<Date>{07/12/2021}7.12.2021</Date>
<NoDocSe>A9-0341/2021</NoDocSe>

<TitreType>REPORT</TitreType>     <RefProcLect>***I</RefProcLect>

<Titre>on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014</Titre>

<DocRef>(COM(2020)0595 – C9‑0304/2020 – 2020/0266(COD))</DocRef>


<Commission>{ECON}Committee on Economic and Monetary Affairs</Commission>

Rapporteur: <Depute>Billy Kelleher</Depute>

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION
 PROCEDURE – COMMITTEE RESPONSIBLE
 FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

(COM(2020)0595 – C9‑0304/2020 – 2020/0266(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

– having regard to the Commission proposal to Parliament and the Council (COM(2020)0595),

– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0304/2020),

– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

– having regard to the opinion of the European Economic and Social Committee of 24 February 2021[1],

– having regard to Rule 59 of its Rules of Procedure,

– having regard to the report of the Committee on Economic and Monetary Affairs (A9-0341/2021),

1. Adopts its position at first reading hereinafter set out;

2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.


Amendment  1

AMENDMENTS BY THE EUROPEAN PARLIAMENT[*]

to the Commission proposal

---------------------------------------------------------

2020/0266(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Central Bank,[2]

Having regard to the opinion of the European Economic and Social Committee,[3]

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) In the digital age, information and communication technology (ICT) supports complex systems used for everyday societal activities. It keeps our economies running in key sectors, including finance, and enhances the functioning of the single market. Increased digitalisation and interconnectedness also amplify ICT risks, making society as a whole - and the financial system in particular - more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are nowadays core features of all activities of Union financial entities, digital resilience has yet to be sufficiently built into their operational frameworks.

(2) The use of ICT has in the last decades gained a pivotal role in finance, assuming today critical relevance in the operation of typical daily functions of all financial entities. Digitalisation covers, for instance, payments, which have increasingly moved from cash and paper-based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic trading, lending and funding operations, peer-to-peer finance, credit rating, ▌claim management and back-office operations. The insurance sector has also been transformed by the use of ICT, from the emergence of digital insurance intermediaries operating with InsurTech, to digital insurance underwriting and contract distribution. Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.

(3) The European Systemic Risk Board (ESRB) has reaffirmed in a 2020 report addressing systemic cyber risk[4] how the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, may potentially constitute a systemic vulnerability since localised cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities[5] to the entire financial system, unhindered by geographical boundaries. Serious ICT breaches occurring in finance do not merely affect financial entities taken in isolation. They also smooth the way for the propagation of localised vulnerabilities across the financial transmission channels and potentially trigger adverse consequences for the stability of the Union’s financial system, generating liquidity runs and an overall loss of confidence and trust in financial markets.

(4) In recent years, ICT risks have attracted the attention of national, European and international policy makers, regulators and standard-setting bodies in an attempt to enhance resilience, set standards and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Markets Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 groups of countries aim to provide competent authorities and market operators across different jurisdictions with tools to bolster the resilience of their financial systems. Consequently, it is necessary to consider ICT risk in the context of a highly interconnected global financial system in which the consistency of international regulation and cooperation between competent authorities globally needs to be prioritised.

(5) Despite national and European targeted policy and legislative initiatives, ICT risks continue to pose a challenge to the operational resilience, performance and stability of the Union financial system. The reform that followed the 2008 financial crisis primarily strengthened the financial resilience of the Union financial sector and aimed at safeguarding the Union’s competitiveness and stability from economic, prudential and market conduct perspectives. Though ICT security and digital resilience are part of operational risk, they have been less in the focus of the post-crisis regulatory agenda, and have only developed in some areas of the Union’s financial services policy and regulatory landscape, or only in a few Member States.

(6) The Commission’s 2018 Fintech action plan[6] highlighted the paramount importance of making the Union financial sector more resilient also from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents, ultimately enabling financial services to be effectively and smoothly delivered across the whole Union, including under situations of stress, while also preserving consumer and market trust and confidence.

(7) In April 2019, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) (jointly called “European Supervisory Authorities” or “ESAs”) jointly issued two pieces of technical advice calling for a coherent approach to ICT risk in finance and recommending to strengthen, in a proportionate way, the digital operational resilience of the financial services industry through a Union sector-specific initiative.

(8) The Union financial sector is regulated by a harmonised Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling digital operational resilience and ICT security are not fully or consistently harmonised yet, despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and no less important than for example common prudential or market conduct standards. The Single Rulebook and system of supervision should therefore be developed to also cover this component, by strengthening the mandates of financial supervisors to manage ICT risks in the financial sector, to protect the integrity and efficiency of the single market, and to facilitate its orderly functioning.

(9) Legislative disparities and uneven national regulatory or supervisory approaches on ICT risk trigger obstacles to the single market in financial services, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities with cross-border presence. Competition between the same type of financial entities operating in different Member States may equally be distorted. Notably for areas where Union harmonisation has been very limited - such as the digital operational resilience testing - or absent - such as the monitoring of ICT third-party risk - disparities stemming from envisaged developments at national level could generate further obstacles to the functioning of the single market to the detriment of market participants and financial stability.

(10) The partial way in which the ICT-risk related provisions have until now been addressed at Union level shows gaps or overlaps in important areas, such as ICT-related incident reporting and digital operational resilience testing, and creates inconsistencies due to emerging divergent national rules or cost-ineffective application of overlapping rules. This is particularly detrimental for an ICT-intensive user like finance since technology risks have no borders and the financial sector deploys its services on a wide cross-border basis within and outside the Union.

Individual financial entities operating on a cross-border basis or holding several authorisations (e.g. one financial entity can have a banking, an investment firm, and a payment institution licence, every single one issued by a different competent authority in one or several Member States) face operational challenges in addressing ICT risks and mitigating adverse impacts of ICT incidents on their own and in a coherent cost-effective way.

(10a) Establishing and maintaining adequate network and information system infrastructures is also a fundamental precondition for effective risk data aggregation and risk reporting practices, which are in turn an essential requisite for the sound and sustainable risk management and decision-making processes of credit institutions. In 2013, the Basel Committee on Banking Supervision (BCBS) published a set of principles for effective risk data aggregation and risk reporting (BCBS 239) based on two overarching principles of governance and IT infrastructure, to be implemented by the beginning of 2016. In accordance with the Report of the European Central Bank (ECB) of May 2018 on the Thematic Review on effective risk data aggregation and risk reporting and the BCBS Progress Report of April 2020, the implementation progress made by global systemically important banks was unsatisfactory and a source of concern. In order to facilitate compliance and alignment with international standards, the Commission, in close cooperation with the ECB and after consulting EBA and ESRB, should produce a report in order to assess how the BCBS 239 principles interact with the provisions of this Regulation and, if appropriate, how those principles should be incorporated into Union law.

(11) As the Single Rulebook has not been accompanied by a comprehensive ICT or operational risk framework, further harmonisation of key digital operational resilience requirements for all financial entities is required. The capabilities and overall resilience which financial entities, based on such key requirements, would develop with a view to withstanding operational outages would help preserve the stability and integrity of the Union financial markets and thus contribute to ensuring a high level of protection of investors and consumers in the Union. Since this Regulation aims at contributing to the smooth functioning of the single market, it should be based on the provisions of Article 114 TFEU as interpreted in accordance with the consistent case law of the Court of Justice of the European Union.

(12) This Regulation aims first at consolidating and upgrading the ICT risk requirements addressed so far separately in the different Regulations and Directives. While those Union legal acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they could not comprehensively tackle, at the time of their adoption, all components of operational resilience. The operational risk requirements, when further developed in these Union legal acts, often favoured a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risks) rather than enshrining targeted qualitative requirements to boost capabilities through requirements aiming at the protection, detection, containment, recovery and repair capabilities against ICT-related incidents or through setting out reporting and digital testing capabilities. Those Directives and Regulations were primarily meant to cover essential rules on prudential supervision, market integrity or conduct.

Through this exercise, which consolidates and updates rules on ICT risk, all provisions addressing digital risk in finance would for the first time be brought together in a consistent manner in a single legislative act. This initiative should thus fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third party risk monitoring. This initiative also intends to raise awareness of ICT risks and acknowledges that ICT incidents and a lack of operational resilience might jeopardise the financial soundness of financial entities.

(13) Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk according to their size, nature, complexity and risk profile. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of high reliance on ICT systems, platforms and infrastructures, which entails increased digital risk.

Respecting basic cyber hygiene should also avoid imposing heavy costs on the economy by minimising the impact and costs of ICT disruptions.

(14) The use of a regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, while also contributing to limiting compliance costs, especially for financial entities operating cross-border, and to reducing competitive distortions. The choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities appears therefore the most appropriate way to guarantee a homogeneous and coherent application of all components of ICT risk management by the Union financial sectors.

(14a) However, the implementation of this Regulation should not hamper innovation with regard to how financial entities deal with digital operational resilience issues while complying with its provisions, nor with regard to the services they offer or the services offered by ICT third-party service providers.

(15) Besides the financial services legislation, Directive (EU) 2016/1148 of the European Parliament and of the Council[7] is the current general cybersecurity framework at Union level. Among the seven critical sectors, that Directive also applies to three types of financial entities, namely credit institutions, trading venues and central counterparties. However, since Directive (EU) 2016/1148 sets out a mechanism of identification at national level of operators of essential services, only certain credit institutions, trading venues and central counterparties identified by the Member States are in practice brought into its scope and thus required to comply with the ICT security and incident notification requirements laid down in it.

(16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent than those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for financial entities, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.

It is crucial to maintain a strong relation between the financial sector and the Union horizontal cybersecurity framework to ensure consistency with the cyber security strategies already adopted by Member States, and allow financial supervisors to be made aware of cyber incidents affecting other sectors covered by Directive (EU) 2016/1148.

(17) To enable a cross-sector learning process and effectively draw on experiences of other sectors in dealing with cyber threats, financial entities referred to in Directive (EU) 2016/1148 should remain part of the ‘ecosystem’ of that Directive (e.g. NIS Cooperation Group and CSIRTs).

ESAs and national competent authorities should be able to participate in the strategic policy discussions and the technical workings of the NIS Cooperation Group, respectively, exchange information and further cooperate with the single points of contact designated under Directive (EU) 2016/1148. The Joint Oversight Body, the Lead Overseers and the competent authorities under this Regulation should also consult and cooperate with the national CSIRTs designated in accordance with Article 9 of Directive (EU) 2016/1148.

Moreover, this Regulation should ensure that the CSIRTs network established by Directive (EU) 2016/1148 is provided with the details of major ICT-related incidents.

(18) It is also important to ensure consistency with both the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats, and the Directive on Resilience of Critical Entities[8] with possible implications for the financial sector.

(19) Cloud computing service providers are one category of digital service providers covered by Directive (EU) 2016/1148. As such they are subject to ex-post supervision carried out by the national authorities designated according to that Directive, which is limited to requirements on ICT security and incident notification laid down in that act. Since the Oversight Framework established by this Regulation applies to all critical ICT third-party service providers, including cloud computing service providers, when they provide ICT services to financial entities, it should be considered complementary to the supervision that is taking place under Directive (EU) 2016/1148, and both substantive and procedural requirements applicable to critical ICT third-party service providers under this Regulation should be coherent and seamless with those applicable under that Directive. Moreover, the Oversight Framework established by this Regulation should cover cloud computing service providers in the absence of a Union horizontal sector-agnostic framework establishing a Digital Oversight Authority.

(20) To remain in full control of ICT risks, financial entities need to have in place comprehensive capabilities enabling a strong and effective ICT risk management, alongside specific mechanisms and policies for ICT-related incident reporting, testing of ICT systems, controls and processes, as well as for managing ICT third-party and ICT intra-group risk. The digital operational resilience bar for the financial system should be raised while allowing for a proportionate application of requirements taking into account their nature, scale, complexity and overall risk profile.

(21) ICT-related incident reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through relevant work undertaken by the European Union Agency for Cybersecurity (ENISA)[9] and the NIS Cooperation Group for the financial entities under Directive (EU) 2016/1148, divergent approaches on thresholds and taxonomies still exist or can emerge for the remainder of financial entities. This entails multiple requirements that financial entities must abide by, especially when operating across several Union jurisdictions and when part of a financial group. Moreover, these divergences may hinder the creation of further Union uniform or centralised mechanisms speeding up the reporting process and supporting a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risks in case of large scale attacks with potentially systemic consequences.

(21a) In order to reduce the administrative burden and avoid complexity and duplicative reporting requirements for payment service providers that fall within the scope of this Regulation, the incident reporting requirements under Directive (EU) 2015/2366 should cease to apply. As such, credit institutions, e-money institutions and payment institutions should report, under this Regulation, all operational or security payment-related and non-payment-related incidents that were previously reported under Directive (EU) 2015/2366, irrespective of whether the incidents are ICT-related or not.

(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to achieve a robust ICT-related incident reporting regime with the requirements that address the gaps in sectoral financial services legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to harmonise the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities through a single streamlined framework as set out in this Regulation. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds.

(23) Digital operational resilience testing requirements have developed in some financial subsectors within several and sometimes uncoordinated, national frameworks addressing the same issues in a different way. This leads to duplication of costs for cross-border financial entities and could hamper the mutual recognition of results. Uncoordinated testing can therefore segment the single market.

(24) In addition, where no testing is required, vulnerabilities remain undetected putting the financial entity and ultimately the financial sector’s stability and integrity at higher risk. Without Union intervention, digital operational resilience testing would continue to be patchy and there would be no mutual recognition of testing results across different jurisdictions. Also, as it is unlikely that other financial subsectors would adopt such schemes on a meaningful scale, they would miss out on the potential benefits, such as revealing vulnerabilities and risks, testing defence capabilities and business continuity, and increased trust of customers, suppliers and business partners. To remedy such overlaps, divergences and gaps, it is necessary to lay down rules aiming at coordinated testing by financial entities and competent authorities, thus facilitating the mutual recognition of advanced testing for significant financial entities.

(25) Financial entities’ reliance on ICT services is partly driven by their need to adapt to an emerging competitive digital global economy, to boost their business efficiency and to meet consumer demand. The nature and extent of such reliance has been continuously evolving in the past years, driving cost reduction in financial intermediation, enabling business expansion and scalability in the deployment of financial activities while offering a wide range of ICT tools to manage complex internal processes.

(26) This extensive use of ICT services is evidenced by complex contractual arrangements, whereby financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements they are subject to, or otherwise in enforcing specific rights, such as access or audit rights, when the latter are enshrined in the agreements. Moreover, many such contracts do not provide for sufficient safeguards allowing for a fully-fledged monitoring of subcontracting processes, thus depriving the financial entity of its ability to assess these associated risks. In addition, as ICT third-party service providers often provide standardised services to different types of clients, such contracts may not always adequately cater for the individual or specific needs of the financial industry actors.

(27) Despite some general rules on outsourcing in some of the Union’s financial services pieces of legislation, the monitoring of the contractual dimension is not fully anchored into Union legislation. In the absence of clear and bespoke Union standards applying to the contractual arrangements concluded with ICT third-party service providers, the external source of ICT risk is not comprehensively addressed. Consequently, it is necessary to set out certain key principles to guide financial entities’ management of ICT third-party risk, accompanied by a set of core contractual rights in relation to several elements in the performance and termination of contracts with a view to enshrine certain minimum safeguards underpinning financial entities’ ability to effectively monitor all risk emerging at ICT third party level.

(28) There exists a lack of homogeneity and convergence on ICT third party risk and ICT third-party dependencies. Despite some efforts to tackle the specific area of outsourcing such as the 2017 recommendations on outsourcing to cloud service providers[10], the issue of systemic risk which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers is barely addressed in Union legislation. This lack at Union level is compounded by the absence of specific mandates and tools allowing national supervisors to acquire a good understanding of ICT third-party dependencies and adequately monitor risks arising from concentration of such ICT third-party dependencies.

(29) Taking into account the potential systemic risks entailed by the increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms enabling financial supervisors to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third-party service providers, it is necessary to establish an appropriate Union oversight framework allowing for a continuous monitoring of the activities of ICT third-party service providers that provide critical services to financial entities. As intra-group provision of ICT services does not carry the same risks, ICT service providers that are part of the same group or institutional protection scheme should not be defined as critical ICT third-party service providers.

(30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, notably uncertainty over the compatibility with the data protection, anti-trust and liability rules. It is therefore important to strengthen cooperation arrangements and reporting amongst financial entities and the competent authorities as well as information-sharing with the public, with a view to developing an open intelligence sharing framework and a 'security by design' approach, which are essential in order to increase the operational resilience and preparedness of the financial sector with regard to ICT risks. Information-sharing arrangements should always give due consideration to potential risks related to cyber security, data protection or commercial confidentiality.

(31) In addition, hesitations about the type of information that can be shared with other market participants, or with non-supervisory authorities (such as ENISA, for analytical input, or Europol, for law enforcement purposes) lead to useful information being withheld. The extent and quality of information sharing remains limited, fragmented, with relevant exchanges being done mostly locally (via national initiatives) and with no consistent Union-wide information sharing arrangements tailored to the needs of an integrated financial sector. It is therefore important to strengthen those communication channels and have input from non-supervisory authorities, when necessary and relevant, throughout the supervisory cycle.

(32) Financial entities should also be encouraged to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhance their capabilities to adequately assess, monitor, defend against, and respond to, cyber threats. It is thus necessary to enable the emergence at Union level of mechanisms for voluntary information sharing arrangements which, when conducted in trusted environments, would help the financial community to prevent and collectively respond to threats by quickly limiting the spread of ICT risks and impeding potential contagion throughout the financial channels. Those mechanisms should be conducted in full compliance with the applicable competition law rules of the Union[11] as well as in a way that guarantees the full respect of Union data protection rules, mainly Regulation (EU) 2016/679 of the European Parliament and of the Council[12], in particular in the context of the processing of personal data that is necessary for the purposes of the legitimate interest pursued by the controller or by a third party, as referred to in point (f) of Article 6(1) of that Regulation.

(33) Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules, including the risk management framework requirements, should take into consideration significant differences between financial entities in terms of size, nature, complexity and risk profile. As a general principle, when directing resources and capabilities to the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their size, nature, complexity, business profile and relative risk profile, while competent authorities should continue to assess and review the approach of such distribution.

(34) As larger financial entities may enjoy wider resources and could swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities that are not micro enterprises in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers or for dealing with crisis management, to organise their ICT risk management according to the three lines of defence model, or to adopt a human resources document comprehensively explaining access rights policies.

By the same token, only such financial entities should be called to perform in-depth assessments after major changes in the network and information system infrastructures and processes, to regularly conduct risk analyses on legacy ICT systems, or expand the testing of business continuity and response and recovery plans to capture switchover scenarios between primary ICT infrastructure and redundant facilities.

(35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat-led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all estimated costs and losses caused by significant ICT disruptions, major ICT-related incidents and the results of post-incident reviews after such ICT disruptions.

(36) To ensure full alignment and overall consistency between financial entities’ business strategies, on the one hand, and the conduct of ICT risk management, on the other hand, the management body should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital resilience strategy. The approach to be taken by the management body should not only focus on the means to ensure the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness over cyber risks and a commitment to respect strict cyber hygiene at all levels.

The ultimate responsibility of the management body in managing a financial entity’s ICT risks should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management.

(37) Moreover, the management body’s full accountability goes hand in hand with securing a level of ICT investments and overall budget for the financial entity to be able to achieve its digital operational resilience baseline.

(38) Inspired by relevant international, national and industry-set standards, guidelines, recommendations or approaches towards the management of cyber risk[13], this Regulation promotes a set of functions facilitating the overall structuring of the ICT risk management. As long as the main capabilities which financial entities put in place answer the needs of the objectives foreseen by the functions (identification, protection and prevention, detection, response and recovery, learning and evolving and communication) set out in this Regulation, financial entities remain free to use ICT risk management models that are differently framed or categorised.

(39) To keep pace with an evolving cyber threat landscape, financial entities should maintain updated ICT systems that are reliable and endowed with sufficient capacity not only to guarantee the processing of data as it is necessary for the performance of their services, but also to ensure technological resilience allowing financial entities to adequately deal with additional processing needs which stressed market conditions or other adverse situations may generate. While this Regulation does not entail any standardization of specific ICT systems, tools or technologies, it relies on the financial entities’ suitable use of European and internationally recognised technical standards (e.g. ISO) or industry best practices, insofar as such use is fully compliant with specific supervisory instructions on the use and incorporation of international standards.

(40) Efficient business continuity and recovery plans are required to allow financial entities to promptly and quickly resolve ICT-related incidents, in particular cyber-attacks, by limiting damage and giving priority to the resumption of activities and recovery actions, taking into account whether the function is a critical or important function. However, while backup systems should begin processing without undue delay, such start should in no way jeopardise the integrity and security of the network and information systems or the confidentiality of data.

(41) While this Regulation allows financial entities to determine recovery time objectives in a flexible manner and hence set such objectives by fully taking into account the nature and the criticality of the relevant function and any specific business needs, an assessment on the potential overall impact on market efficiency should also be required when determining such objectives.

(42) The significant consequences of cyber-attacks are amplified when occurring in the financial sector, an area much more at risk of being the target of malicious propagators pursuing financial gains directly at the source. To mitigate such risks and to prevent ICT systems losing integrity or becoming unavailable and confidential data being breached or physical ICT infrastructure suffering damage, the reporting of major ICT-related incidents by financial entities should be significantly improved.

ICT-related incident reporting should be harmonised for all financial entities by requiring them to report to their competent authorities only. While all financial entities would be subject to this reporting, not all of them should be affected in the same manner, since relevant materiality thresholds and time frames should be calibrated to only capture major ICT-related incidents. Direct reporting would enable financial supervisors’ access to information on ICT-related incidents. Nevertheless, financial supervisors should pass on this information to non-financial public authorities (NIS competent authorities, national data protection authorities and law enforcement authorities for incidents of criminal nature). The ICT-related incident information should be mutually channelled: financial supervisors should provide all necessary feedback or guidance to the financial entity while the ESAs should share anonymised data on threats and vulnerabilities relating to an event to aid wider collective defence.

(43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single EU Hub for major ICT-related incident reporting, either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB and ENISA, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.

(44) In order to achieve robust digital operational resilience, and in line with international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing), financial entities, other than microenterprises, should regularly test their ICT systems and staff with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests). Digital operational resilience testing should thus be more demanding for significant financial entities (such as large credit institutions, stock exchanges, central securities depositories, central counterparties, etc.). At the same time, digital operational resilience testing should also be more relevant for some subsectors playing a core systemic role (e.g. payments, banking, clearing and settlement), and less relevant for other subsectors (e.g. asset managers, credit rating agencies, etc.). Cross-border financial entities exercising their freedom of establishment or provision of services within the Union should comply with a single set of advanced testing requirements (e.g. TLPT) in their home Member State, and that test should include the ICT infrastructures in all jurisdictions where the cross-border group operates within the Union, thus allowing cross-border groups to incur testing costs in one jurisdiction only. Furthermore, in order to strengthen cooperation with trusted third countries in the field of resilience of financial entities, the Commission and competent authorities should seek to establish a framework for mutual recognition of TLPT results.

Member States should designate a single public authority to be responsible for TLPT in the financial sector at national level. The single public authority could be, inter alia, a national competent authority, or a public authority designated in accordance with Article 8 of Directive (EU) 2016/1148 (NIS). The single public authority should be responsible for issuing attestations that TLPT was undertaken in compliance with the requirements. Such attestations should facilitate mutual recognition of testing amongst competent authorities.

Some financial entities have the capacity to conduct internal advanced testing, whilst others will contract external testers from within the Union or from a third country. As such, it is important that all testers are subject to the same clear requirements. In order to ensure the independence of internal testers, their use should be subject to the approval of the competent authority.

The methodology for TLPT should not be mandated but the use of the existing TIBER-EU framework should be considered as complying with the requirements of TLPT as set out in this Regulation.

Until the entry into force of this Regulation and the development and adoption by the ESAs of the mandated regulatory technical standards in respect of TLPT, financial entities should follow the relevant Union guidelines and frameworks that apply to intelligence-based penetration tests, as those will continue to apply after this Regulation comes into force.

(44a) The responsibility for conducting TLPT – and for cyber security management in general and cyber-attack prevention – should remain fully with the financial entity, and attestations provided by authorities should be solely for the purpose of mutual recognition and should not preclude any follow-up action on the level of ICT risk to which the financial entity is exposed nor be seen as an endorsement of its ICT risk management and mitigation capabilities.

(45) To ensure a sound monitoring of ICT third-party risk, it is necessary to lay down a set of principle-based rules to guide financial entities’ monitoring of risk arising in the context of outsourced functions to ICT third-party services providers, particularly regarding the provision of critical or important functions by ICT third-party service providers, and, more generally, in the context of ICT third-party dependencies.

(46) A financial entity should at all times remain fully responsible for complying with obligations under this Regulation. A proportionate monitoring of risk emerging at the level of the ICT third-party service provider should be organised by duly considering the nature, scale, complexity and importance of ICT-related dependencies, the criticality or importance of the services, processes or functions subject to the contractual arrangements and, ultimately, on the basis of a careful assessment of any potential impact on the continuity and quality of financial services at individual and at group level, as appropriate, as well as whether the ICT services are provided by an intra-group or third-party service provider.

(47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a continuous screening of all such ICT third-party dependencies. To enhance supervisory awareness over ICT third-party dependencies, and with a view to further support the Oversight Framework established by this Regulation, financial supervisors should regularly receive essential information from the Registers and should be able to request extracts thereof on an ad-hoc basis.

(48) A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, while corrective and remedial measures, which may include partial or whole termination of contracts should be taken in the case of at least a set of circumstances that show severe shortfalls at the ICT third-party service provider.

(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The Joint Oversight Body conducting the oversight for each critical ICT third-party provider and the ESA designated to conduct day-to-day oversight (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified[14].

(50) To be able to evaluate and monitor on a regular basis the ability of the ICT third-party service provider to securely provide services to the financial entity without adverse effects on the latter’s resilience, there should be a harmonisation of key contractual elements throughout the performance of contracts with ICT third-party providers. Those elements only cover minimum contractual aspects considered crucial for enabling full monitoring by the financial entity from the perspective of ensuring its digital resilience reliant on the stability and security of the ICT service.

(51) Contractual arrangements should in particular provide for a specification of complete descriptions of functions and services, of locations where such functions are provided and where data are processed, as well as an indication of full service level descriptions accompanied by quantitative and qualitative performance targets within agreed service levels to allow an effective monitoring by the financial entity. In the same vein, provisions on accessibility, availability, integrity, security and protection of personal data, as well as guarantees for access, recovery and return in the case of insolvency, resolution, discontinuation of the business operations of the ICT third-party service provider or termination of the contractual arrangements should also be considered essential elements for a financial entity’s ability to ensure the monitoring of third party risk.

(52) To ensure that financial entities remain in full control of all developments that may impair their ICT security, notice periods and reporting obligations of the ICT third-party service provider should be set out in case of developments with a potential material impact on the ICT third-party service provider’s ability to effectively carry out critical or important functions, including the provision of assistance by the latter in case of an ICT-related incident relevant to the services being provided by the ICT third-party service provider to the financial entity at the agreed service levels at no additional cost or at a cost that is determined ex-ante. Ancillary ICT services on which the financial entities are not operationally dependent are not covered by this Regulation.

Furthermore, the definition of ‘critical or important function’ provided for in this Regulation should encompass the definition of ‘critical functions’ as provided for in Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014[15]. Accordingly, functions that are critical functions pursuant to Directive 2014/59/EU should be critical or important functions within the meaning of this Regulation.

(53) In the case of contractual arrangements for critical or important functions, rights of access, inspection and audit by the financial entity or an appointed third party are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the Joint Oversight Body and Lead Overseer of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality and whilst exercising caution not to disrupt the services provided to other customers of the ICT third-party service provider. The financial entity and the ICT third-party service provider should be able to agree that the rights of access, inspection and audit can be delegated to an independent third party.

(54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of in-house solutions, consistent with the complexity of the provided service. Moreover, credit institutions should ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In line with the resolution authorities’ expectations, credit institutions should ensure that the relevant contracts for ICT services are resolution-resilient. As long as critical or important ICT functions continue to be performed, those financial entities should ensure that the contracts contain, among other requirements, non-termination, non-suspension and non-modification clauses on the grounds of restructuring or resolution.

(55) Moreover, the voluntary use of standard contractual clauses developed by the Commission for cloud computing services may provide further comfort to the financial entities and their ICT third-party providers, by enhancing the level of legal certainty on the use of cloud computing services by the financial sector, in full alignment with requirements and expectations set out by the financial services regulation. This work builds on measures already envisaged in the 2018 Fintech Action Plan that announced the Commission’s intention to encourage and facilitate the development of standard contractual clauses for the use of cloud computing services outsourcing by financial entities, drawing on cross-sectorial cloud computing services stakeholders efforts, which the Commission has facilitated with the help of the financial sector’s involvement.

(55a) The ESAs should be mandated to draft implementing technical and regulatory standards specifying the expectations of the policies on managing ICT third-party risk and on contractual requirements. Until the entry into force of those standards, financial entities should follow relevant guidelines and other measures issued by the ESAs and competent authorities.

(56) With a view to promote convergence and efficiency in relation to supervisory approaches to ICT third-party risk to the financial sector, strengthen the digital operational resilience of financial entities that rely on critical ICT third-party service providers for the performance of operational functions, and thus to contribute to preserving the Union’s financial system stability, the integrity of the single market for financial services, critical ICT third-party service providers should be subject to a Union Oversight Framework.

(57) Since only critical third-party service providers warrant a special treatment, a designation mechanism for the purposes of applying the Union Oversight Framework should be put in place to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers, which translates into a set of quantitative and qualitative criteria that would set the criticality parameters as a basis for inclusion into the Oversight Framework. Critical ICT third-party service providers that are not automatically designated by virtue of the application of the above-mentioned criteria should have the possibility to voluntarily opt in to the Oversight Framework, while those ICT third-party providers already subject to oversight frameworks supporting the fulfilment of the tasks of the Eurosystem, as referred to in Article 127(2) of the Treaty on the Functioning of the European Union, should consequently be exempted. Similarly, undertakings that are part of a financial group and that provide ICT services exclusively to financial entities within the same financial group should not be subject to the mechanism for being designated as critical.

(58) The requirement of legal incorporation in the Union of ICT third-party service providers that have been designated as critical does not amount to data localisation since this Regulation does not entail any further requirement on data storage or processing to be undertaken in the Union. The requirement to have an undertaking, such as a subsidiary constituted in the Union under the law of a Member State is intended to provide a contact point between the ICT third-party service provider, on the one hand, and the Lead Overseer and Joint Oversight Body, on the other, and to ensure that the Lead Overseer and Joint Oversight Body are able to carry out their duties and exercise their powers of oversight and enforcement as provided for in this Regulation. The contracted services of the ICT third-party service provider do not need to be performed by its entity in the Union.

(58a) Due to the significant impact that designation as critical could have on ICT third-party service providers, prior hearing rights should be established as an obligation imposed on the ESAs and Joint Oversight Body to duly take into consideration any additional information provided by ICT third-party service providers in the course of the designation process.

(59) The Oversight framework should be without prejudice to Member States’ competence to conduct own oversight missions in respect to ICT third-party service providers that are not critical under this Regulation but could be deemed important at national level.

(60) To leverage the current multi-layered institutional architecture in the financial services area, the Joint Committee of the ESAs should continue to ensure the overall cross-sectoral coordination in relation to all matters pertaining to ICT risk, in accordance with its tasks on cybersecurity, through the newly established Joint Oversight Body issuing both individual decisions addressed to critical ICT third-party service providers and collective recommendations, notably on benchmarking the oversight programs of critical ICT third-party service providers, and identifying best practices for addressing ICT concentration risk issues.

(61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale, the Joint Oversight Body should be established to conduct direct oversight of ICT third-party service providers. Moreover, one of the ESAs should be designated as Lead Overseer for each critical ICT third-party service provider to conduct and coordinate day-to-day oversight and investigative work, to act as a single point of contact, and to ensure continuity. The Joint Oversight Body and Lead Overseer should work seamlessly to ensure efficient daily oversight as well as a holistic approach to decision-making and recommendations.

(62) Lead Overseers should enjoy the necessary powers to conduct investigations, onsite inspections at critical ICT third-party service providers, access all relevant premises and locations and obtain complete and updated information to enable them to acquire real insight into the type, dimension and impact of the ICT third-party risk posed to the financial entities and ultimately to the Union’s financial system.

(62a) Entrusting the Joint Oversight Body with direct oversight is a prerequisite for grasping and addressing the systemic dimension of ICT risk in finance. The Union footprint of critical ICT third-party service providers and the potential issues of ICT concentration risk attached to it call for taking a collective approach exercised at Union level. The exercise of multiple audits and access rights, conducted by numerous competent authorities in separation with little or no coordination would not lead to a complete overview on ICT third-party risk while creating unnecessary redundancy, burden and complexity at the level of critical ICT third-party providers facing such numerous requests.

(63) The Joint Oversight Body should be able to issue recommendations on ICT risk matters and suitable remedies, including opposing certain contractual arrangements ultimately affecting the stability of the financial entity or the financial system. Compliance with such substantive recommendations laid down by the Joint Oversight Body should be duly taken into account by national competent authorities as part of their function relating to the prudential supervision of financial entities. Prior to the finalisation of such recommendations, critical ICT third-party service providers should be given the opportunity to provide information which they reasonably believe should be taken into account before the recommendation is finalised and issued.

(63a) In order to avoid duplication and contradictions with the technical and organisational measures that apply to critical ICT third-party service providers, Lead Overseers and the Joint Oversight Body should take due account of the framework established by Directive (EU) 2016/1148 in the exercise of their powers in accordance with the Oversight Framework in this Regulation. Before exercising such powers, the Joint Oversight Body and the Lead Overseer should consult the relevant competent authorities that have jurisdiction under Directive (EU) 2016/1148.

(64) The Oversight Framework shall not replace, or in any way or for any part substitute, the management by financial entities of the risk entailed by the use of ICT third-party service providers, including the obligation of ongoing monitoring of their contractual arrangements concluded with critical ICT third-party service providers, and shall not affect the full responsibility of the financial entities in complying with, and discharging of, all requirements under this Regulation and relevant financial services legislation. To avoid duplications and overlaps, competent authorities should refrain from individually taking any measures aimed at monitoring the critical ICT third-party service provider’s risks. Any such measures should be previously coordinated and agreed in the context of the Oversight Framework.

(65) To promote convergence at international level on best practices to be used in the review of ICT third-party service providers’ digital risk-management, the ESAs should be encouraged to conclude cooperation arrangements with the relevant supervisory and regulatory third-country competent authorities to facilitate the development of best practices addressing ICT third-party risk.

(66) To leverage technical expertise of competent authorities’ experts on operational and ICT risk management, Lead Overseers, when conducting general investigations or on-site inspections, should draw on national supervisory experience and set up dedicated examination teams for each individual critical ICT third-party service provider, pooling together multidisciplinary teams to support both the preparation and the actual execution of oversight activities, including onsite inspections of critical ICT third-party service providers, as well as needed follow-up thereof.

(67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant competent authorities, including the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013[16], and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities. The Single Resolution Board, although not a competent authority for the purposes of this Regulation, should nevertheless be involved in the mechanisms for the mutual exchange of information for entities that fall within the scope of Regulation (EU) No 806/2014 of the European Parliament and of the Council[17].

(68) In order to further quantify and qualify the designation criteria for critical ICT third-party service providers and to harmonise oversight fees, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of: further specifying the systemic impact that a failure of an ICT third-party provider could have on the financial entities it serves, the numbers of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the respective ICT third-party service provider, the number of ICT third-party service providers active on a specific market, the costs of migrating to another ICT third-party service provider, the number of Member States in which the relevant ICT third-party service provider provides services and in which financial entities using the relevant ICT third-party service provider are operating, as well as the amount of the oversight fees and the way in which they are to be paid.

It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making[18]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(69) Since this Regulation, together with Directive (EU) 20xx/xx of the European Parliament and of the Council[19], entails a consolidation of the ICT risk management provisions spanning across multiple regulations and directives of the Union’s financial services acquis, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, in order to ensure full consistency, those Regulations should be amended to clarify that the relevant ICT risk-related provisions are laid down in this Regulation.

Relevant guidelines issued or currently being prepared by the ESAs on the application of those Regulations and Directives should be reviewed and revised as part of the consolidation process so that the legal basis for ICT risk requirements in Union law derives exclusively from this Regulation, its implementing acts and the decisions and recommendations taken in accordance therewith, concerning entities within its scope.

(69a) Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards that do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk. When developing draft regulatory technical standards, the ESAs should take due consideration of their mandate in relation to proportionality aspects, and seek advice from their respective Advisory Committees on Proportionality, in particular in relation to the application of this Regulation to SMEs and mid-caps.

(70) It is of particular importance that the Commission carries out appropriate consultations during its preparatory work, including at expert level. The Commission and the ESAs should ensure that those standards and requirements can be applied by all financial entities in a manner that is proportionate to the nature, scale and complexity of those entities and their activities.

(71) To facilitate the comparability of major ICT-related incident reports and to ensure transparency on contractual arrangements for the use of ICT services provided by ICT third-party service providers, the ESAs should be mandated to develop draft implementing technical standards establishing standardised templates, forms and procedures for financial entities to report a major ICT-related incident, as well as standardised templates for the register of information. When developing those standards, the ESAs should take into account the nature, size, complexity and business profile of financial entities, as well as the nature and level of risk of their activities. The Commission should be empowered to adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively. Since further requirements have already been specified through delegated and implementing acts based on regulatory technical standards and implementing technical standards in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, respectively, it is appropriate to mandate the ESAs, either individually or jointly through the Joint Committee, to submit regulatory and implementing technical standards to the Commission for adoption of delegated and implementing acts carrying over and updating existing ICT risk management rules.

(72) This exercise will entail the subsequent amendment of existing delegated and implementing acts adopted in different areas of the financial services legislation. The scope of the operational risk articles upon which empowerments in those acts had mandated the adoption of delegated and implementing acts should be modified with a view to carrying over into this Regulation all provisions covering digital operational resilience which are today part of those Regulations.

(73) Since the objectives of this Regulation, namely to achieve a high level of digital operational resilience applicable to all financial entities, cannot be sufficiently achieved by the Member States because they require the harmonisation of a multitude of different rules, currently existing either in some Union acts or in the legal systems of the various Member States, but can rather, because of their scale and effects, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

1. This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities needed to achieve a high common level of digital operational resilience, as follows:

(a) requirements applicable to financial entities in relation to:

– Information and Communication Technology (ICT) risk management;

– reporting of major ICT-related incidents to the competent authorities;

– reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (c);

– digital operational resilience testing;

– information and intelligence sharing in relation to cyber threats and vulnerabilities;

– measures for the sound management of ICT third-party risk by financial entities;

(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;

(c) the oversight framework for critical ICT third-party service providers when providing services to financial entities;

(d) rules on cooperation among competent authorities and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

2. In relation to financial entities identified as operators of essential services pursuant to national rules transposing Article 5 of Directive (EU) 2016/1148, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 1(7) of that Directive.

2a. This Regulation is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security.

Article 2

Personal scope

1. This Regulation applies to the following entities:

(a) credit institutions,

(b) payment institutions,

(c) electronic money institutions,

(d) investment firms,

(e) crypto-asset service providers, issuers and offerors of crypto-assets, issuers and offerors of asset-referenced tokens and issuers of significant asset-referenced tokens,

(f) central securities depositories and operators of securities settlement systems,

(g) central counterparties,

(h) trading venues,

(i) trade repositories,

(j) managers of alternative investment funds,

(k) management companies,

(l) data reporting service providers,

(m) insurance and reinsurance undertakings,

(n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are not micro, small or medium-sized enterprises unless those micro, small or medium-sized enterprises rely exclusively on organised automated sales systems,

(o) institutions for occupational retirement provisions (IORPs) that do not operate pension schemes having together fewer than 15 members,

(p) credit rating agencies,

(q) statutory auditors and audit firms that are not micro, small or medium-sized enterprises unless such micro, small or medium-sized enterprises provide auditing services to entities listed in this Article with the exception of micro, small or medium-sized enterprises that are non-profit-making auditing entities pursuant to Article 2(3) of Regulation (EU) No 537/2014 unless the competent authority decides that the exception is not valid,

(r) administrators of critical benchmarks,

(s) crowdfunding service providers,

(t) securitisation repositories,

(u) ICT third-party service providers.

1a. This Regulation, with the exception of Section II of Chapter V, also applies to ICT intra-group service providers.

2. For the purposes of this Regulation, the entities referred to in points (a) to (t) of paragraph 1 shall collectively be referred to as ‘financial entities’.

2a. For the purposes of this Regulation, with the exception of Section II of Chapter V, ICT third-party service providers and ICT intra-group service providers shall be collectively referred to as 'ICT third-party service providers'.

Article 3

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the continued provision of financial services and their quality in the face of operational disruptions impacting the financial entity’s ICT capabilities;

(2) ‘network and information system’ means network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;

(3) ‘security of network and information systems’ means security of network and information systems as defined in point (2) of Article 4 of Directive (EU) 2016/1148;

(4) ‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any ICT-dependent tool or process, of the running of operations and processes, or of the provision of services;

(5) ‘information asset’ means a collection of information, either tangible or intangible, that is worth protecting;

(6) ‘ICT-related incident’ means an unforeseen identified incident, or a series of linked incidents, which compromises the security of network and information systems or has adverse effects on the availability, confidentiality, continuity, integrity or authenticity of financial services provided by the financial entity;

(6a) ‘operational or security payment-related incident’ means an event or a series of linked occurrences unforeseen by the financial entities referred to in Article 2(1), points (a) to (c) that has or is likely to have an adverse impact on the integrity, availability, confidentiality, authenticity or continuity of payment-related services;

(7) ‘major ICT-related incident’ means an ICT-related incident that has or is likely to have a high adverse impact on the network and information systems that support critical functions of the financial entity;

(7a) ‘major operational or security payment-related incident’ means an operational or security payment-related incident that meets the criteria set out in Article 16;

(8) ‘cyber threat’ means ‘cyber threat’ as defined in point (8) of Article 2 of Regulation (EU) 2019/881 of the European Parliament and of the Council[20];

(8a) ‘significant cyber threat’ means a cyber threat the characteristics of which clearly indicate that it is likely to result in a major ICT-related incident;

(9) ‘cyber-attack’ means a malicious ICT-related incident consisting of an attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset, perpetrated by any threat actor;

(10) ‘threat intelligence’ means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and that brings relevant and sufficient understanding for mitigating the impact of an ICT-related incident or cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;

(11) ‘defence-in-depth’ means an ICT-related strategy integrating people, processes and technology to establish a variety of barriers across multiple layers and dimensions of the entity;

(12) ‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by a cyber threat;

(13) ‘threat-led penetration testing’ means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the entity’s critical live production systems;

(14) ‘ICT third-party risk’ means ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by further sub-contractors of the latter;

(15) ‘ICT third-party service provider’ means an undertaking providing ICT services, including a financial entity providing ICT services that forms part of an undertaking that provides a wider range of products or services, but excluding providers of hardware components and undertakings authorised under Union law that provide electronic communication services as defined in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council[21];

(15a) ‘ICT intra-group service provider’ means an undertaking that is part of a financial group and that provides ICT services, exclusively to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;

(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users on an ongoing basis, excluding telecommunication contracts;

(17) ‘critical or important function’ means an activity or service that is essential to the operation of a financial entity and the disruption of which would materially impair the soundness or continuity of the financial entity’s services and activities, or whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, including 'critical functions' as defined in Article 2, paragraph 1, point 35, of Directive 2014/59/EU;

(18) ‘critical ICT third-party service provider’ means an ICT third-party service provider designated in accordance with Article 28 and subject to the Oversight Framework referred to in Articles 29 to 37;

(19) ‘ICT third-party service provider established in a third country’ means an ICT third-party service provider that is a legal person established in a third country and has entered into a contractual arrangement with a financial entity for the provision of ICT services;

(20) ‘ICT sub-contractor established in a third country’ means an ICT sub-contractor that is a legal person established in a third country and has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country;

(21) ‘ICT concentration risk’ means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the financial stability of the Union as a whole or the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses;

(22) ‘management body’ means a management body as defined in point (36) of Article 4(1) of Directive 2014/65/EU, point (7) of Article 3(1) of Directive 2013/36/EU, point (s) of Article 2(1) of Directive 2009/65/EC, point (45) of Article 2(1) of Regulation (EU) No 909/2014, point (20) of Article 3(1) of Regulation (EU) 2016/1011 of the European Parliament and of the Council[22], point (18) of Article 3(1) of Regulation (EU) 20xx/xx of the European Parliament and of the Council[23] [MICA] or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national legislation;

(23) ‘credit institution’ means a credit institution as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council[24];

(23a) ‘credit institution exempted by Directive 2013/36/EU’ means an institution benefiting from an exemption pursuant to Article 2(5), points (4) to (23), of Directive 2013/36/EU;

(24) ‘investment firm’ means an investment firm as defined in point (1) of Article 4(1) of Directive 2014/65/EU;

(24a)  ‘small and non-interconnected investment firm’ means an investment firm that meets the conditions laid out in Article 12 (1) of Regulation (EU) 2019/2033;

(25) ‘payment institution’ means a payment institution as defined in point (d) of Article 1(1) of Directive (EU) 2015/2366;

(25a) ‘payment institution exempted by Directive (EU) 2015/2366’ means a payment institution benefitting from an exemption pursuant to Article 32 (1) of Directive (EU) 2015/2366;

(26) ‘electronic money institution’ means an electronic money institution as defined in point (1) of Article 2 of Directive 2009/110/EC of the European Parliament and of the Council[25];

(26a) ‘electronic money institution exempted by Directive 2009/110/EC’ means an electronic money institution benefitting from a waiver under Article 9 of Directive 2009/110/EC;

(27) ‘central counterparty’ means a central counterparty as defined in point (1) of Article 2 of Regulation (EU) No 648/2012;

(28) ‘trade repository’ means a trade repository as defined in point (2) of Article 2 of Regulation (EU) No 648/2012;

(29) ‘central securities depository’ means a central securities depository as defined in point (1) of Article 2(1) of Regulation (EU) No 909/2014;

(30) ‘trading venue’ means a trading venue as defined in point (24) of Article 4(1) of Directive 2014/65/EU;

(31) ‘manager of alternative investment funds’ means a manager of alternative investment funds as defined in point (b) of Article 4(1) of Directive 2011/61/EU;

(32) ‘management company’ means a management company as defined in point (b) of Article 2(1) of Directive 2009/65/EC;

(33) ‘data reporting service provider’ means a data reporting service provider as defined in point (63) of Article 4(1) of Directive 2014/65/EU;

(34) ‘insurance undertaking’ means an insurance undertaking as defined in point (1) of Article 13 of Directive 2009/138/EC;

(35) ‘reinsurance undertaking’ means a reinsurance undertaking as defined in point (4) of Article 13 of Directive 2009/138/EC;

(36) ‘insurance intermediary’ means insurance intermediary as defined in point (3) of Article 2 (1) of Directive (EU) 2016/97;

(37) ‘ancillary insurance intermediary’ means an ancillary insurance intermediary as defined in point (4) of Article 2 (1) of Directive (EU) 2016/97;

(38) ‘reinsurance intermediary’ means reinsurance intermediary as defined in point (5) of Article 2 (1) of Directive (EU) 2016/97;

(39) ‘institution for occupational retirement pensions’ means institution for occupational retirement pensions as defined in point (6) of Article 1 of Directive 2016/2341;

(40) ‘credit rating agency’ means a credit rating agency as defined in point (a) of Article 3(1) of Regulation (EC) No 1060/2009;

(41) ‘statutory auditor’ means statutory auditor as defined in point (2) of Article 2 of Directive 2006/43/EC;

(42) ‘audit firm’ means an audit firm as defined in point (3) of Article 2 of Directive 2006/43/EC;

(43) ‘crypto-asset service provider’ means crypto-asset service provider as defined in point (8) of Article 3(1) of Regulation (EU) 202x/xx [PO: insert reference to MICA Regulation];

(44) ‘issuer of crypto-assets’ means issuer of crypto-assets as defined in point (6) of Article 3 (1) of [OJ: insert reference to MICA Regulation];

(44a) ‘offeror’ means an offeror as defined in point [(XX)] of Article 3(1) of [OJ: insert reference to MICA Regulation];

(44b) ‘offeror of crypto-assets’ means an offeror of crypto-assets as defined in point [(XX) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];

(45) ‘issuer of asset-referenced tokens’ means ‘issuer of asset-referenced payment tokens’ as defined in point (i) of Article 3 (1) of [OJ: insert reference to MICA Regulation];

(45a) ‘offeror of asset-referenced tokens’ means an offeror of asset-referenced payment tokens as defined in point [(XX)] of Article 3 (1) of [OJ: insert reference to MICA Regulation];

(46) ‘issuer of significant asset-referenced tokens’ means issuer of significant asset-referenced payment tokens as defined in point (XX) of Article 3 (1) of [OJ: insert reference to MICA Regulation];

(47) ‘administrator of critical benchmarks’ means an administrator of “critical benchmarks” as defined in point (25) of Article 3 of Regulation 2016/1011 [OJ: insert reference to Benchmark Regulation];

(48) ‘crowdfunding service provider’ means a crowdfunding service provider as defined in point (e) of Article 2(1) of Regulation (EU) 2020/1503 [PO: insert reference to Crowdfunding Regulation];

(49) ‘securitisation repository’ means securitisation repository as defined in point (23) of Article 2 of Regulation (EU) 2017/2402;

(50) ‘micro, small and medium-sized enterprise’ means a financial entity as defined in Article 2 of the Annex to Recommendation 2003/361/EC;

(50a) ‘resolution authority’ means the authority designated by a Member State in accordance with Article 3 of Directive 2014/59/EU or the Single Resolution Board established pursuant to Article 42 of Regulation (EU) No 806/2014.


Article 3a

Proportionality principle


1. Financial entities shall implement the rules introduced by Chapters II, III and IV in accordance with the principle of proportionality, taking into account their size, the nature, scale and complexity of their services, activities and operations, and their overall risk profile.

2. Pursuant to the principle of proportionality, Articles 4 to 14 of this Regulation shall not apply to:

(a) small and non-interconnected investment firms or payment institutions exempted by Directive (EU) 2015/2366;

(b)  credit institutions exempted by Directive 2013/36/EU;

(c) electronic money institutions exempted by Directive 2009/110/EC; or

(d) small institutions for occupational retirement pensions.

3. On the basis of the annual report on the review of the ICT risk management framework, referred to in Article 5(6) and Article 14a(2), the relevant competent authorities shall review and evaluate the application of proportionality by a financial entity and determine whether the financial entity’s ICT risk management framework ensures sound management and digital operational resilience and coverage of ICT risk. In doing so, the competent authorities shall take into account the size of the financial entity, the nature, scale and complexity of its services, activities and operations, and its overall risk profile.

4. In the event that the relevant competent authority deems the financial entity’s ICT risk management framework to be insufficient and disproportionate, it shall enter into a dialogue with the financial entity to rectify the shortcomings and ensure full compliance with Chapter II.

5. The ESAs shall develop draft regulatory technical standards in respect of the following:

(a) determining the extent to which ICT risk management obligations are applicable to each of the financial entities mentioned in paragraph 1;

(b) specifying further the content and format of the annual report on the review of the ICT risk management framework referred to in paragraph 3;

(c) specifying further the rules and procedures to be followed by the competent authorities and financial entities in the dialogue referred to in paragraph 4.

6. The ESAs shall submit the draft regulatory technical standards referred to in paragraph 5 to the Commission by [OJ: insert date 1 year after the date of entry into force].

Power is delegated to the Commission to adopt the regulatory technical standards referred to in paragraph 5 of this Article in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.


CHAPTER II

ICT RISK MANAGEMENT

SECTION I

Article 4

Governance and organisation

1. Financial entities shall have in place an internal governance and a control framework that ensures an effective and prudent management of all ICT risks, with a view to achieving a high level of digital operational resilience.

2. The management body of the financial entity shall define, approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework referred to in Article 5(1).

For the purposes of the first subparagraph, the management body shall:

(a) bear the ultimate responsibility for managing the financial entity’s ICT risks;

(aa) put in place procedures and policies that aim to ensure the maintenance of high standards of security, confidentiality and integrity of data;

(b) set clear roles and responsibilities for all ICT-related functions;

(c) determine the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in point (b) of Article 5(9);

(d) approve, oversee and periodically review the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan, which may be adopted as a dedicated distinct policy and as an integral part of the financial entity's broader business-wide continuity policy and disaster recovery plan, referred to in, respectively, paragraphs 1 and 3 of Article 10;

(e) approve and periodically review the ICT audit plans, ICT audits and material modifications thereto;

(f) allocate and periodically review appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant training on ICT risks and skills for all staff;

(g) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;

(h) be duly informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding the ICT third-party service providers, and of the potential impact of such changes on the critical or important functions subject to those arrangements, including receiving a summary of the risk analysis to assess the impact of those changes;

(i) be regularly informed about, at least, major ICT-related incidents and their impact and about response, recovery and corrective measures.

3. Financial entities other than microenterprises shall establish a role to monitor the arrangements within the financial entity for the use of ICT services, especially those concluded with ICT third-party service providers, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.

4. Members of the management body of the financial entity shall actively keep up to date sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risks being managed.


SECTION II

Article 5

ICT risk management framework

1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

2. The ICT risk management framework referred to in paragraph 1 shall include strategies, policies, procedures, ICT protocols and tools that are necessary to duly and effectively protect all relevant physical components and infrastructures, including computer hardware, servers, as well as all relevant premises, data centres and sensitive designated areas, to ensure that all those physical elements are adequately protected from risks including damage and unauthorised access or usage.

3. Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, protocols and tools as determined in the ICT risk management framework. They shall provide complete and updated information on ICT risks and on their ICT risk management framework as requested by the competent authorities.

4. As part of the ICT risk management framework referred to in paragraph 1, financial entities other than microenterprises shall implement an information security management system based on recognised international standards and in accordance with supervisory guidance, where already available and appropriate, including guidance laid out in relevant guidelines established by the ESAs, and shall regularly review it.

5. Financial entities other than microenterprises shall assign the responsibility for managing and overseeing ICT risks to a control function and ensure the independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate independence of ICT management functions, control functions and internal audit functions, according to the three lines of defence model or an internal risk management and control model.

6. The ICT risk management framework referred to in paragraph 1 shall be documented and reviewed at least once a year, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring.

A report on the review of the ICT risk management framework shall be submitted to the competent authority on an annual basis.


7. As regards financial entities other than microenterprises, the ICT risk management framework referred to in paragraph 1 shall be audited on a regular basis by ICT auditors possessing sufficient knowledge, skills and expertise in ICT risk. The frequency and focus of ICT audits shall be commensurate to the ICT risks of the financial entity.

8. A formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings, shall be established, taking into consideration the conclusions from the audit review.

9. The ICT risk management framework referred to in paragraph 1 shall include a digital operational resilience strategy setting out how the framework is implemented. To that effect it shall include the methods to address ICT risk and attain specific ICT objectives, by:

(a) explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;

(b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;

(c) setting out clear information security objectives;

(d) explaining the ICT architecture and any changes needed to reach specific business objectives;

(e) outlining the different mechanisms put in place to detect, protect and prevent impacts of ICT-related incidents;

(f) evidencing the number of reported major ICT-related incidents and the effectiveness of preventive measures;

(g) identifying key dependencies on ICT third-party service providers and detailing exit strategies in relation to such key dependencies;

(h) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;

(i) outlining a communication strategy in case of ICT-related incidents required to be disclosed in accordance with Article 13.

10. Upon approval of competent authorities, financial entities may outsource the tasks of verifying compliance with the ICT risk management requirements to external undertakings.

Upon notification to the competent authorities, financial entities may delegate the task of verifying compliance with the ICT risk management requirements to intra-group undertakings.

Where the delegation referred to in the second subparagraph is put in place, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.


Article 6

ICT systems, protocols and tools

1. Financial entities shall use and maintain updated ICT systems, protocols and tools, in order to address and manage ICT risk, that fulfil the following conditions:

(a) the systems and tools are appropriate to the magnitude of operations supporting the conduct of their activities;

(b) they are reliable;

(c) they have sufficient capacity to accurately process the data necessary for the performance of activities and the provision of services in time, and to deal with peak orders, message or transaction volumes, as needed, including in the case of introduction of new technology;

(d) they are technologically resilient to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

2. Where financial entities use internationally recognized technical standards and industry leading practices on information security and ICT internal controls, they shall use those standards and practices in line with any relevant supervisory recommendation on their incorporation.


Article 7

Identification

1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all critical or important ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the criticality or importance of ICT-related business functions, as well as the adequacy of the classification of the information assets and of any relevant documentation.

2. Financial entities shall on a continuous basis identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their critical or important ICT-related business functions and information assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

3. Financial entities other than microenterprises shall perform, where appropriate, a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their functions, supporting processes or information assets.

4. Financial entities shall identify all ICT system accounts, including those on remote sites, the network resources and hardware equipment, and shall map physical equipment considered critical. They shall map the configuration of the critical or important ICT assets having regard to their purpose and the links and interdependencies between those different ICT assets.

5. Financial entities shall identify and document all critical or important processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that support critical or important functions.

6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain and regularly update relevant inventories.

7. Financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems, including systems that are still in use and perform their function but that are:

(a) old or at the end of their life, in the case of hardware;

(b) no longer able to receive support or maintenance from their supplier; or

(c) impossible or uneconomical to update.

Annual ICT risk assessments shall be conducted on legacy ICT systems especially before and after connecting technologies, applications or systems.

Article 8

Protection and Prevention

1. For the purposes of adequately protecting the ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the functioning of the ICT systems and tools and shall minimise the impact of such risks through the deployment of appropriate ICT security tools, policies and procedures.

2. Financial entities shall design, procure and implement ICT security strategies, policies, procedures, protocols and tools that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems supporting critical or important functions, and maintaining high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.

3. To achieve the objectives referred to in paragraph 2, financial entities shall use ICT technology and processes that:

(a) maximise the security of the means of transfer of information;

(b) minimise the risk of corruption or loss of data, unauthorized access and of the technical flaws that may hinder business activity;

(c) prevent information leakage;

(d) ensure that data is protected from internal ICT risks, including poor administration, processing-related risks and human error.

4. As part of the ICT risk management framework referred to in Article 5(1), in accordance with their risk profile, financial entities shall:

(a) develop and document an information security policy defining rules to protect the confidentiality, integrity and availability of their ICT resources, data and information assets while ensuring full protection of their customers’ ICT resources, data and information assets where they comprise part of financial entities’ ICT systems;

(b) following a risk-based approach, establish a sound network and infrastructure management using appropriate techniques, methods and protocols that may include implementing mechanisms to isolate affected information assets in case of cyber-attacks;

(c) implement policies, procedures and controls that limit the physical and virtual access to ICT system resources and data to what is required only for legitimate and approved functions and activities;

(d) implement policies and protocols for strong authentication mechanisms, and protection of cryptographic keys, based on relevant standards and dedicated control systems;

(e) implement policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, system or security changes, that are based on a risk-assessment approach and as an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;

(f) have appropriate and comprehensive policies for patches and updates.

For the purposes of point (b), financial entities shall design the network connection infrastructure in a way that allows it to be severed as quickly as possible and shall ensure its compartmentalisation and segmentation, in order to minimise and prevent contagion, especially for interconnected financial processes.

For the purposes of point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols enabled for emergency changes.


Article 9

Detection

1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and, where technologically possible, to identify and monitor all potential material single points of failure.

All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 22.

2. The detection mechanisms referred to in paragraph 1 shall trigger ICT-related incident detection and ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.

3. Financial entities shall devote sufficient resources and capabilities to monitor user activity, occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.

3a. Financial entities shall record all ICT-related incidents that have an impact on the stability, continuity or quality of financial services, including where the incident has or is likely to have an impact on such services.

4. Financial entities referred to in point (l) of Article 2(1) shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors and request re-transmission of any such erroneous reports.


Article 10

Response and recovery

1. As part of the ICT risk management framework referred to in Article 5(1) and based on the identification requirements set out in Article 7, financial entities shall put in place a comprehensive ICT Business Continuity Policy, which may be adopted as a dedicated, distinct policy and as an integral part of the broader business-wide operational business continuity policy of the financial entity.

The ICT Business Continuity Policy shall aim to manage and mitigate risks that could have a harmful effect on financial entities’ ICT systems and ICT services and to facilitate their swift recovery if necessary. In drawing up the ICT Business Continuity Policy, financial entities shall specifically consider risks that could have a harmful impact on ICT services and ICT systems.

2. Financial entities shall implement the ICT Business Continuity Policy referred to in paragraph 1 through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aimed at:

(b) ensuring the continuity of the financial entity’s critical functions;

(c) quickly, appropriately and effectively responding to and resolving all ICT-related incidents, in particular but not limited to cyber-attacks, in a way that limits damage and prioritises resumption of activities and recovery actions;

(d) activating without delay dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and preventing further damage, as well as tailored response and recovery procedures established in accordance with Article 11;

(e) estimating preliminary impacts, damages and losses;

(f) setting out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 13, and reported to competent authorities in accordance with Article 17.

3. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall implement an associated ICT Disaster Recovery Plan, which, in the case of financial entities other than microenterprises, shall be subject to independent audit reviews.

4. Financial entities shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.

5. As part of their comprehensive ICT risk management, financial entities shall:

(a) test the ICT Business Continuity Policy and the ICT Disaster Recovery Plan at least yearly and after substantive changes to critical or important ICT systems;

(b) test the crisis communication plans established in accordance with Article 13.

For the purposes of point (a), financial entities other than microenterprises shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 11.

Financial entities shall regularly review their ICT Business Continuity Policy and ICT Disaster Recovery Plan taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.

6. Financial entities other than microenterprises shall have a crisis management function, either as a dedicated function or comprising part of the functions with responsibilities for incident handling response and management. The crisis management function shall, in case of activation of their ICT Business Continuity Policy or ICT Disaster Recovery Plan, set out clear procedures to manage internal and external crisis communications in accordance with Article 13.

7. Financial entities shall keep records of relevant activities before and during disruption events when their ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated. Such records shall be readily available.

8. Financial entities referred to in point (f) of Article 2(1) shall provide to the competent authorities copies of the results of the ICT business continuity tests or similar exercises performed during the period under review.

9. Financial entities other than microenterprises shall report to competent authorities all estimated financial costs and losses caused by significant ICT disruptions and major ICT-related incidents.

9a. The ESAs shall, through the Joint Committee, develop common guidelines on the methodology for calculating the costs, and quantifying the losses, referred to in paragraph 9.


Article 11

Backup policies and recovery methods

1. For the purpose of ensuring the restoration of ICT systems with minimum downtime and limited disruption, as part of their ICT risk management framework, financial entities shall develop:

(a) a backup policy specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the sensitiveness of the data;

(b) recovery methods.

2. In accordance with the backup policy specified in point (a) of paragraph 1, backup systems shall begin processing without undue delay, unless such start would jeopardize the security of the network and information systems or the integrity or confidentiality of data.

3. When restoring backup data using own systems, financial entities shall use ICT systems that are segregated, either physically or logically, from their main ICT system and that are securely protected from any unauthorised access or ICT corruption.

For financial entities referred to in point (g) of Article 2(1), the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date.

4. Financial entities shall assess the need to maintain redundant ICT capacities equipped with resources, capabilities and functionalities that are sufficient and adequate to ensure business needs and meet digital operational resilience requirements as set out in this Regulation.

5. Financial entities referred to in point (f) of Article 2(1) shall maintain or ensure that their ICT third-party providers maintain at least one secondary processing site endowed with resources, capabilities, functionalities and staffing arrangements sufficient and appropriate to ensure business needs.

The secondary processing site shall be:

(a) located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile and to prevent it from being affected by the event which has affected the primary site;

(b) capable of ensuring the continuity of critical services identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives;

(c) accessible to the financial entity’s staff to ensure continuity of critical or important functions in case the primary processing site has become unavailable.

6. In determining the recovery time and point objectives for each function, financial entities shall take into account whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.

7. When recovering from an ICT-related incident, financial entities shall ensure that the level of data integrity is of the highest level, for instance through performing multiple checks, including reconciliations. Such checks shall also be performed when reconstructing data from external stakeholders, in order to ensure that all data is consistent between systems.


Article 12

Learning and evolving

1. Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse their likely impacts on their digital operational resilience.

2. Financial entities shall put in place post major ICT-related incident reviews after significant ICT disruptions of their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT Business Continuity Policy referred to in Article 10.

When implementing changes related to addressing ICT risk identified as the result of major ICT-related incident reviews, financial entities other than microenterprises shall communicate all significant changes to the competent authorities, detailing the improvements required and how they aim to prevent or mitigate disruption in the future. Communication of changes to the competent authorities may be prior to or post the implementation of the changes.

The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to:

(a) the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity;

(b) the quality and speed in performing forensic analysis;

(c) the effectiveness of incident escalation within the financial entity;

(d) the effectiveness of internal and external communication.

3. Lessons derived from the digital operational resilience testing carried out in accordance with Articles 23 and 24 and from real life ICT-related incidents, in particular cyber-attacks, along with challenges faced upon the activation of business continuity or recovery plans, together with relevant information exchanged with counterparties and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT risk assessment process. These findings shall translate into appropriate reviews of relevant components of the ICT risk management framework referred to in Article 5(1).

4. Financial entities shall monitor the effectiveness of the implementation of their digital resilience strategy set out in Article 5(9). They shall map the evolution of ICT risks over time, including the proximity of those risks to critical or important functions, and analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure and enhancing the cyber maturity and preparedness of the financial entity.

5. Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.

6. Financial entities shall develop ICT security awareness programs and digital operational resilience trainings as compulsory modules in their staff training schemes. The ICT security awareness programmes shall apply to all staff. The digital operational resilience trainings shall apply to, at least, all employees with rights of direct access to the ICT systems and to senior management staff. The complexity of the training modules shall be commensurate to the level of direct access to the ICT systems of the staff member and, in particular, shall take account of their access to critical or important functions.

Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impacts of the deployment of such new technologies on the ICT security requirements and digital operational resilience. They shall keep abreast of the latest ICT risk management processes, effectively countering current or new forms of cyber-attacks.


Article 13

Communication

1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or major vulnerabilities to clients and counterparts as well as to the public, as appropriate.

The communication plans referred to in the first subparagraph shall also ensure the disclosure to clients and counterparts, on an annual basis, of a summary of all ICT-related incidents. Such a disclosure shall fully respect the business confidentiality of the financial entity and of its clients and counterparts, and shall not jeopardise the ICT risk management framework referred to in Article 5(1).

2. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall implement communication policies for staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in the ICT risk management, in particular response and recovery, and staff that needs to be informed.

3. At least one person in the entity shall be tasked with implementing the communication strategy for at least major ICT-related incidents and fulfil the role of public and media spokesperson for that purpose.


Article 14

Further harmonisation of ICT risk management tools, methods, processes and policies

The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) shall, in consultation with the European Union Agency for Cybersecurity (ENISA), develop draft regulatory technical standards for the following purposes:

(a) specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 8(2), with a view to ensuring the security of networks, enabling adequate safeguards against intrusions and data misuse, preserving the authenticity and integrity of data, including cryptographic techniques, and guaranteeing accurate and prompt data transmission without major disruptions and undue delays;

(d) develop further components of the controls of access management rights referred to in point (c) of Article 8(4) and associated human resources policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risks through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;

(e) develop further the elements specified in Article 9(1) enabling a prompt detection of anomalous activities and the criteria referred to in Article 9(2) triggering ICT-related incident detection and response processes;

(f) specify further the components of the ICT Business Continuity Policy referred to in Article 10(1);

(g) specify further the testing of ICT business continuity plans referred to in Article 10(5) to ensure that it duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency or other failures of any relevant ICT third-party service provider and, where relevant, the political risks in the respective providers’ jurisdictions;

(h) specify further the components of the ICT Disaster Recovery Plan referred to in Article 10(3).

EBA, ESMA and EIOPA shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 1 year after the date of entry into force].

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.


Article 14a

ICT risk management framework for small, non-interconnected and exempt entities

1. Pursuant to Article 3a, small and non-interconnected investment firms, payment institutions exempted by Directive (EU) 2015/2366, credit institutions exempted by Directive 2013/36/EU, electronic money institutions exempted by Directive 2009/110/EC and small institutions for occupational retirement provision, shall put in place and maintain a sound and documented ICT risk management framework that shall:

(a) detail the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures;

(b) continuously monitor the security and functioning of all ICT systems;

(c) minimise the impact of ICT risks through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate for supporting the performance of their activities and the provision of services;

(d) adequately protect the confidentiality, integrity and availability of data, network and information systems;

(e) allow sources of risk and anomalies in the network and information systems to be promptly identified and detected and ICT incidents to be swiftly handled.


2. The ICT risk management framework referred to in paragraph 1 shall be documented and reviewed at least once a year, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring.


A report on the review of the ICT risk management framework shall be submitted to the competent authority on an annual basis.


CHAPTER III

ICT-RELATED INCIDENTS

MANAGEMENT, CLASSIFICATION AND REPORTING

Article 15

ICT-related incident management process

1. Financial entities shall establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents and shall put in place early warning indicators as alerts.

2. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to make sure that root causes are identified and addressed in order to prevent the occurrence of such incidents.

3. The ICT-related incident management process referred to in paragraph 1 shall:

(a) establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and to the severity and criticality of the services impacted, in accordance with the criteria referred to in Article 16(1);

(b) assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;

(c) set out plans for communication to staff, external stakeholders and media in accordance with Article 13, and for notification to clients, internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;

(d) ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;

(e) establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.


Article 16

Classification of ICT-related incidents

1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:

(a) the number of users or financial counterparts affected by the disruption caused by the ICT-related incident;

(b) the duration of the ICT-related incident, including service downtime;

(c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;

(d) the data losses that the ICT-related incident entails, such as integrity loss, confidentiality loss or availability loss;

(e) the severity of the impact of the ICT-related incident on the financial entity’s ICT systems;

(f) the criticality of the services affected, including the financial entity’s transactions and operations;

(g) the economic impact of the ICT-related incident in both absolute and relative terms.

2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and in coordination with the European Central Bank (ECB) and ENISA, develop common draft regulatory technical standards further specifying the following:

(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents that are subject to the reporting obligation laid down in Article 17(1);

(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents to other Member States’ jurisdictions, and the details of major ICT-related incident reports to be shared with other competent authorities pursuant to paragraphs 5 and 6 of Article 17.

3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account international standards, as well as specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. The ESAs shall further take into account that the timely and efficient management of an incident by small and microenterprises is not constrained by the need to respect the classification requirements set out in this Article. The ESAs shall also take into consideration the size of financial entities, the nature, scale and complexity of their services, activities and operations, and their overall risk profile.

The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 2 years after the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 2 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.


Article 17

Reporting of major ICT-related incidents

1. Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 41, within the time-limits laid down in paragraph 3.

For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, an incident report using the template referred to in Article 18 and submit it to the competent authority.

The report shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.

1a. Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. The relevant competent authority may provide such information to other relevant authorities in accordance with paragraph 5.

2. Where a major ICT-related incident occurs and has a material impact on the financial interests of service users and clients, financial entities shall, without undue delay after having become aware of it, inform their service users and clients about the major ICT-related incident and shall inform them of the pertinent measures that have been taken to mitigate the adverse effects of such incident. Where no harm to service users and clients materialises due to the countermeasures taken by the financial entity, the requirement to inform service users and clients shall not apply.

3. Financial entities shall submit to the competent authority as referred to in Article 41:

(a) an initial notification of the major ICT-related incident that shall contain information available to the notifying entity on a best efforts basis as follows:

(i) with regard to incidents that significantly disrupt the availability of the services provided by the financial entity, the competent authority shall be notified without undue delay and in any event within 24 hours of becoming aware of the incident;

(ii) with regard to incidents that have a significant impact on the financial entity other than on the availability of the services provided by that financial entity, the competent authority shall be notified without undue delay and in any event within 72 hours of becoming aware of the incident;

(iii) with regard to incidents that have an impact on the integrity, confidentiality or security of personal data maintained by that financial entity, the competent authority shall be notified without undue delay and in any event within 24 hours of becoming aware of the incident;

(b) an intermediate report, as soon as the status of the original incident has changed significantly or new information has come to light that could have a major impact on how the ICT-related incident is addressed by the competent authority, after the initial notification referred to in point (a), followed as appropriate by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority;

(c) a final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates, but not later than one month from the date of sending the initial report.

(ca) in the case of an ongoing incident at the time of submission of the final report referred to in point (c), a final report shall be provided one month after the incident has been resolved.

The relevant competent authority referred to in Article 41 shall provide that, in duly justified cases, a financial entity is permitted to deviate from the deadlines set out in points (a), (b), (c) and (ca) of this paragraph, giving due consideration to the ability of financial entities to provide accurate and meaningful information in relation to major ICT-related incidents.

4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant competent authority referred to in Article 41. In cases of such delegation, the financial entity shall remain fully accountable for the fulfilment of the incident reporting requirements.


5. Upon receipt of the report referred to in paragraph 1, the competent authority shall, without undue delay, provide details of the major ICT-related incident to:

(a) EBA, ESMA or EIOPA, as appropriate;

(b) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1); and

(c) the single point of contact designated under Article 8 of Directive (EU) 2016/1148 or CSIRTs designated under Article 9 of Directive (EU) 2016/1149;

(ca) the resolution authority responsible for the relevant financial entity. The Single Resolution Board (SRB) with respect to entities referred to in Article 7(2) of Regulation (EU) No 806/2014, and for the entities and groups referred to in Article 7(4)(b) and (5) of Regulation (EU) No 806/2014 where the conditions for the application of those paragraphs are met;

(cb) national resolution authorities, in relation to entities and groups referred to in Article 7(3) of Regulation (EU) No 806/2014. National resolution authorities shall provide to the SRB, on a quarterly basis, a summary of the reports they have received under this point in relation to entities and groups referred to in Article 7(3) of Regulation (EU) No 806/2014;

(cc) other relevant public authorities, including ones in other Member States.

6. EBA, ESMA or EIOPA and the ECB, in cooperation with ENISA, shall assess the relevance of the major ICT-related incident to other relevant public authorities and notify them accordingly as soon as possible. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.


Article 18

Harmonisation of reporting content and templates


1. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop:

(a) common draft regulatory technical standards in order to:

(1) establish the content of the reporting for major ICT-related incidents;

(2) specify further the conditions under which financial entities may delegate to a third-party service provider, upon prior approval by the competent authority, the reporting obligations set out in this Chapter;

(3) specify further the criteria for determining the impact of a major ICT-related incident on a financial entity for the purposes of Article 17(3), point (a);

(b) common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident.

The ESAs shall submit the common draft regulatory technical standards referred to in point (a) of the first subparagraph and the common draft implementing technical standards referred to in point (b) of the first subparagraph to the Commission by xx 202x [PO: insert date 2 years after the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the common regulatory technical standards referred to in point (a) of the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.

Power is conferred on the Commission to adopt the common implementing technical standards referred to in point (b) of the first subparagraph in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.

2. Pending the outcome of the feasibility report referred to in Article 19 on the further centralisation of incident reporting, the ESAs, through the Joint Committee and in collaboration with competent authorities, the ECB, the SRB and ENISA, shall develop guidelines for the exchange of information on major ICT-related incident reports in accordance with Article 17(5).

The guidelines referred to in the first subparagraph shall consider at least the following:

(a) the most efficient lines of communication;

(b) maintaining the security, confidentiality and integrity of the data being exchanged;

(c) the possible involvement of financial entities to complement the exchange of information referred to in Article 40.


Article 19

Centralisation of reporting of major ICT-related incidents

1. The ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.

2. The report referred to in paragraph 1 shall comprise at least the following elements:

(a) prerequisites for the establishment of a single EU Hub;

(b) benefits, limitations and possible risks;

(ba) capability to establish the interoperability and assess its added value with regard to other relevant reporting schemes, including Directive (EU) 2016/1148;

(c) elements of operational management;

(d) conditions of membership;

(e) modalities for financial entities and national competent authorities to access the single EU Hub;

(f) a preliminary assessment of financial costs entailed by the setting-up of the operational platform supporting the single EU Hub, including the required expertise.

3. The ESAs shall submit the report referred to in paragraph 1 to the Commission, the European Parliament and to the Council by xx 202x [OJ: insert date 3 years after the date of entry into force].


Article 20

Supervisory feedback

1. Upon receipt of a report as referred to in Article 17(1), the competent authority shall acknowledge receipt of notification and shall as quickly as possible provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise adverse impact across sectors and also provide appropriately anonymised feedback, insight and intelligence to all relevant financial entities where it could be beneficial, based on any major ICT-related incident reports that it receives.

2. The ESAs shall, through the Joint Committee, report yearly on an anonymised and aggregated basis on the major ICT-related incident report notifications received from competent authorities, setting out at least the number of ICT-related major incidents, their nature, impact on the operations of financial entities or customers, estimated costs and remedial actions taken.

The ESAs shall issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.

Article 20a

Operational or security payment-related incidents concerning certain financial entities

The requirements laid down in this Chapter shall also apply to operational or security payment-related incidents and to major operational or security payment-related incidents where they concern financial entities referred to in Article 2(1), points (a), (b) and (c).


CHAPTER IV

DIGITAL OPERATIONAL RESILIENCE TESTING

Article 21

General requirements for the performance of digital operational resilience testing

1. For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities other than microenterprises shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5.

2. The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 22 and 23.

3. Financial entities shall follow a risk-based approach when conducting the digital operational resilience testing programme referred to in paragraph 1, taking into account the evolving landscape of ICT risks, any specific risks to which the financial entity is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.

4. Financial entities shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.

5. Financial entities shall establish procedures and policies to prioritise, classify and address all issues acknowledged throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.

6. Financial entities shall ensure that appropriate tests are conducted on all critical ICT systems and applications at least yearly.


Article 22

Testing of ICT tools and systems

1. The digital operational resilience testing programme referred to in Article 21 shall provide for the execution of a full range of appropriate tests.

Those tests may include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing or penetration testing.

2. Financial entities referred to in points (f) and (g) of Article 2(1) shall perform vulnerability assessments before any deployment or redeployment of new or existing services supporting the critical functions, applications and infrastructure components of the financial entity.

Article 23

Advanced testing of ICT tools, systems and processes based on threat led penetration testing

1. Financial entities identified in accordance with the second subparagraph of paragraph 3 shall carry out at least every 3 years advanced testing by means of threat led penetration testing.

2. Threat led penetration testing shall cover at least the critical or important functions and services of a financial entity, and shall be performed on live production systems supporting such functions where possible, or on pre-production systems with the same security configuration. The precise scope of threat led penetration testing, based on the assessment of critical or important functions and services, shall be determined by financial entities and shall be validated by the competent authorities. It shall not be a requirement for a single threat led penetration test to cover all critical or important functions.

For the purpose of the first subparagraph, financial entities shall identify all relevant underlying ICT processes, systems and technologies supporting critical or important functions and services, including critical or important functions and services outsourced or contracted to ICT third-party service providers.

Where critical ICT third-party service providers and, where necessary, non-critical ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Those ICT third-party service providers shall not be required to communicate information or provide any details in relation to items that are not relevant to the risk management controls of the relevant critical or important functions of the relevant financial entities. Such testing shall not adversely impact other customers of the ICT third-party service providers.

In cases where the involvement of an ICT third-party service provider in the threat led penetration testing could potentially have an impact on the quality, confidentiality or security of the ICT third-party provider’s services to other customers not falling within the scope of this Regulation, or on the overall integrity of the ICT third-party service provider's operations, the financial entity and the ICT third-party service provider may contractually agree that the ICT third-party service provider is permitted to enter directly into contractual arrangements with an external tester. ICT third-party service providers may enter into such arrangements on behalf of all their financial entity service users in order to conduct pooled testing.

Financial entities shall apply effective risk management controls to mitigate the risks of any potential impact to data, damage to assets and disruption to critical or important functions or operations at the financial entity itself, its counterparties or to the financial sector.

At the end of the test, after reports and remediation plans have been agreed, the financial entity and the external testers shall provide to the single public authority, designated in accordance with paragraph 3a, or, in the case of ICT third-party service providers entering directly into contractual arrangements with external testers, to ENISA, a confidential summary of the test results and the documentation confirming that the threat led penetration testing has been conducted in accordance with the requirements. The single public authority or ENISA, as applicable, shall issue an attestation confirming that the test was performed in accordance with the requirements set out in the documentation in order to allow for mutual recognition of threat led penetration tests between competent authorities. The attestation shall be shared with the competent authority of the financial entity and, where relevant, with the Lead Overseer of the critical ICT third-party service provider.

3. Financial entities, or ICT third-party service providers permitted to enter directly into contractual arrangements with an external tester in accordance with paragraph 2 of this Article, shall contract testers in accordance with Article 24 for the purposes of undertaking threat led penetration testing.

Without prejudice to their ability to delegate tasks and competences under this Article to other competent authorities in charge of threat led penetration testing, competent authorities shall identify financial entities to perform threat led penetration testing in a proportionate manner based on the assessment of the following:

(a) impact-related factors, in particular the criticality of services provided and activities undertaken by the financial entity;

(b) possible financial stability concerns, including the systemic character of the financial entity at national or Union level, as appropriate;

(c) specific ICT risk profile, level of ICT maturity of the financial entity or technology features which are involved.

3a. Member States shall designate a single public authority to be responsible for threat led penetration testing in the financial sector at national level, except for the identification of financial entities in accordance with paragraph 3, including threat led penetration testing undertaken by financial entities and by ICT third-party service providers entering directly into contractual arrangements with external testers. The designated single public authority shall be entrusted with all competences and tasks to that effect.

4. The ESAs shall, in coordination with ENISA, after consulting the ECB and taking into account relevant frameworks in the Union that apply to intelligence-based threat led penetration tests, including the TIBER-EU framework, develop one set of draft regulatory technical standards to specify further:

(a) the criteria used for the purpose of the application of the second subparagraph of paragraph 3 of this Article;

(b) the requirements in relation to:

(i) the scope of threat led penetration testing referred to in paragraph 2 of this Article;

(ii) the testing methodology and approach to be followed for each specific phase of the testing process;

(iii) the results, closure and remediation stages of the testing;

(c) the type of supervisory cooperation needed for the implementation and to facilitate full mutual recognition of threat led penetration testing in the context of financial entities that operate in more than one Member State and testing undertaken by external testers that have entered directly into contractual arrangements with ICT third-party service providers in accordance with paragraph 2 of this Article, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.

The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 6 months before the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the second subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.


Article 24

Requirements for testers

1. Financial entities and ICT third-party service providers permitted to enter directly into contractual arrangements with an external tester in accordance with Article 23(2) shall only use testers for the deployment of threat led penetration testing, which:

(a) are of the highest suitability and reputability;

(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing or red team testing;

(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks, whether the testers are from within the Union, or from a third country;

(d) provide an independent assurance or an audit report in relation to the sound management of risks associated with the execution of threat led penetration testing, including the proper protection of the financial entity’s confidential information and redress for the business risks of the financial entity;

(e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence;

(ea) in the case of internal testers, their use has been approved by the relevant competent authority and by the single public authority designated in accordance with Article 23(3a), and those authorities have verified that the financial entity has dedicated sufficient resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test.

2. Financial entities and ICT third-party service providers permitted to enter directly into contractual arrangements with an external tester in accordance with Article 23(2) shall ensure that arrangements concluded with external testers require a sound management of the threat led penetration testing results and that any processing thereof, including any generation, drafting, storage, aggregation, reporting, communication or destruction, does not create risks to the financial entity.

CHAPTER V

MANAGING OF ICT THIRD-PARTY RISK

SECTION I

KEY PRINCIPLES FOR A SOUND MANAGEMENT OF ICT THIRD PARTY RISK


Article 25

General principles

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles:

1. Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall at all times remain fully responsible for complying with, and the discharge of, all obligations under this Regulation and applicable financial services legislation.

2. Financial entities’ management of ICT third party risk shall be implemented in light of the principle of proportionality, taking into account:

(a) the nature, scale, complexity and importance of ICT-related dependencies,

(b) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and to the potential impact on the continuity and quality of financial services and activities, at individual and at group level;

(ba) whether a provider of ICT services is an ICT intra-group service provider.

3. As part of their ICT risk management framework, financial entities other than microenterprises shall adopt and regularly review a strategy on ICT third-party risk. That strategy shall include a policy on the use of ICT services provided by ICT third-party service providers and shall apply on an individual and, as relevant, on a sub-consolidated and consolidated basis. The management body shall regularly review the risks identified in respect of outsourcing of critical or important functions.

4. As part of their ICT risk management framework, financial entities shall maintain and update at entity level and, at sub-consolidated and consolidated levels, a Register of Information in relation to all contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

The contractual arrangements referred to in the first subparagraph shall be appropriately documented.

Where available, financial entities shall follow the guidelines and other measures issued by the ESAs and competent authorities until the entry into force of the implementing technical standards referred to in paragraph 10.

Financial entities shall report at least yearly to the competent authorities information on the number of new arrangements on the use of ICT services supporting critical or important functions, the categories of ICT third-party service providers, the type of contractual arrangements and the services and functions which are being provided.

Financial entities shall make available to the competent authority, upon request, the full Register of Information or as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.

Financial entities shall inform the competent authority in a timely manner about planned contracting of critical or important functions and when a function has become critical or important.

5. Before entering into a contractual arrangement on the use of ICT services, financial entities shall:

(a) assess whether the contractual arrangement covers a critical or important function;

(b) assess if supervisory conditions for contracting are met;

(c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangements may contribute to reinforcing ICT concentration risk;

(d) undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable;

(e) identify and assess conflicts of interest that the contractual arrangement may cause.

6. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high, appropriate and up-to-date security standards. The latest standards shall also be considered when determining whether the security standards in place are appropriate.

7. In exercising access, inspection and audit rights over the ICT third-party service provider in relation to critical or important functions, financial entities shall on a risk-based approach pre-determine the frequency of audits and inspections and the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.

For contractual arrangements that entail a detailed technological complexity, the financial entity shall verify that auditors, whether internal, pools of auditors or external auditors possess appropriate skills and knowledge to effectively perform relevant audits and assessments.

8. Financial entities shall ensure that contractual arrangements on the use of ICT services allow the financial entities to take appropriate corrective or remedial measures, which could include wholly terminating the arrangements, if no rectification is possible, or partially terminating the arrangements, if rectification is possible, under applicable law, at least under the following circumstances:

(a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;

(aa) a recommendation issued by the Joint Oversight Body pursuant to Article 37 to a critical ICT third-party service provider;

(b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;

(c) ICT third-party service provider’s evidenced weaknesses pertaining to the overall ICT risk management of its contract with the financial entity and in particular in the way it ensures the security and integrity of confidential, personal or otherwise sensitive data or non-personal information;

(d) circumstances where the competent authority demonstrably can no longer effectively supervise the financial entity as a result of the respective contractual arrangement.

8a. With a view to reducing the risk of disruptions at the level of the financial entity, in duly justified circumstances and in agreement with its competent authorities, the financial entity may decide not to terminate the contractual arrangements with the ICT third-party service provider until it is able to switch to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided, in accordance with the exit strategy referred to in paragraph 9.

8b. In cases where contractual arrangements with ICT third-party service providers are terminated under any of the circumstances listed in paragraph 8, points (a) to (d), financial entities shall not bear the cost of transferring out data from an ICT third-party service provider where such transfer exceeds the cost of transferring out data provided for in the initial contract.

9. For ICT services related to critical or important functions, financial entities shall put in place exit strategies, to be reviewed periodically. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function, or in the event of termination of contractual arrangements with ICT third-party service providers under any of the circumstances listed in paragraph 8, points (a) to (d).

Financial entities shall ensure that they are able to exit contractual arrangements without:

(a) disruption to their business activities,

(b) limiting compliance with regulatory requirements,

(c) detriment to the continuity and quality of their provision of services to clients.

Exit plans shall be comprehensive, documented and, where appropriate, sufficiently tested.

Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted functions and the relevant data from the ICT third-party service provider and securely and integrally transfer them to alternative providers or reincorporate them in-house.

Financial entities shall take appropriate contingency measures to maintain business continuity under all of the circumstances referred to in the first subparagraph.

10. The ESAs shall, through the Joint Committee, develop draft implementing technical standards to establish the standard templates for the purposes of the Register of Information referred to in paragraph 4.

The ESAs shall submit those draft implementing technical standards to the Commission by [OJ: insert date 1 year after the date of entry into force of this Regulation].

Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.

11. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards:

(a) to further specify the detailed content of the policy referred to in paragraph 3 in relation to the contractual arrangements on the use of ICT services provided by ICT third-party service providers, by reference to the main phases of the lifecycle of the respective arrangements on the use of ICT services;

(b) to further specify the types of information to be included in the Register of Information referred to in paragraph 4.

The ESAs shall submit those draft regulatory technical standards to the Commission by [PO: insert date 18 months after the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the second subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.


Article 26

Preliminary assessment of ICT concentration risk and further sub-contracting arrangements

1. When performing the identification and assessment of ICT concentration risk referred to in point (c) of Article 25(5), financial entities shall take into account whether the conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following:

(a) contracting with an ICT third-party service provider that is not easily substitutable; or

(b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.

Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.

2. Where the contractual arrangement on the use of ICT services supporting critical or important functions includes the possibility that an ICT third-party service provider further sub-contracts a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such possible sub-contracting.

Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider, financial entities shall consider, where relevant, at least the following factors:

(a) 

(b)  

(c) insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy; and

(d) any constraints that may arise in respect to the urgent recovery of the financial entity’s data.

Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the first and second subparagraphs, also consider:

(i) the respect of Union data protection rules; and

(ii) the effective enforcement of the rules laid down in this Regulation.

Where such contractual arrangements include the sub-contracting of critical or important functions, financial entities shall assess whether and how potentially long or complex chains of sub-contracting may impact their ability to fully assess the factors listed in the second and third subparagraphs to monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

Article 27

Key contractual provisions

1. The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract, which includes the service level agreements, shall be documented in writing and be available to the parties on paper or in a downloadable and accessible format.

2. Financial entities and ICT third-party service providers shall ensure that contractual arrangements on the use of ICT services include at least the following:

(a) a clear and complete description of all functions and services to be provided by the ICT third-party service provider, indicating whether sub-contracting of a critical or important function, or material parts thereof, is permitted and, if so, the conditions applying to such sub-contracting;

(b) the locations, namely the regions or countries, where the contracted or sub-contracted ICT functions and services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify in advance the financial entity if it envisages changing such locations;

(c) provisions on accessibility, availability, integrity, security, confidentiality and protection of data, including personal data;

(ca) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the case of termination of the contractual arrangements;

(d) full service level descriptions, including updates and revisions thereof, and precise quantitative and qualitative performance targets within the agreed service levels to allow an effective monitoring by the financial entity and enable without undue delay appropriate corrective actions when agreed service levels are not met;

(e) 

(f) the obligation of the ICT third-party service provider to provide assistance in case of an ICT incident related to the service provided at no additional cost or at a cost that is determined ex-ante;

(g) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of secure provision of services by the financial entity in line with its regulatory framework;

(h) 

(i) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and resolution authorities of the financial entity, including persons appointed by them;

(j) termination rights and related minimum notice periods for the termination of the contract, in accordance with competent and resolution authorities’ expectations and, where that contractual arrangement impacts an ICT intra-group service provider within the same group, an analysis following a risk-based approach;

(k) exit strategies, in particular the establishment of a mandatory adequate transition period:

(i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity or to ensure its effective resolution and restructuring;

(ii) which allows the financial entity to switch to another ICT third-party service provider or change to on-premises solutions consistent with the complexity of the provided service;

(iia) where that contractual arrangement impacts an ICT intra-group service provider within the same group, it shall be analysed following a risk-based approach;

(ka) a provision on the processing of personal data by the ICT third-party service provider, which is to be in conformity with Regulation (EU) 2016/679;

2a. The contractual arrangements for the provision of critical or important functions shall, in addition to paragraph 2, include at least the following:

(a) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively carry out critical or important functions in line with agreed service levels;

(b) the right to monitor on an ongoing basis the ICT third-party service provider’s performance, which includes:

(i) rights of access, inspection and audit by the financial entity or by an appointed third party, and the right to review copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;

(iii) the commitment by the ICT third-party service provider to fully cooperate during the on-site inspections and audits performed by the competent authorities, Lead Overseer, financial entity or an appointed third party, and details on the scope, modalities and frequency of such inspections and audits.

By way of derogation from point (b), the ICT third-party service provider and the financial entity may agree that the rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider's performance from the third party at any time.

2b. The contractual arrangements for the provision of ICT services by an ICT third-party service provider established in a third country and designated as critical pursuant to Article 28(9), shall, in addition to paragraphs 2 and 2a of this Article:

(a) stipulate that the contract is governed by the law of a Member State; and

(b) guarantee that the Joint Oversight Body and Lead Overseer can carry out their duties specified in Article 30 on the basis of their competences set out in Article 31.

The services for which the contractual arrangements are concluded shall not be required to be performed by the undertaking constituted in the Union under the law of a Member State.

3. When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed for specific services.

3a. Competent authorities shall be able to access the contractual arrangements referred to in this Article. The parties to those contractual arrangements may agree to redact commercially sensitive or confidential information prior to granting such access to the competent authorities, subject to the latter being fully informed as to the extent and nature of the redactions.

4. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions to properly give effect to the provisions of point (a) of paragraph 2. When developing those draft regulatory technical standards, the ESAs shall take into consideration the size of financial entities, the nature, scale and complexity of their services, activities and operations, and their overall risk profile.

The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 18 months after the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively.


SECTION II

OVERSIGHT FRAMEWORK OF CRITICAL ICT THIRD-PARTY SERVICE PROVIDERS

Article 28

Designation of critical ICT third-party service providers

1. The ESAs, through the Joint Committee and upon recommendation from the Oversight Body established pursuant to Article 29(1), after consultation with ENISA, shall:

(a) designate the ICT third-party service providers that are critical for financial entities, taking into account the criteria specified in paragraph 2;

(b) appoint either EBA, ESMA or EIOPA as Lead Overseer for each critical ICT third-party service provider, depending on whether the total value of assets of financial entities making use of the services of that critical ICT third-party service provider and which are covered by one of the Regulations (EU) No 1093/2010, (EU) No 1094/2010 or (EU) No 1095/2010 respectively, represents more than half of the value of the total assets of all financial entities making use of the services of the critical ICT third-party service provider, as evidenced by the consolidated balance sheets, or the individual balance sheets where balance sheets are not consolidated, of those financial entities.

The Lead Overseer appointed in accordance with point (b) of the first subparagraph shall be responsible for the daily oversight of the critical ICT third-party service provider.

2. The designation referred to in point (a) of paragraph 1 shall be based on all of the following criteria:

(a) the systemic impact on the stability, continuity or quality of the provision of financial services in case the relevant ICT third-party provider would face a large scale operational failure to provide its services, taking into account the number of financial entities to which the relevant ICT third-party service provider provides services;

(b) the systemic character or importance of the financial entities that rely on the relevant ICT third-party provider, assessed in accordance with the following parameters:

i) the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the respective ICT third-party service provider;

ii) the interdependence between the G-SIIs or O-SIIs referred to in point (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities;

(c) the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same ICT third-party service provider, irrespective of whether financial entities rely on those services directly or indirectly, by means or through subcontracting arrangements;

(d) the degree of substitutability of the ICT third-party service provider, taking into account the following parameters:

i) the lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant ICT third-party service provider, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;

ii) difficulties to partially or fully migrate the relevant data and workloads from the relevant ICT third-party service provider to another ICT third-party service provider, due to either significant financial costs, time or other type of resources that the migration process may entail, or to increased ICT risks or other operational risks to which the financial entity may be exposed through such migration;

(e) the number of Member States in which the relevant ICT third-party service provider provides services;

(f) the number of Member States in which financial entities using the relevant ICT third-party service provider are operating;

(fa) the materiality and importance of the services provided by the relevant ICT third-party service provider.

2a. The Joint Oversight Body shall notify the ICT third-party service provider before initiating its assessment for the purposes of the designation referred to in paragraph 1, point (a).

The Joint Oversight Body shall notify the ICT third-party service provider of the outcome of the assessment referred to in the first subparagraph by providing a draft recommendation of criticality. Within 6 weeks from the date of receipt of that draft recommendation, the ICT third-party service provider may submit to the Joint Oversight Body a reasoned statement on the assessment. That reasoned statement shall contain all relevant additional information deemed to be appropriate by the ICT third-party service provider in order to support the completeness and accuracy of the designation procedure or to challenge the draft recommendation of criticality. The Joint Committee of the ESAs shall take due consideration of the reasoned statement and may request further information or evidence from the ICT third-party service provider prior to taking a decision on designation.

The Joint Committee of the ESAs shall notify the ICT third-party service provider of its designation as critical. The ICT third-party service provider shall have at least three months, from the date of receipt of the notification, to make any necessary adjustments to allow the Joint Oversight Body to carry out its duties pursuant to Article 30, as well as to notify the financial entities to which the ICT third-party service provider provides services. The Joint Oversight Body may allow the adjustment period to be extended for a maximum period of three months if requested, and duly justified, by the designated ICT third-party service provider.

3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to specify further the criteria referred to in paragraph 2.

4. The designation mechanism referred to in point (a) of paragraph 1 shall not be used until the Commission has adopted a delegated act in accordance with paragraph 3.

5. The designation mechanism referred to in point (a) of paragraph 1 shall not apply in relation to ICT third-party service providers that are subject to oversight frameworks established for the purposes of supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union.

6. The Joint Oversight Body, in consultation with ENISA, shall establish, publish and regularly update the list of critical ICT third-party service providers at Union level.

7. For the purposes of point (a) of paragraph 1, competent authorities shall transmit, on a yearly and aggregated basis, the reports referred to in Article 25(4) to the Joint Oversight Body established pursuant to Article 29. The Joint Oversight Body shall assess the ICT third-party dependencies of financial entities based on the information received from the competent authorities.

8. The ICT third-party service providers that are not included in the list referred to in paragraph 6 may request to be included in that list.

For the purpose of the first subparagraph, the ICT third-party service provider shall submit a reasoned application to EBA, ESMA or EIOPA, which, through the Joint Committee, shall decide whether to include that ICT third-party service provider in that list in accordance with point (a) of paragraph 1.

The decision referred to in the second subparagraph shall be adopted and notified to the ICT third-party service provider within 6 months of receipt of the application.

8a. The Joint Committee of the ESAs, upon recommendation from the Joint Oversight Body, shall designate the ICT third-party service providers established in a third country that are critical for financial entities in accordance with paragraph 1, point (a).

In making the designation referred to in the first subparagraph of this paragraph, the ESAs and the Joint Oversight Body shall follow the procedural steps set out in paragraph 2a.

9. Financial entities shall not make use of a critical ICT third-party service provider established in a third country unless that ICT third-party service provider has an undertaking constituted in the Union under the law of a Member State and has concluded contractual arrangements in accordance with Article 27(2b).

Article 29

Structure of the Oversight Framework

1. The Joint Oversight Body shall be established for the purposes of overseeing ICT third-party risk across financial sectors and conducting direct oversight of ICT third-party service providers designated as critical pursuant to Article 28.

The role of the Joint Oversight Body shall be limited to oversight powers related to ICT risks concerning the ICT services provided to financial entities by critical ICT third-party service providers.

The Joint Oversight Body shall regularly discuss relevant developments on ICT risks and vulnerabilities and promote a consistent approach in the monitoring of ICT third-party risk at Union scale.

2. The Joint Oversight Body shall on a yearly basis undertake a collective assessment of the results and findings of the Oversight activities conducted for all critical ICT third-party service providers and promote coordination measures to increase the digital operational resilience of financial entities, foster best practices on addressing ICT concentration risk and explore mitigants for cross-sector risk transfers.

The Joint Oversight Body shall submit comprehensive benchmarks of critical ICT third-party service providers to be adopted by the Joint Committee as joint positions of the ESAs in accordance with Article 56(1) of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

3. The Joint Oversight Body shall be composed of the Executive Directors of the ESAs, one high-level representative from the current staff of the ESAs and one high-level representative from at least eight of the national competent authorities. One representative from the European Commission, from the ESRB, from the ECB and from ENISA, and at least one independent expert appointed in accordance with paragraph 3a of this Article, shall participate as observers.

Following the annual designation of critical ICT third-party service providers, pursuant to point (a) of Article 28(1), the Joint Committee of the ESAs shall decide which national competent authorities shall be members of the Joint Oversight Body, taking into account the following factors:

(a) the number of critical ICT third-party service providers established or providing services in the Member State;

(b) the reliance of the financial entities in a Member State on critical ICT third-party service providers;

(c) the relative expertise of a national competent authority;

(d) the available resources and capacity of a national competent authority;

(e) the need for the operation and decision making of the Joint Oversight Body to be streamlined, lean, and efficient.

The Joint Oversight Body shall share its documentation and decisions with all national competent authorities that are not members of the Joint Oversight Body.

The work of the Joint Oversight Body shall be supported and assisted by dedicated staff from across the ESAs.

3a. The independent expert referred to in paragraph 3 of this Article shall be appointed as an observer by the Joint Oversight Body following a public and transparent application process.

The independent expert shall be appointed on the basis of their expertise on financial stability, digital operational resilience and ICT security matters for a two-year term.

The appointed independent expert shall not hold any office at national, Union, or international level. The independent expert shall act independently and objectively in the sole interest of the Union as a whole and shall neither seek nor take instructions from Union institutions or bodies, from any government of a Member State or from any other public or private body.

The Joint Oversight Body may decide to appoint more than one independent expert observer.

4. In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs shall issue guidelines by [OJ: insert date 18 months after the date of entry into force of this Regulation] on the cooperation between the Joint Oversight Body, the Lead Overseer and the competent authorities for the purposes of this Section, on the detailed procedures and conditions relating to the execution of tasks between competent authorities and the Joint Oversight Body, and on details of exchanges of information needed by competent authorities to ensure the follow-up of recommendations addressed by the Joint Oversight Body pursuant to point (d) of Article 31(1) to critical ICT third-party providers.

5. The requirements set out in this Section shall be without prejudice to the application of Directive (EU) 2016/1148 and of other Union rules on oversight applicable to providers of cloud computing services.

6. The Joint Oversight Body shall present yearly to the European Parliament, the Council and the Commission a report on the application of this Section.

Article 30

Tasks of the Lead Overseer

1. The Lead Overseer, appointed under Article 28(1), point (b), shall lead and coordinate the daily oversight of critical ICT third-party service providers and shall be the primary point of contact for those critical ICT third-party service providers.

1a. The Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities. That assessment shall primarily focus on the ICT services supporting critical or important functions provided by the critical ICT third-party service providers to financial entities, but may also be broader if relevant to the assessment of the risks to those functions.

2. The assessment referred to in paragraph 1a shall include:

(a) ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the critical ICT third-party service provider provides to financial entities, as well as the ability to maintain at all times high standards of security, confidentiality and integrity of data;

(b) the physical security contributing to ensuring the ICT security, including the security of premises, facilities, datacentres;

(c) the risk management processes, including ICT risk management policies, ICT business continuity and ICT disaster recovery plans;

(d) the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling an effective ICT risk management;

(e) the identification, monitoring and prompt reporting of major ICT-related incidents to the financial entities, the management and resolution of those incidents, in particular cyber-attacks;

(f) the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities;

(g) the testing of ICT systems, infrastructure and controls;

(h) the ICT audits;

(i) the use of relevant national and international standards applicable to the provision of its ICT services to the financial entities.

3. Based on the assessment referred to in paragraph 1a undertaken by the Lead Overseer, the Joint Oversight Body, under the coordination and direction of the Lead Overseer, shall draft and propose a clear, detailed and reasoned individual Oversight Plan for each critical ICT third-party service provider.

When preparing the draft Oversight Plan, the Joint Oversight Body shall consult all relevant competent authorities and single points of contact referred to in Article 8 of Directive (EU) 2016/1148 to ensure that there are no inconsistencies or duplications with the obligations of the critical ICT third-party service provider under that Directive.

The Oversight Plan shall be adopted on a yearly basis by the board of the Lead Overseer.

Prior to adoption, the draft Oversight Plan shall be communicated to the critical ICT third-party service provider.

Upon receipt of the draft Oversight Plan, the critical ICT third-party service provider shall have a period of six weeks within which to review and submit a reasoned statement on the draft Oversight Plan. Such reasoned statement may be submitted only if the critical ICT third-party service provider is able to produce evidence that the execution of the Oversight Plan would generate a disproportionate impact on or disruption to customers not subject to this Regulation, or that there is a more effective or efficient solution for managing the identified ICT risks. If such a statement is submitted, the critical ICT third-party service provider shall suggest to the Joint Oversight Body a more effective or efficient solution to achieve the objectives of the draft Oversight Plan.

Prior to adopting the Oversight Plan, the board of the Lead Overseer shall take due consideration of the reasoned statement and may request further information or evidence from the ICT third-party service provider.

4. Once the annual Oversight Plans referred to in paragraph 3 have been adopted and notified to the critical ICT third-party service providers, competent authorities may only take measures concerning critical ICT third-party service providers in agreement with the Joint Oversight Body.

Article 31

Oversight Powers

1. For the purposes of carrying out the duties laid down in this Section, the Lead Overseer shall have the following powers in respect of the services provided by critical ICT third-party service providers to financial entities:

(a) to request all relevant information and documentation in accordance with Article 32;

(b) to conduct general investigations and on-site inspections in accordance with Articles 33 and 34;

(c) to request reports after the completion of the Oversight activities specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to the recommendations referred to in paragraph 1a.

1a. For the purposes of carrying out the duties laid down in this Section, and on the basis of the information obtained by the Lead Overseer and the outcomes of the investigations conducted by the Lead Overseer, the Joint Oversight Body shall have the power to address recommendations on the areas referred to in Article 30(2), in particular concerning the following:

(i) the use of specific ICT security and quality requirements or processes, notably in relation to the roll-out of patches, updates, encryption and other security measures that the Joint Oversight Body deems relevant for ensuring the ICT security of services provided to financial entities;

(ii) the use of conditions and terms, including their technical implementation, under which the critical ICT third-party service providers provide services to financial entities, that the Joint Oversight Body deems relevant for preventing the generation of single points of failure, or the amplification thereof, or for minimising possible systemic impact across the Union’s financial sector in case of ICT concentration risk;

(iii) upon the examination undertaken in accordance with Articles 32 and 33 of subcontracting arrangements, including sub-outsourcing arrangements which the critical ICT third-party service providers plan to undertake with other ICT third-party service providers or with ICT sub-contractors established in a third country, any planned subcontracting, including sub-outsourcing, where the Joint Oversight Body deems that further subcontracting may trigger risks for the provision of services by the financial entity, or risks to the financial stability;

(iv) refraining from entering into a further subcontracting arrangement, where the following cumulative conditions are met:

 the envisaged sub-contractor is an ICT third-party service provider or an ICT sub-contractor established in a third country and does not have an undertaking constituted in the Union under the law of a Member State;

 the subcontracting concerns a critical or important function of the financial entity;

 the sub-contracting will result in serious and clear risks to the financial entity or the financial stability of the Union financial system.

1b. The powers referred to in paragraphs 1 and 1a shall be exercised with regard to the ICT services supporting non-critical or important functions provided by the critical ICT third-party service provider when necessary.

1c. When exercising the powers referred to in paragraphs 1 and 1a of this Article, the Lead Overseer and the Joint Oversight Body shall take due account of the framework established by Directive (EU) 2016/1148 and, where necessary, consult the relevant competent authorities established by that Directive, in order to avoid unnecessary duplication of technical and organisational measures that might apply to critical ICT third-party service providers pursuant to that Directive.

2. Before finalising and issuing recommendations in accordance with paragraph 1a, the Joint Oversight Body shall inform the critical ICT third-party service provider of its intentions and give the ICT third-party service provider an opportunity to provide information which it reasonably believes should be taken into account before the recommendation is finalised or in order to challenge the intended recommendations. Grounds for challenging a recommendation may include that there would be a disproportionate impact on or disruption for customers not subject to this Regulation, or that there is a more effective or efficient solution for managing the identified risk.

3. Critical ICT third-party service providers shall cooperate in good faith with and assist the Lead Overseer and the Joint Oversight Body in the fulfilment of their tasks.

4. The Lead Overseer may decide, in the case of whole or partial non-compliance with the measures required to be taken in accordance with paragraph 1, points (a), (b) or (c), and after the expiry of a period of at least 60 calendar days from the date on which the critical ICT third-party service provider received notification of the measure, to impose a periodic penalty payment to compel the critical ICT third-party service provider to comply.

4a. The periodic penalty payment referred to in paragraph 4 shall be imposed by the Lead Overseer only as a last resort and in cases where the critical ICT third-party service provider has failed to comply with the measures required to be taken in accordance with paragraph 1, points (a), (b) or (c).

5. The periodic penalty payment referred to in paragraph 4 shall be imposed on a daily basis until compliance is achieved and for no more than a period of six months following the notification to the critical ICT third-party service provider.

6. The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be up to 1% of the average daily worldwide turnover related to services provided to financial entities covered by this Regulation of the critical ICT third-party service provider in the preceding business year.

7. Penalty payments shall be of an administrative nature and shall be enforceable. Enforcement shall be governed by the rules of civil procedure in force in the Member State on the territory of which inspections and access shall be carried out. Courts of the Member State concerned shall have jurisdiction over complaints related to irregular conduct of enforcement. The amounts of the penalty payments shall be allocated to the general budget of the European Union.

8. The ESAs shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure to the public would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.

9. Before imposing a periodic penalty payment under paragraph 4, the Lead Overseer shall give the representatives of the critical ICT third-party provider subject to the proceedings the opportunity to be heard on the findings and shall base its decisions only on findings on which the critical ICT third-party provider subject to the proceedings has had an opportunity to comment. The rights of the defence of the persons subject to the proceedings shall be fully respected in the proceedings. They shall be entitled to have access to the file, subject to the legitimate interest of other persons in the protection of their business secrets. The right of access to the file shall not extend to confidential information or the Lead Overseer’s internal preparatory documents.

Article 32

Request for information

1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities.

Critical ICT third-party service providers shall only be required to provide the information referred to in the first subparagraph in respect of the services provided to financial entities that are subject to this Regulation and that use the services of critical ICT third-party service providers for critical or important functions. Critical ICT third-party service providers shall give notice to the relevant financial entity of the requests specific to that financial entity.

2. When sending a simple request for information under paragraph 1, the Lead Overseer shall:

(a) refer to this Article as the legal basis of the request;

(b) state the purpose of the request;

(c) specify what information is required;

(d) set a time limit within which the information is to be provided;

(e) inform the representative of the critical ICT third-party service provider from whom the information is requested that he or she is not obliged to provide the information, but that in case of a voluntary reply to the request the information provided must not be incorrect or misleading.

3. When requiring by decision to supply information under paragraph 1, the Lead Overseer shall:

(a) refer to this Article as the legal basis of the request;

(b) state the purpose of the request;

(c) specify what information is required;

(d) set a reasonable time limit within which the information is to be provided;

(e) indicate the periodic penalty payments provided for in Article 31(4) where the production of the required information is incomplete or when such information is not provided within the time limit referred to in point (d);

(f) indicate the right to appeal the decision before ESA’s Board of Appeal and to have the decision reviewed by the Court of Justice of the European Union (‘Court of Justice’) in accordance with Articles 60 and 61 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 respectively.

4. Representatives of critical ICT third-party service providers shall supply the information requested. Lawyers duly authorised to act may supply the information on behalf of their clients. The critical ICT third-party service provider shall remain fully responsible if the information supplied is incomplete, incorrect or misleading.

5. The Lead Overseer shall, without delay, send a copy of the decision to supply information to the competent authorities of the financial entities using the critical ICT third-party providers’ services.

Article 33

General investigations

1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the examination team referred to in Article 35(1), may conduct the necessary investigations of ICT third-party service providers in accordance with the principle of proportionality. When conducting investigations, the Lead Overseer shall exercise caution and ensure that the rights of the customers of critical ICT third-party service providers that are not the subject of this Regulation are protected, including in relation to the impact on service levels, availability of data and confidentiality.

2. The Lead Overseer shall be empowered to:

(a) examine records, data, procedures and any other material relevant to the execution of its tasks, irrespective of the medium on which they are stored;

(b) review, in a secured way, certified copies of, or extracts from, such records, data, procedures and other material;

(c) summon representatives of the ICT third-party service provider for oral or written explanations on facts or documents relating to the subject matter and purpose of the investigation and to record the answers;

(d) interview any other natural or legal person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;

(e) request records of telephone and data traffic.

3. The officials and other persons authorised by the Lead Overseer for the purposes of the investigation referred to in paragraph 1 shall exercise their powers upon production of a written authorisation specifying the subject matter and purpose of the investigation.

That authorisation shall also indicate the periodic penalty payments provided for in Article 31(4) where the production of the required records, data, procedures or any other material, or the answers to questions asked to representatives of the ICT third-party service provider, are not provided or are incomplete.

4. The representatives of the ICT third-party service providers are required to submit to the investigations on the basis of a decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the investigation, the periodic penalty payments provided for in Article 31(4), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 and the right to have the decision reviewed by the Court of Justice.

5. In good time before the investigation, Lead Overseers shall inform competent authorities of the financial entities using that ICT third-party service provider of the investigation and of the identity of the authorised persons.

Article 34

On-site inspections

1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the examination teams referred to in Article 35(1), may enter and conduct all necessary on-site inspections on any business premises, land or property of the ICT third-party service providers, such as head offices, operation centres, secondary premises, as well as to conduct off-line inspections.

The power to conduct on-site inspections referred to in the first subparagraph shall not be limited to sites in the Union, provided that the inspection of a site in a third country meets all of the following requirements:

 it is necessary for the Lead Overseer to carry out its duties under this Regulation;

 it has a direct connection to the provision of ICT services to Union financial entities;

 it is relevant to an ongoing investigation.

1a.  When performing on-site inspections, the Lead Overseer and the examination team shall exercise caution and ensure that the rights of the customers of critical ICT third-party service providers that are not the subject of this Regulation are protected, including in relation to the impact on service levels, availability of data and confidentiality.

2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises and books or records for the period of, and to the extent necessary for, the inspection.

They shall exercise their powers upon production of a written authorisation specifying the subject matter and the purpose of the inspection and the periodic penalty payments provided for in Article 31(4) where the representatives of the ICT third-party service providers concerned do not submit to the inspection.

3. In good time before the inspection, Lead Overseers shall inform the competent authorities of the financial entities using that ICT third-party provider.

4. Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data that the Lead Overseer deems appropriate and technologically relevant, either used for, or contributing to, the provision of services to financial entities.

5. Before any planned on-site inspection, Lead Overseers shall give a reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective.

6. The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the inspection, appoint the date on which it is to begin and indicate the periodic penalty payments provided for in Article 31(4), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, as well as the right to have the decision reviewed by the Court of Justice.

7. Where the officials and other persons authorised by the Lead Overseer find that a critical ICT third-party service provider opposes an inspection ordered pursuant to this Article, the Lead Overseer shall inform the critical ICT third-party service provider of the consequences of such opposition, including the possibility for competent authorities of the relevant financial entities to terminate the contractual arrangements concluded with that critical ICT third-party service provider.

Article 35

Ongoing Oversight

1. Where conducting general investigations or on-site inspections, the Lead Overseers shall be assisted by an examination team established for each critical ICT third-party service provider.

2. The joint examination team referred to in paragraph 1 shall be composed of staff members from the Lead Overseer, from the other ESAs, and from the relevant competent authorities supervising the financial entities to which the critical ICT third-party service provider provides services, who will join the preparation and execution of the Oversight activities, with a maximum of 10 members. All members of the joint examination team shall have expertise in ICT and operational risk. The joint examination team shall work under the coordination of a designated ESA staff member (the ‘Lead Overseer coordinator’).

3. The ESAs, through the Joint Committee, shall develop common draft regulatory technical standards to specify further the designation of the members of the joint examination team coming from the relevant competent authorities, as well as the tasks and working arrangements of the examination team. The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 1 year after the date of entry into force].

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.

4. Within 3 months after the completion of an investigation or on-site inspection, the Joint Oversight Body shall adopt recommendations to be addressed to the critical ICT third-party service provider pursuant to the powers referred to in Article 31.

5. The recommendations referred to in paragraph 4 shall be immediately communicated to the critical ICT third-party service provider and to the competent authorities of the financial entities to which it provides services.

For the purposes of fulfilling the Oversight activities, Lead Overseers and the Joint Oversight Body may take into consideration any relevant third-party certifications and ICT third-party internal or external audit reports made available by the critical ICT third-party service provider.

Article 36

Harmonisation of conditions enabling the conduct of the Oversight
1. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify:

(a) the information to be provided by a critical ICT third-party service provider in the application for a voluntary opt-in set out in Article 28(8);

(b) the content and format of reports which may be requested for the purposes of point (c) of Article 31(1);

(c) the presentation of the information, including the structure, formats and methods that a critical ICT third-party service provider shall be required to submit, disclose or report pursuant to Article 31(1);

(d) the details of the competent authorities’ assessment of measures taken by critical ICT third-party service providers based on the recommendations of the Joint Oversight Body pursuant to Article 37(2).

2. The ESAs shall submit those draft regulatory technical standards to the Commission by 1 January 20xx [OJ: insert date 1 year after the date of entry into force].

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with the procedure laid down in Articles 10 to 14 of Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 respectively.

Article 37

Follow-up by competent authorities

1. Within 30 calendar days after the receipt of the recommendations issued by the Joint Oversight Body pursuant to Article 31(1a), critical ICT third-party service providers shall notify the Joint Oversight Body whether they intend to follow those recommendations. The Joint Oversight Body shall immediately transmit this information to competent authorities of the financial entities concerned.

2. Competent authorities shall inform financial entities that have concluded contractual arrangements with critical ICT third-party service providers of the risks identified in the recommendations addressed to those critical ICT third-party service providers by the Joint Oversight Body in accordance with Article 31(1a) and monitor whether financial entities take into account the risks identified. The Joint Oversight Body shall monitor whether the critical ICT third-party providers have addressed the risks identified in those recommendations.

3. Where regulatory objectives cannot be ensured by other measures, and warnings have been issued to the affected financial entities by the national competent authorities on the basis of information communicated by the Joint Oversight Body, the board of the Lead Overseer may decide, upon recommendation from the Joint Oversight Body and after consultation with the competent authorities of the affected financial entities, to temporarily suspend, either in part or completely, the use or deployment of a service provided to financial entities exposed to the risks identified in the recommendations addressed to critical ICT third-party service providers until those risks have been addressed. Where necessary, and as a measure of last resort, they may require the critical ICT third-party service providers to terminate, in part or completely, the relevant contractual arrangements concluded with the financial entities exposed to the identified risks.

4. When taking the decisions referred to in paragraph 3, the Board of the Lead Overseer shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:

(a) the gravity and the duration of the non-compliance;

(b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider’s procedures, management systems, risk management and internal controls;

(c) whether financial crime was facilitated, occasioned or otherwise attributable to the non-compliance;

(d) whether the non-compliance has been committed intentionally or negligently;

(da) whether the suspension or termination introduces a continuity risk for the business operations of the service user of the critical ICT third-party service provider.

4a. The decisions provided for in paragraph 3 shall only be implemented once all affected financial entities have been duly notified thereof. The affected financial entities shall be afforded a period of time, which shall not go beyond what is strictly necessary, to adjust their outsourcing and contractual arrangements with critical ICT third-party service providers in such a way as to not jeopardise digital operational resilience and to execute their exit strategies and transition plans referred to in Article 25.

The critical ICT third-party service providers subject to the decisions provided for in paragraph 3 shall fully cooperate with the affected financial entities.

5. Competent authorities shall regularly inform the Joint Oversight Body on the approaches and measures taken in their supervisory tasks in relation to financial entities.

Article 38

Oversight fees

1. The ESAs shall charge critical ICT third-party service providers fees that fully cover ESAs’ necessary expenditure in relation to the conduct of Oversight tasks pursuant to this Regulation, including the reimbursement of any costs which may be incurred as a result of work carried out by competent authorities joining the Oversight activities in accordance with Article 35.

The amount of a fee charged to a critical ICT third-party service provider shall cover all costs derived from the execution of the duties foreseen in this Section and shall be proportionate to their turnover.

1a. If an administrative arrangement is entered into with a third-country regulatory and supervisory authority in accordance with paragraph 1 of this Article, that authority may form part of the examination team referred to in Article 35(1).

2. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by determining the amount of the fees and the way in which they are to be paid.

Article 39

International cooperation

1. EBA, ESMA and EIOPA may, in accordance with Article 33 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively, conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors, notably by developing best practices for the review of ICT risk-management practices and controls, mitigation measures and incident responses.

2. The ESAs shall, through the Joint Committee, submit every five years a joint confidential report to the European Parliament, to the Council and to the Commission summarising the findings of relevant discussions held with the third-country authorities referred to in paragraph 1, focussing on the evolution of ICT third-party risk and the implications for financial stability, market integrity, investor protection or the functioning of the single market.

CHAPTER VI

INFORMATION SHARING ARRANGEMENTS

Article 40

Information-sharing arrangements on cyber threat information and intelligence

1. Financial entities shall endeavour to exchange amongst themselves and ICT third-party service providers cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing:

(a) aims at enhancing the digital operational resilience of financial entities and ICT third-party service providers, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages;

(b) takes place within trusted communities of financial entities and ICT third-party service providers;

(c) is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data[26] and guidelines on competition policy[27].

2. For the purpose of point (c) of paragraph 1, the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, as well as on operational elements, including the use of dedicated IT platforms.

3. Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once the latter takes effect.

CHAPTER VII

COMPETENT AUTHORITIES

Article 41

Competent authorities

Without prejudice to the provisions on the Oversight Framework for critical ICT third-party service providers referred to in Section II of Chapter V of this Regulation, compliance with the obligations set out in this Regulation shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts:

(a) for credit institutions, the competent authority designated in accordance with Article 4 of Directive 2013/36/EU, without prejudice to the specific tasks conferred on the ECB by Regulation (EU) No 1024/2013;

(b) for payment service providers, the competent authority designated in accordance with Article 22 of Directive (EU) 2015/2366;

(c) for electronic payment institutions, the competent authority designated in accordance with Article 37 of Directive 2009/110/EC;

(d) for investment firms, the competent authority designated in accordance with Article 4 of Directive (EU) 2019/2034;

(e) for crypto-asset service providers, issuers and offerors of crypto-assets, issuers and offerors of asset-referenced tokens and issuers of significant asset-referenced tokens, the competent authority designated in accordance with the first indent of point (ee) of Article 3 (1) of [Regulation (EU) 20xx MICA Regulation];

(f) for central securities depositories and operators of securities settlement systems, the competent authority designated in accordance with Article 11 of Regulation (EU) No 909/2014;

(g) for central counterparties, the competent authority designated in accordance with Article 22 of Regulation (EU) No 648/2012;

(h) for trading venues and data reporting service providers, the competent authority designated in accordance with Article 67 of Directive 2014/65/EU;

(i) for trade repositories, the competent authority designated in accordance with Article 55 of Regulation (EU) No 648/2012;

(j) for managers of alternative investment funds, the competent authority designated in accordance with Article 44 of Directive 2011/61/EU;

(k) for management companies, the competent authority designated in accordance with Article 97 of Directive 2009/65/EC;

(l) for insurance and reinsurance undertakings, the competent authority designated in accordance with Article 30 of Directive 2009/138/EC;

(m) for insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, the competent authority designated in accordance with Article 12 of Directive (EU) 2016/97;

(n) for institutions for occupational retirement provisions, the competent authority designated in accordance with Article 47 of Directive 2016/2341;

(o) for credit rating agencies, the competent authority designated in accordance with Article 21 of Regulation (EC) No 1060/2009;

(p) for statutory auditors and audit firms, the competent authority designated in accordance with Articles 3(2) and 32 of Directive 2006/43/EC;

(q) for administrators of critical benchmarks, the competent authority designated in accordance with Articles 40 and 41 of Regulation (EU) 2016/1011;

(r) for crowdfunding service providers, the competent authority designated in accordance with Article 29 of Regulation (EU) 2020/1503;

(s) for securitisation repositories, the competent authority designated in accordance with Articles 10 and 14(1) of Regulation (EU) 2017/2402.
Article 42

Cooperation with structures and authorities established by Directive (EU) 2016/1148

1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities shall be invited to participate in the work of the Cooperation Group insofar as that work concerns supervisory and oversight activities, respectively, in relation to entities listed under point (7) of Annex II to Directive (EU) 2016/1148 that have also been designated as critical ICT third-party service providers pursuant to Article 28 of this Regulation.

2. Competent authorities may consult where appropriate with the single point of contact and the national Computer Security Incident Response Teams referred to respectively in Articles 8 and 9 of Directive (EU) 2016/1148.

2a. The Lead Overseer shall inform and cooperate with the competent authorities designated under Directive (EU) 2016/1148 before conducting general investigations and on-site inspections in accordance with Articles 33 and 34 of this Regulation.
Article 43

Financial cross-sector exercises, communication and cooperation

1. The ESAs, through the Joint Committee and in collaboration with competent authorities, the ECB, the Single Resolution Board in respect of information relating to entities falling under the scope of Regulation (EU) No 806/2014 and the ESRB, may establish mechanisms to enable the sharing of effective practices across financial sectors to enhance situational awareness and identify common cyber vulnerabilities and risks across sectors.

They may develop crisis-management and contingency exercises involving cyber-attack scenarios with a view to developing communication channels and gradually enabling an effective EU-level coordinated response in the event of a major cross-border ICT-related incident or significant cyber threat having a systemic impact on the Union’s financial sector as a whole.

These exercises may, as appropriate, also test the financial sector’s dependencies on other economic sectors.

2. Competent authorities, EBA, ESMA or EIOPA, the ECB, national resolution authorities and the Single Resolution Board in respect of information relating to entities falling under the scope of Regulation (EU) No 806/2014 shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 42 to 48. They shall closely coordinate their supervision in order to identify and remedy breaches of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation and provide cross-jurisdictional assessments in the event of any disagreements.


Article 44

Administrative penalties and remedial measures

1. Competent authorities shall have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under this Regulation.

2. The powers referred to in paragraph 1 shall include at least the powers to:

(a) have access to any document or data held in any form that the competent authority considers relevant for the performance of its duties and receive or take a copy of it;

(b) carry out on-site inspections or investigations;

(c) require corrective and remedial measures for breaches of the requirements of this Regulation.

3. Without prejudice to the right of Member States to impose criminal penalties according to Article 46, Member States shall lay down rules establishing appropriate administrative penalties and remedial measures for breaches of this Regulation and shall ensure their effective implementation.

Those penalties and measures shall be effective, proportionate and dissuasive.

4. Member States shall confer on competent authorities the power to apply at least the following administrative penalties or remedial measures for breaches of this Regulation:

(a) issue an order requiring the natural or legal person to cease the conduct and to desist from a repetition of that conduct;

(b) require the temporary or permanent cessation of any practice or conduct considered to be contrary to the provisions of this Regulation and prevent repetition of that practice or conduct;

(c) adopt any type of measure, including of a pecuniary nature, to ensure that financial entities continue to comply with legal requirements;

(d) require, in so far as permitted by national law, existing data traffic records held by a telecommunication operator, where there is a reasonable suspicion of a breach of this Regulation and where such records may be relevant to an investigation into breaches of this Regulation; and

(e) issue public notices, including public statements indicating the identity of the natural or legal person and the nature of the breach.

5. Where the provisions referred to in point (c) of paragraph 2 and in paragraph 4 apply to legal persons, Member States shall confer on competent authorities the power to apply the administrative penalties and remedial measures, subject to the conditions provided for in national law, to members of the management body, and to other individuals who under national law are responsible for the breach.

6. Member States shall ensure that any decision imposing administrative penalties or remedial measures set out in point (c) of paragraph 2 is properly reasoned and is subject to a right of appeal.

 

Article 45

Exercise of the power to impose administrative penalties and remedial measures

1. Competent authorities shall exercise the powers to impose administrative penalties and remedial measures referred to in Article 44 in accordance with their national legal frameworks, as appropriate:

(a) directly;

(b) in collaboration with other authorities;

(c) under their responsibility by delegation to other authorities;

(d) by application to the competent judicial authorities.

2. Competent authorities, when determining the type and level of an administrative penalty or remedial measure to be imposed under Article 44, shall take into account the extent to which the breach is intentional or results from negligence and all other relevant circumstances, including, where appropriate:

(a) the materiality, gravity and the duration of the breach;

(b) the degree of responsibility of the natural or legal person responsible for the breach;

(c) the financial strength of the responsible natural or legal person;

(d) the importance of profits gained or losses avoided by the responsible natural or legal person, insofar as they can be determined;

(e) the losses for third parties caused by the breach, insofar as they can be determined;

(f) the level of cooperation of the responsible natural or legal person with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that person;

(g) previous breaches by the responsible natural or legal person.

 

Article 46

Criminal penalties

1. Member States may decide not to lay down rules for administrative penalties or remedial measures for breaches that are subject to criminal penalties under their national law.

2. Where Member States have chosen to lay down criminal penalties for breaches of this Regulation they shall ensure that appropriate measures are in place so that competent authorities have all the necessary powers to liaise with judicial, prosecuting, or criminal justice authorities within their jurisdiction to receive specific information related to criminal investigations or proceedings commenced for breaches of this Regulation, and to provide the same information to other competent authorities, as well as EBA, ESMA or EIOPA to fulfil their obligations to cooperate for the purposes of this Regulation.

 

Article 47

Notification duties

Member States shall notify the laws, regulations and administrative provisions implementing this Chapter, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by [OJ: insert date 12 months after the date of entry into force]. Member States shall notify the Commission, ESMA, the EBA and EIOPA without undue delay of any subsequent amendments thereto.

 

Article 48

Publication of administrative penalties

1. Competent authorities shall publish on their official websites, without undue delay, any decision imposing an administrative penalty against which there is no appeal after the addressee of the sanction has been notified of that decision.

2. The publication referred to in paragraph 1 shall include information on the type and nature of the breach, the penalties imposed, and, exceptionally, the identity of the persons responsible.

3. Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case of natural persons, would be disproportionate, jeopardise the stability of financial markets or the pursuit of an on-going criminal investigation, or cause, insofar as these can be determined, disproportionate damages to the person involved, it shall adopt one of the following solutions in respect of the decision imposing an administrative sanction:

(a) defer its publication until the moment where all reasons for non-publication cease to exist;

(b) publish it on an anonymous basis, in accordance with national law; or

(c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets, or where such a publication would not be proportional with the leniency of the imposed sanction.

4. In the case of a decision to publish an administrative penalty on an anonymous basis in accordance with point (b) of paragraph 3, the publication of the relevant data may be postponed.

5. Where a competent authority publishes a decision imposing an administrative penalty against which there is an appeal before the relevant judicial authorities, competent authorities shall immediately add on their official website that information and at later stages any subsequent related information on the outcome of such appeal. Any judicial decision annulling a decision imposing an administrative penalty shall also be published.

6. Competent authorities shall ensure that any publication referred to in paragraphs 1 to 4 shall remain on their official website for at least five years after its publication. Personal data contained in the publication shall only be kept on the official website of the competent authority for the period which is necessary in accordance with the applicable data protection rules.


Article 49

Professional secrecy

1. Any confidential information received, exchanged or transmitted pursuant to this Regulation shall be subject to the conditions of professional secrecy laid down in paragraph 2.

2. The obligation of professional secrecy applies to all persons who work or who have worked for the competent authorities under this Regulation, or for any authority or market undertaking or natural or legal person to whom those competent authorities have delegated their powers, including auditors and experts contracted by them.

3. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of provisions laid down by Union or national law.

4. All information exchanged between the competent authorities under this Regulation that concerns business or operational conditions and other economic or personal affairs shall be considered confidential and shall be subject to the requirements of professional secrecy, except where the competent authority states at the time of communication that such information may be disclosed or where such disclosure is necessary for legal proceedings.


 

CHAPTER VIII

DELEGATED ACTS

Article 50

Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Articles 28(3) and 38(2) shall be conferred on the Commission for a period of five years from [PO: insert date 5 years after the date of entry into force of this Regulation]. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of power referred to in Articles 28(3) and 38(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Articles 28(3) and 38(2) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.


 

CHAPTER IX

TRANSITIONAL AND FINAL PROVISIONS

SECTION I

Article 51

Review clause

By [PO: insert date 5 years after the date of entry into force of this Regulation], the Commission shall, after consulting EBA, ESMA, EIOPA, and the ESRB, as appropriate, carry out a review and submit a report to the European Parliament and the Council, accompanied, if appropriate, by a legislative proposal. The report shall review at least the following:

(a) the possibility of extending the scope of application of this Regulation to operators of payment systems;

(b) the voluntary nature of the reporting of significant cyber threats;

(c) the criteria for the designation of critical ICT third-party service providers in Article 28(2); and

(d) the efficiency of the decision-making of the Joint Oversight Body and the exchange of information between the Joint Oversight Body and non-member national competent authorities.

 


SECTION II

AMENDMENTS

Article 52

Amendments to Regulation (EC) No 1060/2009

In Annex I to Regulation (EC) No 1060/2009, the first subparagraph of point 4 of Section A is replaced by the following:

 ‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2021/xx of the European Parliament and of the Council* [DORA].

* Regulation (EU) 2021/xx of the European Parliament and of the Council […] (OJ L XX, DD.MM.YYYY, p. X).’.

Article 53

Amendments to Regulation (EU) No 648/2012

Regulation (EU) No 648/2012 is amended as follows:

(1) Article 26 is amended as follows:

(a) paragraph 3 is replaced by the following:

‘3. A CCP shall maintain and operate an organisational structure that ensures continuity and orderly functioning in the performance of its services and activities. It shall employ appropriate and proportionate systems, resources and procedures, including ICT systems managed in accordance with Regulation (EU) 2021/xx of the European Parliament and of the Council* [DORA].

* Regulation (EU) 2021/xx of the European Parliament and of the Council […] (OJ L XX, DD.MM.YYYY, p. X).’;

(b) paragraph 6 is deleted;

(2) Article 34 is amended as follows:

(a) paragraph 1 is replaced by the following:

‘1. A CCP shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, which shall include ICT business continuity and disaster recovery plans set up in accordance with Regulation (EU) 2021/xx [DORA], aiming at ensuring the preservation of its functions, the timely recovery of operations and the fulfilment of the CCP’s obligations.’;

(b) in paragraph 3, the first subparagraph is replaced by the following:

‘In order to ensure consistent application of this Article, ESMA shall, after consulting the members of the ESCB, develop draft regulatory technical standards specifying the minimum content and requirements of the business continuity policy and of the disaster recovery plan, excluding ICT business continuity and disaster recovery plans.’;

(3) in Article 56, the first subparagraph of paragraph 3 is replaced by the following:

‘3. In order to ensure consistent application of this Article, ESMA shall develop draft regulatory technical standards specifying the details, other than for requirements related to ICT risk management, of the application for registration referred to in paragraph 1.’;

(4) in Article 79, paragraphs 1 and 2 are replaced by the following:

‘1. A trade repository shall identify sources of operational risk and minimise them also through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance with Regulation (EU) 2021/xx [DORA].

2. A trade repository shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan including ICT business continuity and disaster recovery plans established in accordance with Regulation (EU) 2021/xx [DORA], aiming at ensuring the maintenance of its functions, the timely recovery of operations and the fulfilment of the trade repository’s obligations.’;

(5) in Article 80, paragraph 1 is deleted.

Article 54

Amendments to Regulation (EU) No 909/2014

Article 45 of Regulation (EU) No 909/2014 is amended as follows:

(1) paragraph 1 is replaced by the following:

‘1. A CSD shall identify sources of operational risk, both internal and external, and minimise their impact also through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2021/xx of the European Parliament and of the Council* [DORA], as well as through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates.

* Regulation (EU) 2021/xx of the European Parliament and of the Council […] (OJ L XX, DD.MM.YYYY, p. X).’;

(2) paragraph 2 is deleted;

(3) paragraphs 3 and 4 are replaced by the following:

‘3. For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity and disaster recovery plan, including ICT business continuity and disaster recovery plans established in accordance with Regulation (EU) 2021/xx [DORA], to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk of disrupting operations.

4. The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can resume operations from the time of disruption as provided for in paragraphs (5) and (7) of Article 11 of Regulation (EU) 2021/xx [DORA].’;

 

Article 55

Amendments to Regulation (EU) No 600/2014

Regulation (EU) No 600/2014 is amended as follows:

(1) Article 27g is amended as follows:

(a) paragraph 4 is deleted;

(b) in paragraph 8, point (c) is replaced by the following:

‘(c) the concrete organisational requirements laid down in paragraphs 3 and 5.’;

(2) Article 27h is amended as follows:

(a) paragraph 5 is deleted;

(b) in paragraph 8, point (e) is replaced by the following:

‘(e) the concrete organisational requirements laid down in paragraph 4.’;

(3) Article 27i is amended as follows:

(a) paragraph 3 is deleted;

(b) in paragraph 5, point (b) is replaced by the following:

‘(b) the concrete organisational requirements laid down in paragraphs 2 and 4.’.

Article 56

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from [PO: insert date 24 months after the date of entry into force].

However, Articles 23 and 24 shall apply from [PO: insert date 36 months after the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the European Parliament
The President

For the Council
The President


PROCEDURE – COMMITTEE RESPONSIBLE

Title: Digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

References: COM(2020)0595 – C9-0304/2020 – 2020/0266(COD)

Date submitted to Parliament: 24.9.2020

Committee responsible (date announced in plenary): ECON (17.12.2020)

Committees asked for opinions (date announced in plenary): ITRE (17.12.2020), IMCO (17.12.2020)

Not delivering opinions (date of decision): ITRE (15.10.2020), IMCO (27.10.2020)

Rapporteur (date appointed): Billy Kelleher (15.10.2020)

Discussed in committee: 14.4.2021, 14.6.2021

Date adopted: 1.12.2021

Result of final vote: +: 44, –: 5, 0: 5

Members present for the final vote: Gerolf Annemans, Gunnar Beck, Marek Belka, Isabel Benjumea Benjumea, Stefan Berger, Gilles Boyer, Engin Eroglu, Markus Ferber, Jonás Fernández, Raffaele Fitto, Frances Fitzgerald, Luis Garicano, Sven Giegold, Valentino Grant, Claude Gruffat, José Gusmão, Enikő Győri, Eero Heinäluoma, Danuta Maria Hübner, Stasys Jakeliūnas, France Jamet, Billy Kelleher, Ondřej Kovařík, Georgios Kyrtsos, Aurore Lalucq, Philippe Lamberts, Aušra Maldeikienė, Pedro Marques, Costas Mavrides, Jörg Meuthen, Csaba Molnár, Siegfried Mureşan, Caroline Nagtegaal, Luděk Niedermayer, Lefteris Nikolaou-Alavanos, Lídia Pereira, Kira Marie Peter-Hansen, Sirpa Pietikäinen, Evelyn Regner, Antonio Maria Rinaldi, Alfred Sant, Martin Schirdewan, Joachim Schuster, Ralf Seekatz, Pedro Silva Pereira, Paul Tang, Irene Tinagli, Ernest Urtasun, Inese Vaidere, Johan Van Overtveldt, Stéphanie Yon-Courtin, Marco Zanni, Roberts Zīle

Substitutes present for the final vote: Lefteris Christoforou

Date tabled: 7.12.2021


FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

44 +

ECR: Raffaele Fitto, Johan Van Overtveldt, Roberts Zīle

NI: Enikő Győri

PPE: Isabel Benjumea Benjumea, Stefan Berger, Lefteris Christoforou, Markus Ferber, Frances Fitzgerald, Danuta Maria Hübner, Georgios Kyrtsos, Aušra Maldeikienė, Siegfried Mureşan, Luděk Niedermayer, Lídia Pereira, Sirpa Pietikäinen, Ralf Seekatz, Inese Vaidere

Renew: Gilles Boyer, Engin Eroglu, Luis Garicano, Billy Kelleher, Ondřej Kovařík, Caroline Nagtegaal, Stéphanie Yon-Courtin

S&D: Marek Belka, Jonás Fernández, Eero Heinäluoma, Aurore Lalucq, Pedro Marques, Costas Mavrides, Csaba Molnár, Evelyn Regner, Alfred Sant, Joachim Schuster, Pedro Silva Pereira, Paul Tang, Irene Tinagli

Verts/ALE: Sven Giegold, Claude Gruffat, Stasys Jakeliūnas, Philippe Lamberts, Kira Marie Peter-Hansen, Ernest Urtasun

5 -

ID: Gerolf Annemans, Gunnar Beck, France Jamet, Jörg Meuthen

NI: Lefteris Nikolaou-Alavanos

5 0

ID: Valentino Grant, Antonio Maria Rinaldi, Marco Zanni

The Left: José Gusmão, Martin Schirdewan

Key to symbols:

+ : in favour

- : against

0 : abstention


[1]  OJ C 155, 30.4.2021, p. 38.

[*] Amendments: new or amended text is highlighted in bold italics; deletions are indicated by the symbol ▌.

[2] [add reference] OJ C , , p..

[3] OJ C 155, 30.4.2021, p. 38.

[5] According to the impact assessment accompanying the review of the European Supervisory Authorities (SWD(2017) 308), there are around 5,665 credit institutions, 5,934 investment firms, 2,666 insurance undertakings, 1,573 IORPs, 2,500 investment management companies, 350 market infrastructures (such as CCPs, stock exchanges, systematic internalisers, trade repositories and MTFs), 45 CRAs and 2,500 authorised payment institutions and electronic money institutions. This sums up to approx. 21,233 entities and does not include crowdfunding entities, statutory auditors and audit firms, crypto-asset service providers and benchmark administrators.

[6] Communication from the Commission to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions, FinTech Action plan: For a more competitive and innovative European financial sector, COM/2018/0109 final, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en.

[7]  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

[8] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).

[10]  Recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), now repealed by the EBA Guidelines on outsourcing (EBA/GL/2019/02).

[11]  Communication from the Commission – Guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union to horizontal co-operation agreements, 2011/C 11/01.

[12]  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(OJ L 119, 4.5.2016, p. 1).

[13] CPMI-IOSCO, Guidance on cyber resilience for financial market infrastructures, https://www.bis.org/cpmi/publ/d146.pdf; G7 Fundamental Elements of Cybersecurity for the Financial Sector, https://www.ecb.europa.eu/paym/pol/shared/pdf/G7_Fundamental_Elements_Oct_2016.pdf; NIST Cybersecurity Framework, https://www.nist.gov/cyberframework; FSB CIRR toolkit, https://www.fsb.org/2020/04/effective-practices-for-cyber-incident-response-and-recovery-consultative-document

[14]  In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.

[15]  Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190).

[16]  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

[17]  Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (OJ L 225, 30.7.2014, p. 1).

[18]  OJ L 123, 12.5.2016, p. 1.

[19]  [Please insert full reference]

[20]  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)(OJ L 151, 7.6.2019, p. 15).

[21]  Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)(OJ L 321, 17.12.2018, p. 36).

[22]  Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 (OJ L 171, 29.6.2016, p. 1).

[23]  [please insert full title and OJ details]

[24]  Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

[25]  Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7).

[26]  In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

[27]  Communication from the Commission – Guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union to horizontal co-operation agreements, 2011/C 11/01.

Last updated: 7 December 2021