Activities of Alfred SANT related to 2020/0266(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014
2021/12/07
Committee: ECON
Dossiers: 2020/0266(COD)
Documents: PDF(481 KB) DOC(172 KB)
Authors: Billy KELLEHER (MEP id 197818)

Amendments (123)

Amendment 157 #
Proposal for a regulation
Recital 1
(1) In the digital age, information and communication technology (ICT) supports complex systems used for everyday societal activities. It keeps our economies running in key sectors, including finance, and enhances the functioning of the single market. Increased digitalisation and interconnectedness also amplify ICT risks making society as a whole - and the financial system in particular - more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are nowadays core features of all activities of Union financial entities, digital resilience has yet to be sufficiently built in their operational frameworks.
2021/06/01
Committee: ECON
Amendment 167 #
Proposal for a regulation
Recital 14 a (new)
(14 a) However, that approach should in no way be taken to mean that, in its implementation, this Regulation should serve to hamper innovation and flexibility with regard to how financial entities deal with resilience issues while complying with its provisions. Through dialogue with supervisory authorities, which should acknowledge the virtues of flexibility, there will be full scope for adaptation and innovation while fully maintaining a high level of resilience.
2021/06/01
Committee: ECON
Amendment 172 #
Proposal for a regulation
Recital 19
(19) Cloud computing service providers are one category of digital service providers covered by Directive (EU) 2016/1148. As such they are subject to ex-post supervision carried out by the national authorities designated according to that Directive, which is limited to requirements on ICT security and incident notification laid down in that act. Since the Oversight Framework established by this Regulation applies to all critical ICT third-party service providers, including cloud computing service providers, when they provide ICT services to financial entities, it should be considered complementary to the supervision that is taking place under Directive (EU) 2016/1148 and both substantive and procedural requirements applicable to critical ICT third-party service providers under this Regulation should be coherent and seamless with those applicable under that Directive. Moreover, the Oversight Framework established by this Regulation should cover cloud computing service providers in the absence of a Union horizontal sector-agnostic framework establishing a Digital Oversight Authority.
2021/06/01
Committee: ECON
Amendment 174 #
Proposal for a regulation
Recital 20
(20) To remain in full control of ICT risks, financial entities need to have in place comprehensive capabilities enabling a strong and effective ICT risk management, alongside specific mechanisms and policies for ICT-related incident reporting, testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience bar for the financial system should be raised while allowing for a proportionate application of requirements for financial entities which are micro and small enterprises as defined in Commission Recommendation 2003/361/EC [32] also taking into account their nature, scale, complexity and overall risk profile.
[32] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
2021/06/01
Committee: ECON
Amendment 193 #
Proposal for a regulation
Recital 35
(35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all costs and losses caused by significant ICT disruptions and the results of post-incident reviews after such ICT disruptions.
2021/06/01
Committee: ECON
Amendment 197 #
Proposal for a regulation
Recital 41 a (new)
(41 a) The definition of critical or important functions in this Regulation should encompass critical functions as defined in Directive (EU) 2014/59. Thereby, functions that are deemed to be critical functions pursuant to Directive (EU) 2014/59 should be deemed to be critical or important within the meaning of this Regulation.
2021/06/01
Committee: ECON
Amendment 208 #
Proposal for a regulation
Recital 52
(52) To ensure that financial entities remain in full control of all developments which may impair their ICT security, notice periods and reporting obligations of the ICT third-party service provider should be set out in case of developments with a potential material impact on the ICT third-party service provider’s ability to effectively carry out critical or important functions, including the provision of assistance by the latter in case of an ICT-related incident relevant to the services being provided by the ICT third-party service provider to the financial institution at no additional cost or at a cost that is determined ex-ante. Ancillary ICT services on which the financial entities are not operationally dependent shall not be covered by this Regulation.
2021/06/01
Committee: ECON
Amendment 211 #
Proposal for a regulation
Recital 53
(53) Rights of access, inspection and audit by the financial entity or an appointed third party shall cover only critical and important functions and are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
2021/06/01
Committee: ECON
Amendment 213 #
Proposal for a regulation
Recital 54
(54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. Moreover, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In line with the resolution authorities’ expectations, credit institutions should ensure that the relevant contracts for ICT services are resolution-resilient. As long as critical and important ICT functions continue to be performed, those financial entities should ensure that the contracts foresee, among other requirements, non-termination, non-suspension and non-modification clauses on the grounds of restructuring or resolution.
2021/06/01
Committee: ECON
Amendment 236 #
Proposal for a regulation
Recital 69 a (new)
(69 a) Guidelines issued by the ESAs on the application of those regulations and directives should be reviewed and revised as part of the consolidation process so that the legal basis for ICT risk requirements in Union law exclusively derive from this Regulation, its implementing acts and/or decisions and recommendations taken in accordance therewith, concerning entities within its scope.
2021/06/01
Committee: ECON
Amendment 239 #
Proposal for a regulation
Article 1 – paragraph 1 – point a – indent 2 a (new)
- reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in points (a) to (c) of Article 2 (1);
2021/06/01
Committee: ECON
Amendment 241 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
1 a. This Regulation provides for the development of regulatory technical standards by the ESAs in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk. When developing those regulatory technical standards, the ESAs shall fully take into account and incorporate previous guidelines and any other regulatory requirements issued before the entry into force of this Regulation, aiming to provide regulatory continuity and stability, wherever possible, and in accordance with this Regulation.
2021/06/01
Committee: ECON
Amendment 242 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
2 a. This Regulation is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security in compliance with Union law.
2021/06/01
Committee: ECON
Amendment 246 #
Proposal for a regulation
Article 2 – paragraph 1 – point f
(f) central securities depositories, and operators of securities settlement systems,
2021/06/01
Committee: ECON
Amendment 248 #
Proposal for a regulation
Article 2 – paragraph 1 – point k
(k) management companies and self-managed UCITS investment companies within the meaning of Directive 2009/65/EC and managers of alternative investment funds as defined in Article 4(1)(b) of Directive 2011/61/EU,
2021/06/01
Committee: ECON
Amendment 265 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) payment cards' networks,
2021/06/01
Committee: ECON
Amendment 267 #
Proposal for a regulation
Article 2 – paragraph 1 – point u b (new)
(u b) mutatis mutandis, the ESAs, the competent authorities, the Commission’s directorate general responsible for financial policies;
2021/06/01
Committee: ECON
Amendment 270 #
Proposal for a regulation
Article 2 – paragraph 2 a (new)
2 a. This Regulation shall be considered to be a sector-specific Union legal act in relation to the Directive on measures for a high common level of cybersecurity across the Union [insert the full title and OJ publication reference when known] (NIS 2) with regard to financial entities. The provisions of this Regulation relating to ICT risk management measures, management of ICT-related incidents and notably incident reporting, as well as on digital operational resilience testing, information sharing arrangements and ICT third-party risk shall apply instead of those set up under the NIS 2 directive. Member States shall therefore not apply the provisions of NIS 2 on cybersecurity risk management and reporting obligations, information sharing and supervision and enforcement to any financial entities covered by this Regulation. At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under the NIS 2 Directive. To that end, this Regulation allows all financial supervisors, the European Supervisory Authorities (ESAs) for the financial sector and the national competent authorities under this Regulation to participate in strategic policy discussions and the technical workings of the Cooperation Group, and to exchange information and cooperate with the single points of contact designated under the NIS 2 Directive and with the national CSIRTs. The competent authorities under this Regulation shall also transmit details of major ICT-related incidents to the single points of contact designated under the NIS 2 Directive. Moreover, Member States shall continue to include the financial sector in their cybersecurity strategies and national CSIRTs may cover the financial sector in their activities.
2021/06/01
Committee: ECON
Amendment 277 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems - including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event - which, if materialised, may compromise the security of the network and information systems, of any ICT-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
2021/06/01
Committee: ECON
Amendment 279 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5 a (new)
(5 a) ‘incident’ means any event having the potential to disrupt, or that in fact disrupts, the operations of a financial entity;
2021/06/01
Committee: ECON
Amendment 284 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘ICT-related incident’ means an incident in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has or is likely to have adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity;
2021/06/01
Committee: ECON
Amendment 286 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6 a (new)
(6 a) ‘operational or security payment-related incident’ means an event or a series of linked occurrences unforeseen by financial entities referred to in points (a) to (c) of Article 2(1) which has or is likely to have an adverse impact on the integrity, availability, confidentiality, authenticity or continuity of payment-related services;
2021/06/01
Committee: ECON
Amendment 289 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘major ICT-related incident’ means an ICT-related incident with a high risk of material adverse impact on the network and information systems that support critical functions of the financial entity;
2021/06/01
Committee: ECON
Amendment 291 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7 a (new)
(7 a) ‘major operational or security payment-related incident’ means an operational or security payment-related incident which meets the criteria set out in Article 16(2)(a);
2021/06/01
Committee: ECON
Amendment 292 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8 a (new)
(8 a) ‘significant cyber threat’ means a cyber threat whose characteristics clearly indicate that it is likely to result in a major ICT-related incident or a major operational or security payment-related incident;
2021/06/01
Committee: ECON
Amendment 297 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15
(15) ‘ICT third-party service provider’ means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres, including an economic unit providing ICT services that forms part of an undertaking which provides a wider range of products or services, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council [43];
[43] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast) (OJ L 321, 17.12.2018, p. 36).
2021/06/01
Committee: ECON
Amendment 304 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services excluding maintenance contracts for licensed software and telecom contracts;
2021/06/01
Committee: ECON
Amendment 305 #
Proposal for a regulation
Article 3 – paragraph 1 – point 17
(17) ‘critical or important function’ means a function that is essential to the operation of a financial entity as it would be unable to deliver its services without the function, or whose failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or the soundness, or continuity of its services and activities;
2021/06/01
Committee: ECON
Amendment 330 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 a (new)
(50 a) ‘small enterprise’ means a financial entity as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC.
2021/06/01
Committee: ECON
Amendment 333 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 b (new)
(50 b) 'service' means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services, and where: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present; (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; and (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
2021/06/01
Committee: ECON
Amendment 334 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 c (new)
(50 c) 'function' means the identification, protection and prevention, detection, response and recovery, learning and evolution and communication in the use and management of ICT systems.
2021/06/01
Committee: ECON
Amendment 345 #
Proposal for a regulation
Article 4 – paragraph 3
3. Financial entities other than microenterprises shall establish a role to monitor the arrangements within the entity especially those concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
2021/06/01
Committee: ECON
Amendment 352 #
Proposal for a regulation
Article 5 – paragraph 4
4. As part of the ICT risk management framework referred to in paragraph 1, financial entities other than microenterprises shall implement an information security management system based on recognized international standards and where already available in accordance with supervisory guidance as laid out in guidelines established for that purpose by the ESAs and shall regularly review it.
2021/06/01
Committee: ECON
Amendment 356 #
Proposal for a regulation
Article 5 – paragraph 5
5. Financial entities other than microenterprises shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model, in coherence and conformity with the guidelines established prior to the entry into force of this Regulation and subsequently further developed and, where applicable, amended, by their respective ESAs in accordance with this Regulation.
2021/06/01
Committee: ECON
Amendment 374 #
Proposal for a regulation
Article 5 – paragraph 10 a (new)
10 a. Any processing of personal data that takes place by financial entities and ICT service providers operating on their behalf under Chapters II and III of this Regulation shall be necessary for compliance with a legal obligation in accordance with Article 6(1)(c) of Regulation (EU) 2016/679.
2021/06/01
Committee: ECON
Amendment 387 #
Proposal for a regulation
Article 7 – paragraph 7
7. Financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment and classification in terms of the level of criticality of all ICT systems that were in use for a period of at least six years prior to the date of entry into force of this Regulation and of all ICT systems that have been in use for a period of more than six years since that date.
2021/06/01
Committee: ECON
Amendment 391 #
Proposal for a regulation
Article 8 – paragraph 3 – introductory part
3. To achieve the objectives referred to in paragraph 2, financial entities shall use appropriate ICT technology and processes which:
2021/06/01
Committee: ECON
Amendment 397 #
Proposal for a regulation
Article 8 – paragraph 3 – point a
(a) maximize the security of the means of transfer of information;
2021/06/01
Committee: ECON
Amendment 400 #
Proposal for a regulation
Article 8 – paragraph 4 – point a
(a) develop and document an information security policy defining rules to protect the confidentiality, integrity and availability of their ICT resources, data and information assets, while ensuring full protection of customers’ ICT resources, data and information assets within financial entities’ own ICT systems;
2021/06/01
Committee: ECON
Amendment 401 #
Proposal for a regulation
Article 8 – paragraph 4 – point b
(b) following a risk-based approach, establish a sound network and infrastructure management using appropriate techniques, methods and protocols including implementing automated mechanisms to isolate affected information assets in case of cyber-attacks;
2021/06/01
Committee: ECON
Amendment 403 #
Proposal for a regulation
Article 8 – paragraph 4 – point c
(c) implement policies, procedures and controls that limit the physical and virtual access to ICT system resources and data to what is required only for legitimate and approved functions and activities, and establish to that effect a set of policies, procedures and controls that address access privileges and a sound administration thereof;
2021/06/01
Committee: ECON
Amendment 404 #
Proposal for a regulation
Article 8 – paragraph 4 – point d
(d) implement policies and protocols for strong authentication mechanisms, and protection of cryptographic keys, based on relevant standards and dedicated controls systems to prevent access to cryptographic keys whereby data is encrypted based on results of approved data classification and risk assessment processes;
2021/06/01
Committee: ECON
Amendment 429 #
Proposal for a regulation
Article 10 – paragraph 6
6. Financial entities other than microenterprises shall have a crisis management function, which may be nested under functions responsible for incident response and management or be a dedicated function and which, in case of activation of their ICT Business Continuity Policy or ICT Disaster Recovery Plan, shall set out clear procedures to manage internal and external crisis communications in accordance with Article 13.
2021/06/01
Committee: ECON
Amendment 433 #
Proposal for a regulation
Article 10 – paragraph 9
9. Financial entities other than microenterprises shall report to competent authorities a yearly review of costs and losses caused by ICT disruptions and ICT-related incidents.
2021/06/01
Committee: ECON
Amendment 439 #
Proposal for a regulation
Article 11 – paragraph 4
4. Financial entities other than small and microenterprises shall assess the need to maintain redundant ICT capacities equipped with resources, capabilities and functionalities that are sufficient and adequate to ensure business needs.
2021/06/01
Committee: ECON
Amendment 441 #
Proposal for a regulation
Article 11 – paragraph 5 – introductory part
5. Financial entities referred to in point (f) of Article 2(1) shall maintain or ensure that their ICT third-party providers maintain at least one secondary processing site endowed with resources, capabilities, functionalities and staffing arrangements sufficient and appropriate to ensure business needs.
2021/06/01
Committee: ECON
Amendment 451 #
Proposal for a regulation
Article 12 – paragraph 2 – subparagraph 1
When implementing changes to their ICT operations, financial entities other than microenterprises shall communicate all such significant changes to the competent authorities.
2021/06/01
Committee: ECON
Amendment 453 #
Proposal for a regulation
Article 12 – paragraph 2 – subparagraph 2 – introductory part
The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, namely, where deemed relevant, in relation to:
2021/06/01
Committee: ECON
Amendment 456 #
Proposal for a regulation
Article 13 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT-related incidents or major vulnerabilities to clients and counterparts as well as for the subsequent disclosure to the public, when, where and as appropriate.
2021/06/01
Committee: ECON
Amendment 460 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
(a) specify structural and supplementary elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 8(2), with a view to ensure the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the authenticity and integrity of data, including cryptographic techniques, and guarantee an accurate and prompt data transmission without major disruptions and undue delays;
2021/06/01
Committee: ECON
Amendment 470 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
3 a. The requirements laid down in the paragraphs 1, 2 and 3 shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
2021/06/01
Committee: ECON
Amendment 471 #
Proposal for a regulation
Article 15 a (new)
Article 15 a
Operational or security payment-related incidents concerning financial entities referred to in points (a), (b) and (c) of Article 2(1)
The requirements laid down in Chapter III of this Regulation shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
2021/06/01
Committee: ECON
Amendment 474 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
1 a. The classification requirements laid down in paragraph 1 shall apply to operational or security payment-related incidents and major operational or security payment-related incidents in cases where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
2021/06/01
Committee: ECON
Amendment 475 #
Proposal for a regulation
Article 16 – paragraph 1 b (new)
1 b. Financial entities shall classify significant cyber threats based on the following criteria: (a) the number or relevance of clients or financial counterparts targeted and, where applicable, the amount or number of transactions targeted by the significant cyber threat; (b) the duration or the frequency of the significant cyber threat; (c) the geographical spread with regard to the areas targeted by the significant cyber threat, particularly if it affects more than two Member States; (d) the criticality of the services targeted, including the financial entity’s transactions and operations;
2021/06/01
Committee: ECON
Amendment 478 #
Proposal for a regulation
Article 16 – paragraph 2 – point a
(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents which are subject to the reporting obligation laid down in Article 17(1);
2021/06/01
Committee: ECON
Amendment 479 #
Proposal for a regulation
Article 16 – paragraph 2 – point b
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to other Member States’ jurisdictions, and the details of ICT-related incidents or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
2021/06/01
Committee: ECON
Amendment 482 #
Proposal for a regulation
Article 16 – paragraph 2 – point b a (new)
(b a) the criteria set out in paragraph 1b, including high materiality thresholds for determining significant cyber threats which are subject to the reporting obligation laid down in Article 17 (1a);
2021/06/01
Committee: ECON
Amendment 483 #
Proposal for a regulation
Article 16 – paragraph 3 – introductory part
3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account the size, nature, scale, complexity and overall risk profile of the financial entities, as well as international standards and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. The ESAs shall further take into account that the timely and efficient management of an incident by small and microenterprises is not constricted by the need to respect the classification requirements set out in this Article.
2021/06/01
Committee: ECON
Amendment 485 #
Proposal for a regulation
Article 16 – paragraph 3 – subparagraph 1
The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 3 years after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 487 #
Proposal for a regulation
Article 17 – title
17 Reporting of major ICT-related incidents and significant cyber threats
2021/06/01
Committee: ECON
Amendment 492 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1 a. Financial entities shall notify significant cyber threats without undue delay to the relevant competent authority as referred to in Article 41.
2021/06/01
Committee: ECON
Amendment 493 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where a major ICT-related incident has or may have a material impact on the financial interests of service users and clients, financial entities shall, without undue delay after having become aware of it, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident.
2021/06/01
Committee: ECON
Amendment 498 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
2 a. Where a significant cyber threat could adversely impact the financial interests of clients, financial entities shall inform their clients, without undue delay, of the significant cyber threat and of the measures which the financial entity intends to take to mitigate the adverse effects of such threat. Where appropriate, the financial entity shall also advise its clients on the measures they can take to mitigate the adverse effects of the threat.
2021/06/01
Committee: ECON
Amendment 508 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without delay after becoming aware of a major ICT-related incident and making best efforts to do so no later than the end of the business day, or, in case of a major ICT-related incident that the financial entity became aware of later than 2 hours before the end of the business day, not later than 4 hours from the beginning of the next business day, or, where reporting channels are not available, as soon as they become available;
2021/06/01
Committee: ECON
Amendment 511 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
(b) an intermediate report, when relevant events occur or information becomes available following the initial notification or, if expressly required by the competent authority, after the initial notification referred to in point (a), followed as appropriate by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority;
2021/06/01
Committee: ECON
Amendment 513 #
Proposal for a regulation
Article 17 – paragraph 3 – point c
(c) a final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates, and at the latest one month from the date of resolution of the incident.
2021/06/01
Committee: ECON
Amendment 518 #
Proposal for a regulation
Article 17 – paragraph 4
4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant competent authority referred to in Article 41, after an explicit request from both the financial entity and the ICT third-party service provider. In cases of such delegation, the financial entity shall remain fully accountable for the fulfilment of the incident reporting requirements.
2021/06/01
Committee: ECON
Amendment 523 #
Proposal for a regulation
Article 17 – paragraph 5 – introductory part
5. Upon receipt of the report referred to in paragraph 1 or the notification referred to in paragraph 1a, the competent authority shall, without undue delay, provide details of the major ICT-related incident or significant cyber threat to:
2021/06/01
Committee: ECON
Amendment 524 #
Proposal for a regulation
Article 17 – paragraph 5 – point c a (new)
(c a) the Single Resolution Board for entities referred to in Article 7(2) of Regulation (EU) No 806/2014, and national resolution authorities in relation to entities referred to in Article 7(3) of Regulation (EU) No 806/2014. National resolution authorities should provide to the SRB, on a six-monthly basis, a summary of the reports received under this Article.
2021/06/01
Committee: ECON
Amendment 528 #
Proposal for a regulation
Article 18 – paragraph 1 – point a – point 1 a (new)
(1 a) establish the content of the notification for significant cyber threats;
2021/06/01
Committee: ECON
Amendment 529 #
Proposal for a regulation
Article 18 – paragraph 1 – point b
(b) common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT- related incident and notify a significant cyber threat.
2021/06/01
Committee: ECON
Amendment 530 #
Proposal for a regulation
Article 18 – paragraph 1 – subparagraph 1
The ESAs shall submit the common draft regulatory technical standards referred to in point (a) of paragraph 1 and the common draft implementing technical standards referred to in point (b) of paragraph 1 to the Commission by xx 202x [PO: insert date 2 years after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 534 #
Proposal for a regulation
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting that would replace all pre-existing reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
2021/06/01
Committee: ECON
Amendment 545 #
Proposal for a regulation
Article 20 – paragraph 1
1. Upon receipt of a report as referred to in Article 17(1) and (1a), the competent authority shall acknowledge receipt of notification and shall as quickly as possible provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise adverse impact across sectors and also provide appropriately anonymised feedback, insight and intelligence to all relevant financial entities where it could be beneficial, based on any major incident reports they receive.
2021/06/01
Committee: ECON
Amendment 546 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee, report every six months on an anonymised and aggregated basis on the ICT-related incident and cyber threat notifications received from competent authorities in accordance with Article 17(1) and 17(1a), setting out at least the number of major ICT-related incidents and significant cyber threats, their nature, impact on the operations of financial entities or customers, costs and remedial actions taken.
2021/06/01
Committee: ECON
Amendment 551 #
Proposal for a regulation
Article 21 – paragraph 3
3. Financial entities shall follow a risk-based approach when conducting the digital operational resilience testing programme as defined in paragraph 1, taking into account the evolving landscape of ICT risks, any specific risks to which the financial entity is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
2021/06/01
Committee: ECON
Amendment 555 #
Proposal for a regulation
Article 22 – paragraph 1
1. The digital operational resilience testing programme referred to in Article 21 shall provide for the execution of a full range of appropriate tests on the basis of guidelines already developed and implemented by the ESAs and national competent authorities in their respective areas of competence, as well as new and updated guidelines developed after the entry into force of this Regulation.
2021/06/01
Committee: ECON
Amendment 564 #
At the end of the test, the financial entity and the external testers shall provide to the competent authority or, in the case of ICT third-party service providers entering into contractual arrangements with [...] directly, to the Lead Overseers, a confidential summary of the test results and the documentation confirming that the threat led penetration testing has been conducted in accordance with the requirements. Competent authorities shall issue an attestation confirming that the test was performed in accordance with the requirements based on the documentation, in order to allow for mutual recognition of threat led penetration tests between competent authorities.
2021/06/01
Committee: ECON
Amendment 567 #
Proposal for a regulation
Article 23 – paragraph 3 – introductory part
3. Financial entities shall either contract testers in accordance with Article 24 or use internal testing teams, provided they operate at arm's length and are independent from the rest of the financial entity, for the purposes of undertaking threat led penetration testing.
2021/06/01
Committee: ECON
Amendment 569 #
Proposal for a regulation
Article 23 – paragraph 3 – subparagraph 1 – introductory part
Without prejudice to their ability to delegate tasks and competences under this Article to one or more other competent authorities in charge of threat led penetration testing, competent authorities shall identify financial entities to perform threat led penetration testing in a manner that is proportionate to the size, scale, activity and overall risk profile of the financial entity, based on the assessment of the following:
2021/06/01
Committee: ECON
Amendment 575 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. EBA, ESMA and EIOPA shall, in co-operation with ENISA and after consulting the ECB, and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests as well as guidelines issued before the entry into force of this Regulation, develop draft regulatory technical standards to specify further:
2021/06/01
Committee: ECON
Amendment 576 #
Proposal for a regulation
Article 23 – paragraph 4 – point c
(c) the type of supervisory cooperation needed for the implementation, and to facilitate full mutual recognition, of threat led penetration testing in the context of financial entities which operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.
2021/06/01
Committee: ECON
Amendment 577 #
Proposal for a regulation
Article 23 – paragraph 4 – subparagraph 1
The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 26 months before the date of entry into force].
2021/06/01
Committee: ECON
Amendment 578 #
Proposal for a regulation
Article 23 – paragraph 4 – subparagraph 1 a (new)
Until the entry into force of this Regulation, and the development and adoption of the regulatory technical standards specified in Article 23(4), financial entities shall follow those relevant guidelines and frameworks in the Union which apply to intelligence-based penetration tests, as these will continue to apply when this Regulation comes into force.
2021/06/01
Committee: ECON
Amendment 581 #
Proposal for a regulation
Article 24 – paragraph 1 – point c
(c) are certified by an accreditation body in a Member State or are certified by a well-established accreditation body in a third country or adhere to formal codes of conduct or ethical frameworks;
2021/06/01
Committee: ECON
Amendment 589 #
Proposal for a regulation
Article 25 – paragraph 1 – point 4 – introductory part
4. As part of their ICT risk management framework, financial entities shall maintain and update at entity level and, at sub-consolidated and consolidated levels, a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Where available, financial entities shall follow the guidelines and other measures issued by the ESAs and competent authorities until the entry into force of the implementing technical standards referred to in Article 25(10). Where relevant, the register of information may be constituted by records pursuant to Article 30 of Regulation (EU) 2016/679.
2021/06/01
Committee: ECON
Amendment 590 #
Proposal for a regulation
Article 25 – paragraph 1 – point 6
6. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high and appropriate security standards. The latest information security standards shall also be considered when determining whether the information security standards in place are appropriate.
2021/06/01
Committee: ECON
Amendment 596 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall ensure that contractual arrangements on the use of ICT services may be wholly terminated, if no rectification is possible, and partially terminated, if a rectification is possible, at least under the following circumstances:
2021/06/01
Committee: ECON
Amendment 601 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point c
(c) ICT third-party service provider's evidenced weaknesses in its overall ICT risk management of its contract with the financial entity and in particular in the way it ensures the security and integrity of confidential, personal or otherwise sensitive data or non-personal information;
2021/06/01
Committee: ECON
Amendment 602 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point d
(d) verifiable circumstances where the competent authority demonstrably can no longer effectively supervise the financial entity as a result of the respective contractual arrangement.
2021/06/01
Committee: ECON
Amendment 608 #
Proposal for a regulation
Article 25 – paragraph 1 – point 9 – introductory part
9. Financial entities shall put in place exit strategies, to be reviewed periodically, in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
2021/06/01
Committee: ECON
Amendment 616 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
2. Where the contractual arrangement on the use of ICT services concerning critical or important functions includes the possibility that an ICT third-party service provider further sub-contracts a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such possible sub-contracting, in particular in the case of an ICT sub-contractor established in a third country.
2021/06/01
Committee: ECON
Amendment 617 #
Proposal for a regulation
Article 26 – paragraph 2 – subparagraph 1 – introductory part
Where contractual arrangements on the use of ICT services concerning critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall consider relevant at least the following factors:
2021/06/01
Committee: ECON
Amendment 619 #
Proposal for a regulation
Article 27 – paragraph 1
1. The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract, which includes the service level agreements, shall be documented in writing and be available to the parties on paper or in a downloadable and accessible format.
2021/06/01
Committee: ECON
Amendment 620 #
Proposal for a regulation
Article 27 – paragraph 2 – introductory part
2. Financial entities and ICT third-party providers shall ensure that contractual arrangements on the use of ICT services include at least the following:
2021/06/01
Committee: ECON
Amendment 622 #
2. The contractual arrangements on the use of ICT services concerning critical and important functions shall include at least the following:
2021/06/01
Committee: ECON
Amendment 624 #
Proposal for a regulation
Article 27 – paragraph 2 – point b
(b) the location(s), namely the regions or countries, where the contracted or sub-contracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify in advance the financial entity if it envisages changing such location(s);
2021/06/01
Committee: ECON
Amendment 626 #
Proposal for a regulation
Article 27 – paragraph 2 – point c
(c) provisions on accessibility, availability, integrity, confidentiality and protection of data including personal data and on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider;
2021/06/01
Committee: ECON
Amendment 633 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point i a (new)
(i a) the obligation to allow competent authorities to have access to all contractual arrangements;
2021/06/01
Committee: ECON
Amendment 637 #
Proposal for a regulation
Article 27 – paragraph 2 – point j
(j) termination rights and related minimum notice periods for the termination of the contract, in accordance with competent and resolution authorities' expectations;
2021/06/01
Committee: ECON
Amendment 639 #
Proposal for a regulation
Article 27 – paragraph 2 – point k – point i
(i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reducing the risk of disruptions at the financial entity or to ensuring its effective resolution and restructuring;
2021/06/01
Committee: ECON
Amendment 641 #
Proposal for a regulation
Article 27 – paragraph 2 – point k a (new)
(k a) the processing of personal data by the ICT third-party service provider is in conformity with Regulation (EU) 2016/679;
2021/06/01
Committee: ECON
Amendment 643 #
Proposal for a regulation
Article 27 – paragraph 2 a (new)
2 a. Competent authorities shall be able to access the contractual arrangements.
2021/06/01
Committee: ECON
Amendment 658 #
Proposal for a regulation
Article 28 – paragraph 2 – point f a (new)
(f a) the materiality and importance of the relevant service provided by the ICT third-party service provider.
2021/06/01
Committee: ECON
Amendment 675 #
Proposal for a regulation
Article 28 – paragraph 9
9. Financial entities shall refrain from using an ICT third-party service provider established in a third country that would be designated as critical pursuant to point (a) of paragraph 1 if it does not establish a subsidiary in the Union.
2021/06/01
Committee: ECON
Amendment 707 #
Proposal for a regulation
Article 31 – paragraph 4
4. The Lead Overseer may, in the case of whole or partial non-compliance with the appropriate measures that would need to be taken in accordance with points (a), (b) or (c) of paragraph 1, within 60 calendar days, decide to impose a periodic penalty payment to compel the critical ICT third-party service provider to comply with points (a), (b) and (c) of paragraph 1.
2021/06/01
Committee: ECON
Amendment 709 #
Proposal for a regulation
Article 31 – paragraph 7
7. Penalty payments shall be of an administrative nature and shall be enforceable. Enforcement shall be governed by the rules of civil procedure in force in the Member State on the territory of which inspections and access shall be carried out. Courts of the Member State concerned shall have jurisdiction over complaints related to irregular conduct of enforcement. The amounts of the penalty payments shall be allocated to the general budget of the European Union. Such penalty payments shall only be imposed as a last resort in the event that the ICT third-party service provider fails to comply despite other reasonable measures being taken.
2021/06/01
Committee: ECON
Amendment 712 #
Proposal for a regulation
Article 32 – paragraph 1
1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. ICT third-party service providers shall only be required to provide that information in respect of financial entities subject to this Regulation who use the services for critical or important functions and shall give notice to the relevant financial entity of requests specific to that financial entity.
2021/06/01
Committee: ECON
Amendment 720 #
Proposal for a regulation
Article 33 – paragraph 2 – point e
(e) request records of telephone and data traffic, in accordance with the principle of proportionality.
2021/06/01
Committee: ECON
Amendment 724 #
Proposal for a regulation
Article 34 – paragraph 4
4. Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data that the Lead Overseer deems appropriate and technologically relevant, either used for, or contributing to, the provision of services to financial entities.
2021/06/01
Committee: ECON
Amendment 725 #
Proposal for a regulation
Article 34 – paragraph 5
5. Before any planned on-site visit, Lead Overseers shall give a reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective. On the occasion of an on-site visit, both the Lead Overseer and the ICT third-party service provider shall avoid and mitigate any disruption in services to clients of the ICT third-party service provider other than financial entities within the scope of this Regulation.
2021/06/01
Committee: ECON
Amendment 728 #
Proposal for a regulation
Article 37 – paragraph 1
1. Within 30 calendar days after the receipt of the recommendations issued by Lead Overseers pursuant to point (d) of Article 31(1), which shall be simultaneously copied to the financial entities serviced by the latter, critical ICT third-party service providers shall notify the Lead Overseer whether they intend to follow those critical recommendations. For non-critical recommendations, the time period may be extended by up to 45 days. Lead Overseers shall immediately transmit this information to competent authorities.
2021/06/01
Committee: ECON
Amendment 734 #
Proposal for a regulation
Article 37 – paragraph 3
3. Competent authorities may, in accordance with Article 44, as a measure of last resort, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third- party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers, after considering risks and mitigating measures and following the defined exit strategies put in place by the financial entity. Following the request for termination, the competent authorities shall allow sufficient time for financial entities to adjust their contractual arrangements with ICT third-party service providers in such a way as to not jeopardise digital operational resilience.
2021/06/01
Committee: ECON
Amendment 739 #
Proposal for a regulation
Article 37 – paragraph 4 – point d a (new)
(d a) whether the suspension or termination introduces a discontinuity risk for the business operations of the customer of the critical ICT third-party provider.
2021/06/01
Committee: ECON
Amendment 741 #
Proposal for a regulation
Article 40 – paragraph 1 – introductory part
1. Financial entities shall, whenever possible and deemed appropriate, exchange amongst themselves and ICT third-party service providers cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing:
2021/06/01
Committee: ECON
Amendment 742 #
Proposal for a regulation
Article 40 – paragraph 1 – point a
(a) aims at enhancing the digital operational resilience of financial entities and ICT third-party service providers, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting financial entities’ range of defensive capabilities, threat detection techniques, mitigation strategies or response and recovery stages;
2021/06/01
Committee: ECON
Amendment 743 #
Proposal for a regulation
Article 40 – paragraph 1 – point b
(b) takes places within trusted communities of financial entities and ICT third-party service providers;
2021/06/01
Committee: ECON
Amendment 744 #
Proposal for a regulation
Article 40 – paragraph 2
2. For the purpose of paragraph 1, a database for storing information at Union level shall be created. For the purpose of point (c) of paragraph 1, the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, as well as on operational elements, including the use of dedicated IT platforms.
2021/06/01
Committee: ECON
Amendment 746 #
Proposal for a regulation
Article 40 – paragraph 3 a (new)
3 a. Processing of personal data for the purposes of this Article is in accordance with point (f) of Article 6(1) of Regulation (EU) 2016/679.
2021/06/01
Committee: ECON
Amendment 755 #
Proposal for a regulation
Article 48 – paragraph 2
2. The publication referred to in paragraph 1 shall include information on the type and nature of the breach, exceptionally the identity of the persons responsible and the penalties imposed, taking into account the need to avoid jeopardising the stability of financial markets or the pursuit of an ongoing criminal investigation. It may defer its publication until all reasons for non-publication cease to exist.
2021/06/01
Committee: ECON
Amendment 758 #
Proposal for a regulation
Article 48 – paragraph 6
6. Competent authorities shall ensure that any publication referred to in paragraphs 1 and 2 shall remain on their official website for at least five years after its publication. Personal data contained in the publication shall only be kept on the official website of the competent authority for the period which is necessary in accordance with the applicable data protection rules.
2021/06/01
Committee: ECON
Amendment 759 #
Proposal for a regulation
Article 50 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 28(3) and 38(2) shall be conferred on the Commission for a period of three years from [PO: insert date 3 years after the date of entry into force of this Regulation].
2021/06/01
Committee: ECON
Amendment 761 #
Proposal for a regulation
Article 56 – paragraph 2
It shall apply from [PO: insert date - 36 months after the date of entry into force].
2021/06/01
Committee: ECON