33 Amendments of Maximilian KRAH related to 2020/0266(COD)
Amendment 161 #
Proposal for a regulation
Recital 9
(9) Lack of coordination and of interoperability between national regulatory or supervisory approaches on ICT risk triggers obstacles to cross-border cyber resilience, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities with cross-border presence. Competition between the same type of financial entities operating in different Member States may equally be distorted. Notably for areas where Union harmonisation has been very limited - such as the digital operational resilience testing - or absent - such as the monitoring of ICT third-party risk - disparities stemming from envisaged developments at national level could generate further obstacles to the functioning of the single market to the detriment of market participants and financial stability.
Amendment 166 #
Proposal for a regulation
Recital 14
Amendment 175 #
Proposal for a regulation
Recital 20 a (new)
(20 a) Where financial entities are required to report ICT-related incidents under this Regulation or under other Union or national law, the competent authorities should ensure that the reporting process is streamlined and done in a manner which utilises the model of a ‘one-stop shop’ authority in order to facilitate efficient reporting. Furthermore, given the regulatory framework under the Single Rulebook and cybersecurity legislation, national legislators and competent authorities at both Union and national level should ensure that the principle of proportionality is strictly followed in order to prevent an excessive burden on market participants.
Amendment 176 #
Proposal for a regulation
Recital 21
(21) ICT-related incident reporting thresholds and taxonomies vary significantly at national level. The European Union Agency for Cybersecurity (ENISA)33 and the NIS Cooperation Group for the financial entities under Directive (EU) 2016/1148 provide the necessary coordination between national practices. ENISA and the NIS Cooperation Group should improve cross-border mechanisms speeding up the reporting process and supporting a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risks in case of large scale attacks with potentially systemic consequences. _________________ 33 ENISA Reference Incident Classification Taxonomy, https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy.
Amendment 179 #
Proposal for a regulation
Recital 22
(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete the ICT-related incident reporting regime with the requirements that are currently missing in financial subsector legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to streamline the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities only. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds, after consultation of the national supervisory authorities.
Amendment 180 #
Proposal for a regulation
Recital 23
(23) Digital operational resilience testing requirements have developed in some financial subsectors within several and sometimes under-coordinated national frameworks addressing the same issues in a different way. This leads to duplication of costs for cross-border financial entities and could hamper the mutual recognition of results. Uncoordinated testing can therefore segment the single market.
Amendment 181 #
Proposal for a regulation
Recital 24
(24) In addition, where no testing is required, vulnerabilities remain undetected putting the financial entity and ultimately the financial sector’s stability and integrity at higher risk. Without Union intervention, digital operational resilience testing would continue to be patchy and there would be no mutual recognition of testing results across different jurisdictions. Also, as it is unlikely that other financial subsectors would adopt such schemes on a meaningful scale, they would miss out on the potential benefits, such as revealing vulnerabilities and risks, testing defence capabilities and business continuity, and increased trust of customers, suppliers and business partners. To remedy such overlaps, divergences and gaps, it could be useful to lay down rules aiming at coordinated testing by financial entities and competent authorities, thus facilitating the mutual recognition of advanced testing for significant financial entities.
Amendment 199 #
Proposal for a regulation
Recital 43
(43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with the ECB, ENISA and national supervisory authorities, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.
Amendment 203 #
Proposal for a regulation
Recital 47
(47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a continuous screening of all such ICT third-party dependencies. To enhance supervisory awareness over ICT third-party dependencies, and with a view to further support the Oversight Framework established by this Regulation, financial supervisors should regularly receive essential information from the Registers and should be able to request extracts thereof on an ad-hoc basis. The frequency of such interactions should be proportionate to the risk assessment of the entities, their size, and the reliability and security of the information sharing systems.
Amendment 207 #
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. This Regulation should forbid outsourcing arrangements with third country ICT third-party service providers if those third parties have, or are suspected of having, ties to foreign governments or to foreign militaries. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The ESA designated to conduct the oversight for each critical ICT third-party provider (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified.38 _________________ 38 In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
Amendment 232 #
Proposal for a regulation
Recital 67
(67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant national competent authorities and the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/201339, and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities. _________________ 39 Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
Amendment 234 #
Proposal for a regulation
Recital 69 – point 1
Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation without hindering innovation and equal treatment of different types of technology. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk.
Amendment 245 #
Proposal for a regulation
Article 2 – paragraph 1 – point e
(e) crypto-asset service providers, issuers and offerors of crypto-assets, issuers of asset-referenced tokens and issuers of significant asset-referenced tokens,
Amendment 258 #
Proposal for a regulation
Article 2 – paragraph 1 – point o
(o) institutions for occupational retirement pensions, unless they are micro, small or medium-sized enterprises,
Amendment 266 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) central banks, including the ECB.
Amendment 269 #
Proposal for a regulation
Article 2 – paragraph 2
2. For the purposes of this Regulation, entities referred to in paragraph (a) to (t) and central banks, including the ECB, shall collectively be referred to as ‘financial entities’.
Amendment 323 #
Proposal for a regulation
Article 3 – paragraph 1 – point 44 a (new)
(44 a) ‘offeror of crypto-assets’ means an offeror of crypto-assets as defined in point [(h) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
Amendment 324 #
Proposal for a regulation
Article 3 – paragraph 1 – point 45 a (new)
(45 a) ‘offeror of asset-referenced tokens’ means an offeror of asset-referenced payment tokens as defined in point [(i) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
Amendment 325 #
Proposal for a regulation
Article 3 – paragraph 1 – point 46 a (new)
(46 a) ‘offeror of significant asset-referenced tokens’ means an offeror of significant asset-referenced payment tokens as defined in point [(j) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
Amendment 326 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50
(50) ‘micro, small and medium-sized enterprise’ means a financial entity as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC.
Amendment 365 #
Proposal for a regulation
Article 5 – paragraph 9 – point g
(g) assessing the need for a multi-vendor strategy and, if applicable and depending on the risk profile of the financial institution, defining a holistic ICT multi-vendor strategy at group level showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of third-party and intra-group service providers. Upon the request of the competent authorities, the multi-vendor strategy may be defined at entity level. A multi-vendor strategy shall be defined at entity level for ICT third-party service providers from third countries.
Amendment 394 #
Proposal for a regulation
Article 8 – paragraph 3 – introductory part
3. To achieve the objectives referred to in paragraph 2, financial entities shall use state-of-the-art ICT technology and processes that are proportionate to the risks identified and the size and client base of the relevant financial entity, which:
Amendment 476 #
Proposal for a regulation
Article 16 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultation with the European Central Bank (ECB), ENISA and national supervisory authorities, develop common draft regulatory technical standards further specifying the following:
Amendment 506 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) in case of a major ICT-related incident, a notification from critical ICT third-party providers to the competent authority of the major ICT-related incident, without undue delay and not later than 72 hours after becoming aware of it;
Amendment 526 #
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and after consultation with ENISA, the ECB and national supervisory authorities, shall develop:
Amendment 535 #
Proposal for a regulation
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultation with the ECB, ENISA and national supervisory authorities, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
Amendment 550 #
Proposal for a regulation
Article 21 – paragraph 2
2. The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 22 and 23. Where Union legislation requires financial entities to carry out any digital operational or resilience testing and monitoring, the financial entities may pool such programmes and activities, provided they meet the requirements of any applicable legislation.
Amendment 560 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Participation means that ICT third-party service providers shall conduct separate TLPT or join with the financial entity in the financial entity's TLPT. Those ICT third-party service providers shall not be required to communicate information or provide any details in relation to items which are not relevant to the risk management controls of the relevant critical or important services of the relevant financial entities.
Amendment 571 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. The ESAs shall, after consulting the ECB, ENISA and the national supervisory authorities, and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, develop draft regulatory technical standards to specify further:
Amendment 603 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point d a (new)
(d a) the ICT third-party service provider becomes, or is suspected of becoming, at least partially owned or controlled by foreign governments or foreign militaries;
Amendment 610 #
Proposal for a regulation
Article 25 – paragraph 1 – point 11 a (new)
Amendment 676 #
Proposal for a regulation
Article 28 – paragraph 9 a (new)
9 a. Financial entities shall not make use of an ICT third-party established in a third country if that third party has, or is suspected of having, ties with foreign governments or foreign militaries.
Amendment 699 #
Proposal for a regulation
Article 31 – paragraph 1 – point d – point iv a (new)
(iv a) refraining from entering into a further subcontracting arrangement, when the envisaged sub-contractor is an ICT third-party service provider or an ICT sub-contractor established in a third country, if that third party has, or is suspected of having, ties to foreign governments or foreign militaries;