Activities of Mikuláš PEKSA related to 2020/0266(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014
Amendments (75)
Amendment 162
Proposal for a regulation
Recital 10 a (new)
(10 a) Establishing and maintaining adequate network and information system infrastructures is also a fundamental precondition for effective risk data aggregation and risk reporting practices, which are in turn an essential requisite for the sound and sustainable risk management and decision-making processes of credit institutions. In 2013, the Basel Committee on Banking Supervision published a set of principles for effective risk data aggregation and risk reporting (‘BCBS 239’) based on two overarching principles of governance and IT infrastructure, to be implemented by the beginning of 2016. According to the Basel Progress Report of April 2020 and the ECB Report on the Thematic Review of May 2018 on effective risk data aggregation and risk reporting, the implementation progress made by global systemically important banks was unsatisfactory and a source of concern. In order to facilitate compliance and alignment with international standards, the Commission, in close cooperation with the ECB and after consulting EBA and ESRB, should produce a report in order to assess how the BCBS 239 principles interact with the provisions of the DORA Regulation and, if appropriate, how those principles should be incorporated into Union law.
Amendment 163
Proposal for a regulation
Recital 12 – point 1
Through this exercise, which consolidates and updates rules on ICT risk, all provisions addressing digital risk in finance would for the first time be brought together in a consistent manner in a single legislative act. This initiative should thus fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third party risk monitoring. This initiative also intends to raise awareness of ICT risks and acknowledges that ICT incidents and lack of operational resilience might jeopardise the financial soundness of financial entities.
Amendment 165
Proposal for a regulation
Recital 13 – introductory part
(13) Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of high reliance on ICT systems, platforms and infrastructures, which entails increased digital risk.
Amendment 168
Proposal for a regulation
Recital 16 – introductory part
(16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in respect to those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for the financial sector, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.
Amendment 171
Proposal for a regulation
Recital 18
(18) It is also important to ensure consistency with both the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats, and the Directive on Resilience of Critical Entities, with possible implications for the financial sector.31
31 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
Amendment 186
Proposal for a regulation
Recital 30
(30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, notably uncertainty over the compatibility with the data protection, anti-trust and liability rules. It is therefore important to strengthen cooperation arrangements and reporting amongst financial entities and the competent authorities as well as information-sharing with the public, with a view to developing an open intelligence sharing framework and a 'security by design' approach, which are essential in order to increase the operational resilience and preparedness of the financial sector with regard to cyber threats.
Amendment 206
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The Joint Oversight Body overseeing critical ICT third-party providers should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified.38
38 In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
Amendment 214
Proposal for a regulation
Recital 54
(54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. In addition, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In that regard, credit institutions should include, in the relevant contracts for ICT services, resolution-resilient clauses, which ensure, among other requirements, non-termination, suspension or modification on the grounds of resolution as long as substantive obligations continue to be performed.
Amendment 219
Proposal for a regulation
Recital 60
(60) To leverage the current multi-layered institutional architecture in the financial services area, the Joint Committee of the ESAs should continue to ensure the overall cross-sectoral coordination in relation to all matters pertaining to ICT risk, in accordance with its tasks on cybersecurity, supported through a new Committee (the Joint Oversight Body) adopting both individual decisions addressed to critical ICT third-party service providers and collective recommendations, notably on benchmarking the oversight programs of critical ICT third-party service providers, and identifying best practices for addressing ICT concentration risk issues.
Amendment 220
Proposal for a regulation
Recital 61
(61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale, the Joint Oversight Body should be responsible for the supervision of each critical ICT third-party service provider and rely on joint examination teams.
Amendment 223
Proposal for a regulation
Recital 62 – introductory part
(62) The Joint Oversight Body should enjoy the necessary powers to conduct investigations, onsite and offsite inspections at critical ICT third-party service providers, access all relevant premises and locations and obtain complete and updated information to enable it to acquire real insight into the type, dimension and impact of the ICT third-party risk posed to the financial entities and ultimately to the Union’s financial system.
Amendment 227
Proposal for a regulation
Recital 66
(66) To leverage technical expertise of competent authorities’ experts on operational and ICT risk management, the Joint Oversight Body should rely on joint examination teams composed of national supervisory experts and dedicated ESAs staff for each individual critical ICT third-party service provider, pooling together multidisciplinary teams to support both the preparation and the actual execution of oversight activities, including onsite inspections of critical ICT third-party service providers, as well as needed follow-up thereof.
Amendment 233
Proposal for a regulation
Recital 67
(67) Competent authorities, including the Joint Oversight Body, should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant competent authorities, including ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013,39 and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities. The Single Resolution Board and national resolution authorities should be involved in the mechanisms for the mutual exchange of information for entities referred to in Article 7 of Regulation (EU) No 806/2014. National resolution authorities should provide a summary of the reported incidents for entities under their remit to the Single Resolution Board on a quarterly basis.
39 Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
Amendment 247
Proposal for a regulation
Article 2 – paragraph 1 – point f
(f) central securities depositories and operators of securities settlement systems,
Amendment 264
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) operators of payment schemes and payment systems.
Amendment 268
Proposal for a regulation
Article 2 – paragraph 1 a (new)
1 a. Chapter III of this Regulation applies to all payment service providers as defined in Directive (EU) 2015/2366.
Amendment 273
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality;
Amendment 276
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘operational risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems, including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event, which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
Amendment 282
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘operational incident’ means any event which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity;
Amendment 290
Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘major operational incident’ means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity;
Amendment 300
Proposal for a regulation
Article 3 – paragraph 1 – point 15 a (new)
(15 a) 'intra-group ICT third-party service provider' means an ICT third-party service provider that is in a consolidated situation with a financial entity, or that is within the same group as a financial entity, as defined in Regulation (EU) No 575/2013.
Amendment 341
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point f
(f) allocate and periodically review appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant training on ICT risks and skills for all relevant staff;
Amendment 355
Proposal for a regulation
Article 5 – paragraph 5
5. Financial entities other than microenterprises shall assign the responsibility for managing and overseeing ICT-related risks to a control function and ensure the independence and objectivity of that control function to avoid conflicts of interest. They shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.
Amendment 371
Proposal for a regulation
Article 5 – paragraph 10
10. Upon approval of competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings. Where such outsourcing occurs, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.
Amendment 398
Proposal for a regulation
Article 8 – paragraph 3 – point c
(c) prevent breach of confidentiality;
Amendment 440
Proposal for a regulation
Article 11 – paragraph 5 – introductory part
5. Financial entities referred to in point (f) of Article 2(1) shall maintain or ensure that their ICT third-party providers maintain at least one secondary processing site endowed with resources, capabilities, functionalities and staffing arrangements sufficient and appropriate to ensure business needs.
Amendment 488
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
1. Financial entities shall report major operational incidents to the single EU hub as referred to in Article 19, within the time-limits laid down in paragraph 3. Where the major operational incident also amounts to a personal data breach, financial entities shall notify it to the relevant data protection authority and to the affected data subjects, where relevant, in line with Article 33 of Regulation 2016/679.
Amendment 491
Proposal for a regulation
Article 17 – paragraph 1 – subparagraph 1
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, an incident report using the template referred to in Article 18 and submit it to the single EU hub.
Amendment 497
Proposal for a regulation
Article 17 – paragraph 2
2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident. Where such incident materialises, the financial entities shall release a public statement, in addition to individually informing their service users and clients.
Amendment 499
Proposal for a regulation
Article 17 – paragraph 2 a (new)
2 a. Where the risk of a major ICT-related incident emerges but does not materialise due to the counter measures adopted, financial entities may release a public statement instead of individually informing their service users and clients.
Amendment 500
Proposal for a regulation
Article 17 – paragraph 2 b (new)
2 b. Where a major operational incident causes financial losses to their service users and clients, financial entities shall be liable for the compensation of the proven losses incurred by those service users and clients.
Amendment 501
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
3. Financial entities shall submit to the single EU hub as referred to in Article 19:
Amendment 503
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without delay, but no later than 24 hours after the operational incident is classified as major by the financial entity;
Amendment 516
Proposal for a regulation
Article 17 – paragraph 4
Amendment 521
Proposal for a regulation
Article 17 – paragraph 5
Amendment 525
Proposal for a regulation
Article 17 – paragraph 6
6. EBA, ESMA or EIOPA and the ECB, in cooperation with ENISA, shall assess the relevance of the major ICT-related incident to other relevant public authorities and notify them accordingly as soon as possible. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.
Amendment 527
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and ENISA, after consultation with the ECB, shall develop:
Amendment 532
Proposal for a regulation
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall establish and operate a single EU Hub for major operational incident reporting by financial entities.
Amendment 536
Proposal for a regulation
Article 19 – paragraph 2
Amendment 540
Proposal for a regulation
Article 19 – paragraph 2 a (new)
2 a. The EU Hub shall collect and maintain incident data and shall ensure that the entities referred to in paragraph 3 have direct and immediate access to the relevant information.
Amendment 542
Proposal for a regulation
Article 19 – paragraph 3
3. The EU Hub shall make the necessary information available to the following entities to enable them to fulfil their respective responsibilities and mandates:
(a) competent authorities as referred to in Article 41;
(b) EBA, ESMA or EIOPA, as appropriate;
(c) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1);
(d) the single point of contact designated under Article 8 of Directive (EU) 2016/1148;
(e) the Single Resolution Board (SRB), for entities referred to in Article 7(2) of Regulation (EU) No 806/2014, and national resolution authorities in relation to entities referred to in Article 7(3) of Regulation (EU) No 806/2014.
Amendment 543
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3 a. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop common draft regulatory technical standards specifying the following:
(a) modalities and operational standards for the collection and aggregation of incident reporting information and for the entities referred to in paragraph 3 to access that information;
(b) the terms and conditions, the arrangements and the required documentation under which access to the EU Hub is granted to the entities referred to in paragraph 3;
(c) the conditions for membership of financial entities.
Amendment 561
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Such testing shall not adversely impact other users of the ICT third-party service providers.
Amendment 572
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. The ESAs shall, in coordination with ENISA and after consulting the ECB and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, develop one set of draft regulatory technical standards to specify further:
Amendment 604
Proposal for a regulation
Article 25 – paragraph 1 – point 8 a (new)
8 a. With a view to reducing the risk of disruptions at the level of the financial entity, in duly justified circumstances and in agreement with their competent authorities, financial entities may not terminate the contractual arrangement with the ICT third-party service provider until they are able to switch to another ICT third-party service provider or change to on-premises solutions consistent with the complexity of the service provided, in accordance with the exit strategy referred to in paragraph 9.
Amendment 636
Proposal for a regulation
Article 27 – paragraph 2 – point j
(j) termination rights and related minimum notice period for the termination of the contract, in accordance with competent authorities’ and resolution authorities’ expectations;
Amendment 640
Proposal for a regulation
Article 27 – paragraph 2 – point k – point i
(i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity or to ensure its effective resolution and restructuring;
Amendment 648
Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and upon recommendation from the Joint Oversight Body established pursuant to Article 29(1), after consultation with ENISA, shall:
Amendment 649
Proposal for a regulation
Article 28 – paragraph 1 – point a a (new)
(a a) be responsible for the supervision and oversight of critical ICT third-party service providers in relation to the services they provide to financial entities.
Amendment 651
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) adopt decisions addressed to critical ICT third-party service providers.
Amendment 669
Proposal for a regulation
Article 28 – paragraph 6
6. The Joint Oversight Body, in consultation with ENISA, shall establish, publish and yearly update the list of critical ICT third-party service providers at Union level.
Amendment 678
Proposal for a regulation
Article 28 a (new)
Amendment 679
Proposal for a regulation
Article 29 – paragraph 1 – introductory part
1. The Joint Oversight Body shall be established for the purposes of overseeing ICT third-party risk across financial sectors and conducting direct oversight of ICT third-party service providers designated as critical pursuant to Article 28.
Amendment 681
Proposal for a regulation
Article 29 – paragraph 4
Amendment 685
Proposal for a regulation
Article 29 – paragraph 5
5. The Commission is empowered to adopt a delegated act in accordance with Article 50 to specify the cooperation modalities between the Joint Oversight Body and the competent authorities for the purposes of this Section on the detailed procedures and conditions relating to the execution of tasks between competent authorities and the Joint Oversight Body and details on exchanges of information needed by competent authorities to ensure the follow-up of the decisions adopted by the Joint Oversight Body pursuant to point (d) of Article 31(1) to critical ICT third-party providers.
Amendment 688
Proposal for a regulation
Article 29 – paragraph 7
7. The Joint Oversight Body shall present yearly to the European Parliament, the Council and the Commission a report on the application of this Section.
Amendment 689
Proposal for a regulation
Article 30 – title
Tasks of the Joint Oversight Body
Amendment 690
Proposal for a regulation
Article 30 – paragraph 1
1. The Joint Oversight Body shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities.
Amendment 695
Proposal for a regulation
Article 31 – title
Powers and responsibilities of the Joint Oversight Body
Amendment 696
Proposal for a regulation
Article 31 – paragraph 1 – introductory part
1. For the purposes of carrying out the duties laid down in this Section, the Joint Oversight Body shall have the following powers in respect of the services provided by critical ICT third-party service providers to financial entities:
Amendment 698
Proposal for a regulation
Article 31 – paragraph 1 – point d – introductory part
(d) to take decisions on the areas referred to in Article 30(2), in particular concerning the following:
Amendment 702
Proposal for a regulation
Article 31 – paragraph 1 a (new)
1 a. When exercising the powers referred to in paragraph 1, the Joint Oversight Body shall coordinate with the relevant national competent authority established by Directive (EU) 2016/1148 to avoid inconsistencies or duplication with rules established under Directive (EU) 2016/1148.
Amendment 703
Proposal for a regulation
Article 31 – paragraph 2
Amendment 710 #
Proposal for a regulation
Article 31 – paragraph 8
Article 31 – paragraph 8
8. The Joint Oversight Body shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure to the public would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
Amendment 726 #
Proposal for a regulation
Article 37 – paragraph 1
Article 37 – paragraph 1
1. Within 30 calendar days after the receipt of the decisions issued by the Joint Oversight Body pursuant to point (d) of Article 31(1), critical ICT third-party service providers shall notify the Lead Overseer whether they have complied with those decisions. The Joint Oversight Body shall immediately transmit this information to the competent authorities of the financial entities concerned.
Amendment 729 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. Competent authorities shall monitor whether financial entities take into account the risks identified in the decisions addressed to critical ICT third-party providers by the Joint Oversight Body in accordance with point (d) of Article 31(1). The Joint Oversight Body shall monitor whether the critical ICT third-party providers have addressed the risks identified in those decisions.
Amendment 731 #
Proposal for a regulation
Article 37 – paragraph 3
Article 37 – paragraph 3
3. The Joint Oversight Body may, in accordance with Article 44, after consultation with the competent authorities of the financial entities concerned, require the critical ICT third-party service provider to temporarily suspend, either in part or completely, the use or deployment of a service provided to the financial entities concerned until the risks identified in the decisions addressed to critical ICT third-party providers have been addressed. Where necessary, they may require the critical ICT third-party service provider to terminate, in part or completely, the relevant contractual arrangements concluded with the financial entities.
Amendment 738 #
Proposal for a regulation
Article 37 – paragraph 4 – introductory part
Article 37 – paragraph 4 – introductory part
4. When taking the decisions referred to in paragraph 3, the Joint Oversight Body shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:
Amendment 749 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities shall participate in the work of the Cooperation Group as set out in Article 11 of Directive (EU) 2016/1148 in so far as that work concerns any aspect of the subject matter set out in Article 1 of this Regulation.
Amendment 750 #
Proposal for a regulation
Article 42 – paragraph 2 a (new)
Article 42 – paragraph 2 a (new)
2 a. The Joint Oversight Executive Body shall inform and cooperate with the relevant competent authorities designated under Directive (EU) 2016/1148 before conducting general investigations and inspections in accordance with Article 31(1)(b), and Articles 33 and 34 of this Regulation.
Amendment 751 #
Proposal for a regulation
Article 43 – paragraph 2
Article 43 – paragraph 2
2. Competent authorities, EBA, ESMA or EIOPA, national resolution authorities, the SRB and the ECB shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 42 to 48. They shall closely coordinate their supervision in order to identify and remedy breaches of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation and provide cross-jurisdictional assessments in the event of any disagreements.
Amendment 753 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
1. The Joint Oversight Body and the competent authorities shall have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under this Regulation.
Amendment 754 #
Proposal for a regulation
Article 44 – paragraph 4 – point e a (new)
Article 44 – paragraph 4 – point e a (new)
(e a) provide an automatic compensation to their service users and clients where an operational incident hampered the use of financial services for a period of more than 48 hours;
Amendment 756 #
Proposal for a regulation
Article 48 – paragraph 3 – introductory part
Article 48 – paragraph 3 – introductory part
3. Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case of natural persons, would be disproportionate, jeopardise the stability of financial markets or the pursuit of an on-going criminal investigation, or cause, insofar as these can be determined, disproportionate damages to the person involved, it shall adopt either of the following solutions in respect to the decision imposing an administrative sanction:
Amendment 757 #
Proposal for a regulation
Article 48 – paragraph 3 – point c
Article 48 – paragraph 3 – point c
(c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets, or where such a publication would not be proportional with the leniency of the imposed sanction.