create a duty to monitor all Client systems unless expressly agreed.

21. Fees, Invoicing and Payment

21.1. Fees shall be specified in the applicable Order.

21.2. Unless otherwise stated, all fees are exclusive of VAT, withholding taxes, duties, bank charges, travel expenses, accommodation, meals, third-party licences, tool subscriptions and other out-of-pocket expenses.

21.3. Fees may be calculated on a fixed-fee, monthly-retainer, time-and-materials, day-rate, package, milestone or subscription basis.

21.4. Unless the Order states otherwise, invoices are payable within [●] days from invoice date.

21.5. In case of late payment, Blue Networks may:

a. charge statutory default interest under Italian Legislative Decree No. 231/2002;

b. recover reasonable collection costs;

c. suspend services;

d. require advance payment;

e. withhold Deliverables;

f. terminate the engagement for non-payment.

21.6. Time packages, prepaid hours or retained days must be used within the period stated in the Order. Unless otherwise agreed, unused time caused by the Client’s delay, unavailability or non-cooperation is non-refundable.

21.7. Urgent, out-of-hours, weekend, holiday, emergency or out-of-scope work may be subject to increased rates.

21.8. Client procurement processes, purchase-order delays, vendor onboarding, internal approvals, budget approvals or portal issues do not suspend payment obligations unless accepted by Blue Networks in writing before performance begins.

22. Change Requests and Out-of-Scope Work

22.1. Any change to Scope, deliverables, assumptions, deadlines, legal frameworks, entities, systems, assets, products, suppliers, meetings or priorities must be agreed in writing.

22.2. Blue Networks may issue a revised quotation where:

a. the Client expands the Scope;

b. assumptions prove incorrect;

c. additional entities, systems or products are included;

d. urgent work is required;

e. additional regulatory analysis is requested;

f. the Client delays or changes priorities;

g. new facts materially affect the engagement.

22.3. Blue Networks is not required to perform out-of-scope work unless the parties agree on fees and timing.

23. Term, Renewal, Suspension and Termination

23.1. The term of the services shall be stated in the Order.

23.2. Unless expressly stated, services do not renew automatically.

23.3. Either party may terminate an ongoing engagement for convenience with 30 days’ written notice, unless the Order provides otherwise.

23.4. Blue Networks may suspend or terminate services immediately if:

a. payment is overdue;

b. the Client breaches confidentiality or data protection obligations;

c. the Client requests unlawful activity;

d. the Client fails to cooperate materially;

e. continued performance creates security, legal or reputational risk;

f. the Client provides false or misleading information;

g. a conflict of interest arises;

h. the Client infringes Blue Networks’ intellectual property;

i. the Client becomes insolvent or unable to pay debts.

23.5. Upon termination, the Client shall pay all fees for services performed, expenses incurred, committed third-party costs and non-cancellable scheduled work.

23.6. Termination shall not affect accrued rights, confidentiality, payment obligations, intellectual property, liability limits, indemnities, governing law or dispute resolution provisions.

24. Lawful Use and Ethical Restrictions

24.1. The Client shall use the vCISO Services and Deliverables only for lawful purposes.

24.2. The Client shall not request or use the services to:

a. gain unauthorised access to systems;

b. compromise third-party networks;

c. evade security controls unlawfully;

d. conceal breaches;

e. mislead regulators, auditors, customers or insurers;

f. infringe intellectual property rights;

g. violate privacy, employment or surveillance laws;

h. conduct offensive security activity without written authorisation.

24.3. Blue Networks may refuse any instruction that it reasonably believes is unlawful, unethical, unsafe, unauthorised or inconsistent with professional cybersecurity practice.

25. Sanctions, Export Control and Public-Sector Requirements

25.1. The Client warrants that it is not subject to sanctions prohibiting Blue Networks from providing services.

25.2. The Client shall not use the services in violation of export-control, dual-use, sanctions or cybersecurity laws.

25.3. Where the Client is a public authority, public-sector body, regulated entity or contractor subject to special procurement, security, classification, traceability or audit rules, the Client shall notify Blue Networks before the start of the engagement.

25.4. Blue Networks is not responsible for non-compliance with undisclosed public-sector, procurement, security-clearance, classified-information or regulated-outsourcing requirements.

26. Publicity and References

26.1. Blue Networks shall not publish the Client’s name, logo or case study without the Client’s prior written consent, unless the relationship is already public or disclosure is legally required.

26.2. The Client shall not use Blue Networks’ name, logo, reports or Deliverables in public statements, marketing materials, regulatory filings or customer communications in a misleading manner.

27. Non-Solicitation

27.1. During the engagement and for 12 months after its termination, the Client shall not directly or indirectly solicit, hire, engage or contract any Blue Networks employee, consultant or contractor materially involved in providing the services, without Blue Networks’ prior written consent.

27.2. In case of breach, the Client shall pay Blue Networks, without prejudice to greater damages, a contractual penalty equal to 30% of the annual gross remuneration or annualised compensation offered to the relevant person.

28. Warranties and Disclaimers

28.1. Blue Networks warrants that it will perform the vCISO Services with reasonable professional care and skill.

28.2. Except as expressly stated, all services and Deliverables are provided without any implied warranty of fitness for a particular purpose, uninterrupted protection, regulatory acceptance, audit success, market conformity, absence of vulnerabilities or freedom from cyber incidents.

28.3. Blue Networks does not warrant that:

a. all vulnerabilities will be identified;

b. all threats will be detected;

c. incidents will be prevented;

d. recommended measures will eliminate risk;

e. authorities, auditors, customers or certification bodies will accept the Client’s controls;

f. products will comply with the Cyber Resilience Act;

g. the Client will be compliant with GDPR, NIS2, DORA or any other framework;

h. the Client will avoid fines, claims or reputational harm.

29. Liability

29.1. Blue Networks shall be liable only for direct, immediate and foreseeable damages caused by its proven breach of these Terms, subject to the limitations below.

29.2. Nothing in these Terms excludes or limits liability for wilful misconduct, gross negligence or any liability that cannot be excluded or limited under mandatory law.

29.3. To the maximum extent permitted by law, Blue Networks shall not be liable for:

a. indirect, consequential, special, punitive or exemplary damages;

b. loss of profit, revenue, business, goodwill, opportunity or reputation;

c. business interruption or operational downtime;

d. loss, corruption or unavailability of data, where caused by Client systems, backups or infrastructure;

e. sanctions, fines, penalties or third-party claims caused by Client decisions, omissions or non-compliance;

f. failure to implement recommendations;

g. inaccurate, incomplete or delayed Client information;

h. pre-existing vulnerabilities or misconfigurations;

i. third-party products, suppliers, software, open-source components or services;

j. cyberattacks, zero-day vulnerabilities or threat actors not caused by Blue Networks;

k. Client personnel, affiliates, suppliers or contractors;

l. activities outside the agreed Scope.

29.4. To the maximum extent permitted by law, Blue Networks’ aggregate liability arising out of or in connection with the vCISO Services shall not exceed the fees actually paid by the Client to Blue Networks for the specific vCISO Services in the six months preceding the event giving rise to the claim.

29.5. If the engagement lasted less than six months, the liability cap shall equal the fees actually paid for the specific engagement.

29.6. The parties acknowledge that the liability limitations reflect the nature of advisory services, the fees agreed, the Client’s control over implementation and the impossibility of guaranteeing absolute cybersecurity.

30. Indemnity

30.1. The Client shall indemnify and hold harmless Blue Networks, its directors, employees, consultants, subcontractors and affiliates from claims, damages, losses, penalties, costs and expenses arising from:

a. unlawful or unauthorised use of the services;

b. Client instructions that violate Applicable Law;

c. lack of authorisation to access systems or data;

d. inaccurate, incomplete or misleading information provided by the Client;

e. Client breach of privacy, cybersecurity, employment, intellectual property or product-compliance laws;

f. Client failure to implement recommendations;

g. Client modification or misuse of Deliverables;

h. third-party claims relating to Client systems, products, suppliers or services;

i. Client’s failure to comply with GDPR, NIS2, DORA, CRA or other regulatory obligations.

31. Subcontracting

31.1. Blue Networks may use employees, consultants, partners, subcontractors or specialist providers to perform the services.

31.2. Blue Networks shall remain responsible for coordinating subcontracted services within the agreed Scope.

31.3. Where subcontractors process personal data on behalf of the Client, such processing shall be governed by the applicable data processing agreement.

32. Records and Audit Support

32.1. Blue Networks may maintain reasonable records of the services performed, including communications, deliverable versions, meeting notes, activity logs and administrative records.

32.2. Any Client audit of Blue Networks must be reasonable, proportionate, limited to the relevant services, subject to confidentiality and scheduled with reasonable prior notice.

32.3. Blue Networks may refuse audit requests that would compromise security, confidentiality, third-party rights, trade secrets, personal data or other clients’ information.

32.4. Audit assistance beyond standard information requests may be charged at Blue Networks’ then-current rates.

33. Force Majeure

33.1. Blue Networks shall not be liable for delay or failure to perform caused by events beyond its reasonable control, including natural disasters, war, terrorism, civil unrest, labour disputes, pandemics, power outages, internet failures, cloud provider outages, third-party service failures, authority orders, widespread cyberattacks or other events of similar nature.

33.2. The affected party shall use reasonable efforts to mitigate the impact of the force majeure event.

34. Notices

34.1. Operational notices may be sent by email, ticketing system, collaboration platform or other agreed communication channel.

34.2. Legal notices, including termination, formal breach notices, claims or dispute notices, must be sent by PEC, registered mail, courier or other method capable of proving receipt.

34.3. Notices to Blue Networks shall be sent to the address or contact details published by Blue Networks or stated in the Order.

35. Assignment

35.1. The Client may not assign or transfer the contract, rights, obligations or Deliverables without Blue Networks’ prior written consent.

35.2. Blue Networks may assign or transfer the contract in connection with a merger, demerger, corporate reorganisation, sale of business, transfer of assets or group restructuring, provided that the assignee assumes the relevant obligations.

36. Severability

36.1. If any provision of these Terms is held invalid, unlawful or unenforceable, the remaining provisions shall remain valid and enforceable.

36.2. The invalid provision shall be replaced, to the extent possible, by a valid provision that most closely reflects the economic and legal intent of the original provision.

37. Entire Agreement

37.1. These Terms, together with the applicable Order, any signed master agreement, data processing agreement and annexes, constitute the entire agreement between the parties regarding the vCISO Services.

37.2. Any prior discussions, proposals, presentations, marketing materials or informal communications are superseded unless expressly incorporated into a signed document.

38. Governing Law and Jurisdiction

38.1. These Terms and any dispute arising out of or in connection with them shall be governed by Italian law.

38.2. Subject to mandatory jurisdiction rules, the courts of Messina, Italy, shall have exclusive jurisdiction over any dispute relating to the validity, interpretation, performance, breach, termination or enforcement of these Terms or the vCISO Services.