33 Amendments of Maximilian KRAH related to 2020/0266(COD)

Amendment 161 #
Proposal for a regulation
Recital 9
(9) Legislative disparities and lack of coordination and of interoperability between national regulatory or supervisory approaches on ICT risk trigger obstacles to cross-border cyber resilience, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities with cross-border presence. Competition between the same type of financial entities operating in different Member States may equally be distorted. Notably for areas where Union harmonisation has been very limited - such as the digital operational resilience testing - or absent - such as the monitoring of ICT third-party risk - disparities stemming from envisaged developments at national level could generate further obstacles to the functioning of the single market to the detriment of market participants and financial stability.
2021/06/01
Committee: ECON
Amendment 166 #
Proposal for a regulation
Recital 14
(14) The use of a regulation helps reducing regulatory complexity, fosters supervisory convergence, increases legal certainty, while also contributing to limiting compliance costs, especially for financial entities operating cross-border, and to reducing competitive distortions. The choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities appears therefore the most appropriate way to guarantee a homogenous and coherent application of all components of the ICT risk management by the Union financial sectors.
deleted
2021/06/01
Committee: ECON
Amendment 175 #
Proposal for a regulation
Recital 20 a (new)
(20 a) Where financial entities are required to report ICT-related incidents under this Regulation or under other Union or national law, the competent authorities should ensure that the reporting process is streamlined and done in a manner which utilises the model of a ‘one-stop shop’ authority in order to facilitate efficient reporting. Furthermore, given the regulatory framework under the Single Rulebook and cybersecurity legislation, national legislators and competent authorities at both Union and national level should ensure that the principle of proportionality is strictly followed in order to prevent an excessive burden on market participants.
2021/06/01
Committee: ECON
Amendment 176 #
Proposal for a regulation
Recital 21
(21) ICT-related incident reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through relevant work undertaken by tThe European Union Agency for Cybersecurity (ENISA) [33] and the NIS Cooperation Group for the financial entities under Directive (EU) 2016/1148, divergent approaches on thresholds and taxonomies still exist or can emerge for the remainder of financial entities. This entails multiple requirements that financial entities must abide to, especially when operating across several Union jurisdictions and when part of a financial group. Moreover, these divergences may hinder the creation of further Union uniform or centralisedprovide the necessary coordination between national practices. ENISA and the NIS Cooperation group should improve cross-border mechanisms speeding up the reporting process and supporting a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risks in case of large scale attacks with potentially systemic consequences.
[33] ENISA Reference Incident Classification Taxonomy, https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy.
2021/06/01
Committee: ECON
Amendment 179 #
Proposal for a regulation
Recital 22
(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete the ICT-related incident reporting regime with the requirements that are currently missing in financial subsector legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to streamline the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities only. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds, after consultation of the national supervisory authorities.
2021/06/01
Committee: ECON
Amendment 180 #
Proposal for a regulation
Recital 23
(23) Digital operational resilience testing requirements have developed in some financial subsectors within several and sometimes under-coordinated, national frameworks addressing the same issues in a different way. This leads to duplication of costs for cross-border financial entities and could hamper the mutual recognition of results. Uncoordinated testing can therefore segment the single market.
2021/06/01
Committee: ECON
Amendment 181 #
Proposal for a regulation
Recital 24
(24) In addition, where no testing is required, vulnerabilities remain undetected putting the financial entity and ultimately the financial sector’s stability and integrity at higher risk. Without Union intervention, digital operational resilience testing would continue to be patchy and there would be no mutual recognition of testing results across different jurisdictions. Also, as it is unlikely that other financial subsectors would adopt such schemes on a meaningful scale, they would miss out on the potential benefits, such as revealing vulnerabilities and risks, testing defence capabilities and business continuity, and increased trust of customers, suppliers and business partners. To remedy such overlaps, divergences and gaps, it could be useful to lay down rules aiming at coordinated testing by financial entities and competent authorities, thus facilitating the mutual recognition of advanced testing for significant financial entities.
2021/06/01
Committee: ECON
Amendment 199 #
Proposal for a regulation
Recital 43
(43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB, ENISA and national supervisory authorities, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.
2021/06/01
Committee: ECON
Amendment 203 #
Proposal for a regulation
Recital 47
(47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a continuous screening of all such ICT third-party dependencies. To enhance supervisory awareness over ICT third-party dependencies, and with a view to further support the Oversight Framework established by this Regulation, financial supervisors should regularly receive essential information from the Registers and should be able to request extracts thereof on an ad-hoc basis. The frequency of such interactions should be proportionate to the risk assessment of the entities, their size, and the reliability and security of the information sharing systems.
2021/06/01
Committee: ECON
Amendment 207 #
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. This Regulation should forbid outsourcing arrangements with third country ICT third-party service providers if those third parties have, or are suspected of having, ties to foreign governments or to foreign militaries. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The ESA designated to conduct the oversight for each critical ICT third-party provider (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified. [38]
[38] In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
2021/06/01
Committee: ECON
Amendment 232 #
Proposal for a regulation
Recital 67
(67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant national competent authorities and the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013 [39], and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities.
[39] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
2021/06/01
Committee: ECON
Amendment 234 #
Proposal for a regulation
Recital 69 – point 1
Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation without hindering innovation and equal treatment of different types of technology. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk.
2021/06/01
Committee: ECON
Amendment 245 #
Proposal for a regulation
Article 2 – paragraph 1 – point e
(e) crypto-asset service providers, issuers and offerors of crypto-assets, issuers of asset-referenced tokens and issuers of significant asset-referenced tokens,
2021/06/01
Committee: ECON
Amendment 258 #
Proposal for a regulation
Article 2 – paragraph 1 – point o
(o) institutions for occupational retirement pensions, unless they are micro, small or medium-sized enterprises,
2021/06/01
Committee: ECON
Amendment 266 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) central banks, including the ECB.
2021/06/01
Committee: ECON
Amendment 269 #
Proposal for a regulation
Article 2 – paragraph 2
2. For the purposes of this Regulation, entities referred to in paragraph (a) to (t) and central banks, including the ECB, shall collectively be referred to as ‘financial entities’.
2021/06/01
Committee: ECON
Amendment 323 #
Proposal for a regulation
Article 3 – paragraph 1 – point 44 a (new)
(44 a) ‘offeror of crypto-assets’ means an offeror of ‘crypto-assets’ as defined in point [(h) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
2021/06/01
Committee: ECON
Amendment 324 #
Proposal for a regulation
Article 3 – paragraph 1 – point 45 a (new)
(45 a) ‘offeror of asset-referenced tokens’ means an offeror of asset-referenced payment tokens as defined in point [(i) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
2021/06/01
Committee: ECON
Amendment 325 #
Proposal for a regulation
Article 3 – paragraph 1 – point 46 a (new)
(46 a) ‘offeror of significant asset-referenced tokens’ means an offeror of significant asset-referenced payment tokens as defined in point [(j) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
2021/06/01
Committee: ECON
Amendment 326 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50
(50) ‘micro, small and medium-sized enterprise’ means a financial entity as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC.
2021/06/01
Committee: ECON
Amendment 365 #
Proposal for a regulation
Article 5 – paragraph 9 – point g
(g) assessing the need for a multi-vendor strategy and, if applicable, and depending on the risk profile of the financial institution, defining a holistic ICT multi-vendor strategy at group level showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of third-party and intra-group service providers. Upon the request of the competent authorities, the multi-vendor strategy may be defined at entity level. A multi-vendor strategy shall be defined at entity level for ICT third-party service providers from third countries.
2021/06/01
Committee: ECON
Amendment 394 #
Proposal for a regulation
Article 8 – paragraph 3 – introductory part
3. To achieve the objectives referred to in paragraph 2, financial entities shall use state-of-the-art ICT technology and processes that are proportionate to the risks identified and the size and client base of the relevant financial entity, which:
2021/06/01
Committee: ECON
Amendment 476 #
Proposal for a regulation
Article 16 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultation with the European Central Bank (ECB), ENISA and national supervisory authorities, develop common draft regulatory technical standards further specifying the following:
2021/06/01
Committee: ECON
Amendment 506 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) in case of a major ICT-related incident, a notification from critical ICT third-party providers to the competent authority of the major ICT-related incident, without undue delay and not later than 72 hours after becoming aware of it;
2021/06/01
Committee: ECON
Amendment 526 #
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB and national supervisory authorities, shall develop:
2021/06/01
Committee: ECON
Amendment 535 #
Proposal for a regulation
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultation with ECB, ENISA and national supervisory authorities, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
2021/06/01
Committee: ECON
Amendment 550 #
Proposal for a regulation
Article 21 – paragraph 2
2. The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 22 and 23. Where Union legislation requires financial entities to carry out any digital operational or resilience testing and monitoring, the financial entities may pool such programmes and activities, provided they meet the requirements of any applicable legislation.
2021/06/01
Committee: ECON
Amendment 560 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Participation means that ICT third-party service providers shall conduct separate TLPT or join with the financial entity in the financial entity's TLPT. Those ICT third-party service providers shall not be required to communicate information or provide any details in relation to items which are not relevant to the risk management controls of the relevant critical or important services of the relevant financial entities.
2021/06/01
Committee: ECON
Amendment 571 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. The ESAs shall, after consulting the ECB, ENISA and the national supervisory authorities, and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, develop draft regulatory technical standards to specify further:
2021/06/01
Committee: ECON
Amendment 603 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point d a (new)
(d a) ICT third-party service provider becomes or is suspected of becoming at least partially owned or controlled by foreign governments or foreign militaries;
2021/06/01
Committee: ECON
Amendment 610 #
Proposal for a regulation
Article 25 – paragraph 1 – point 11 a (new)
11 a. The rules of this Regulation concerning ICT services shall apply without prejudice to the right of financial entities to use decentralised cryptographic solutions, or to form consortia in order to deploy or use such solutions, in which case such ICT services shall not be subject to this Chapter.
2021/06/01
Committee: ECON
Amendment 676 #
Proposal for a regulation
Article 28 – paragraph 9 a (new)
9 a. Financial entities shall not make use of an ICT third-party established in a third country if that third party has, or is suspected of having, ties with foreign governments or foreign militaries.
2021/06/01
Committee: ECON
Amendment 699 #
Proposal for a regulation
Article 31 – paragraph 1 – point d – point iv a (new)
(iv a) refraining from entering into a further subcontracting arrangement, when the envisaged sub-contractor is an ICT third-party service provider or an ICT sub-contractor established in a third country, if this third-party has or is suspected of having ties to foreign governments or foreign militaries;
2021/06/01
Committee: ECON