13 Amendments of France JAMET related to 2020/0266(COD)

Amendment 161
Proposal for a regulation
Recital 9
(9) Legislative disparities and lack of coordination and of interoperability between national regulatory or supervisory approaches on ICT risk trigger obstacles to the single market in financial servicross-border cyber resiliences, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities with cross-border presence. Competition between the same type of financial entities operating in different Member States may equally be distorted. Notably for areas where Union harmonisation has been very limited - such as the digital operational resilience testing - or absent - such as the monitoring of ICT third-party risk - disparities stemming from envisaged developments at national level could generate further obstacles to the functioning of the single market to the detriment of market participants and financial stability.
2021/06/01
Committee: ECON

Amendment 175
Proposal for a regulation
Recital 20 a (new)
(20 a) Where financial entities are required to report ICT-related incidents under this Regulation or under other Union or national law, the competent authorities should ensure that the reporting process is streamlined and done in a manner which utilises the model of a ‘one-stop shop’ authority in order to facilitate efficient reporting. Furthermore, given the regulatory framework under the Single Rulebook and cybersecurity legislation, national legislators and competent authorities at both Union and national level should ensure that the principle of proportionality is strictly followed in order to prevent an excessive burden on market participants.
2021/06/01
Committee: ECON

Amendment 176
Proposal for a regulation
Recital 21
(21) ICT-related incident reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through relevant work undertaken by tThe European Union Agency for Cybersecurity (ENISA)[33] and the NIS Cooperation Group for the financial entities under Directive (EU) 2016/1148, divergent approaches on thresholds and taxonomies still exist or can emerge for the remainder of financial entities. This entails multiple requirements that financial entities must abide to, especially when operating across several Union jurisdictions and when part of a financial group. Moreover, these divergences may hinder the creation of further Union uniform or centralisedprovide the necessary coordination between national practices. ENISA and the NIS Cooperation group should improve cross-border mechanisms speeding up the reporting process and supporting a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risks in case of large scale attacks with potentially systemic consequences.
_________________
[33] ENISA Reference Incident Classification Taxonomy, https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy.
2021/06/01
Committee: ECON

Amendment 179
Proposal for a regulation
Recital 22
(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete the ICT-related incident reporting regime with the requirements that are currently missing in financial subsector legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to streamline the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities only. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds, after consultation of the national supervisory authorities.
2021/06/01
Committee: ECON

Amendment 181
Proposal for a regulation
Recital 24
(24) In addition, where no testing is required, vulnerabilities remain undetected putting the financial entity and ultimately the financial sector’s stability and integrity at higher risk. Without Union intervention, digital operational resilience testing would continue to be patchy and there would be no mutual recognition of testing results across different jurisdictions. Also, as it is unlikely that other financial subsectors would adopt such schemes on a meaningful scale, they would miss out on the potential benefits, such as revealing vulnerabilities and risks, testing defence capabilities and business continuity, and increased trust of customers, suppliers and business partners. To remedy such overlaps, divergences and gaps, it could be useful to lay down rules aiming at coordinated testing by financial entities and competent authorities, thus facilitating the mutual recognition of advanced testing for significant financial entities.
2021/06/01
Committee: ECON

Amendment 199
Proposal for a regulation
Recital 43
(43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB, ENISA and national supervisory authorities, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.
2021/06/01
Committee: ECON

Amendment 207
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. This Regulation should forbid outsourcing arrangements with third country ICT third-party service providers if those third parties have, or are suspected of having, ties to foreign governments or to foreign militaries. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The ESA designated to conduct the oversight for each critical ICT third-party provider (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified.[38]
_________________
[38] In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
2021/06/01
Committee: ECON

Amendment 232
Proposal for a regulation
Recital 67
(67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant national competent authorities, and the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013[39], and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities.
_________________
[39] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
2021/06/01
Committee: ECON

Amendment 266
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) central banks, including the ECB.
2021/06/01
Committee: ECON

Amendment 269
Proposal for a regulation
Article 2 – paragraph 2
2. For the purposes of this Regulation, entities referred to in paragraph (a) to (t) and central banks, including the ECB, shall collectively be referred to as ‘financial entities’.
2021/06/01
Committee: ECON

Amendment 476
Proposal for a regulation
Article 16 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultation with the European Central Bank (ECB), ENISA and national supervisory authorities, develop common draft regulatory technical standards further specifying the following:
2021/06/01
Committee: ECON

Amendment 571
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. The ESAs shall, after consulting the ECB, ENISA and the national supervisory authorities, and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, develop draft regulatory technical standards to specify further:
2021/06/01
Committee: ECON

Amendment 603
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point d a (new)
(d a) ICT third-party service provider becomes or is suspected of becoming at least partially owned or controlled by foreign governments or foreign militaries;
2021/06/01
Committee: ECON