
Activities of Mikuláš PEKSA related to 2020/0266(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014
2021/12/07
Committee: ECON
Dossiers: 2020/0266(COD)
Documents: PDF(481 KB) DOC(172 KB)
Authors: Billy KELLEHER (MEP ID 197818)

Amendments (75)

Amendment 162 #
Proposal for a regulation
Recital 10 a (new)
(10 a) Establishing and maintaining adequate network and information system infrastructures is also a fundamental precondition for effective risk data aggregation and risk reporting practices, which are in turn an essential requisite for the sound and sustainable risk management and decision-making processes of credit institutions. In 2013, the Basel Committee on Banking Supervision published a set of principles for effective risk data aggregation and risk reporting (‘BCBS 239’) based on two overarching principles of governance and IT infrastructure, to be implemented by the beginning of 2016. According to the Basel Progress Report of April 2020 and the ECB Report on the Thematic Review of May 2018 on effective risk data aggregation and risk reporting, the implementation progress made by global systemically important banks was unsatisfactory and a source of concern. In order to facilitate compliance and alignment with international standards, the Commission, in close cooperation with the ECB and after consulting EBA and ESRB, should produce a report in order to assess how the BCBS 239 principles interact with the provisions of the DORA Regulation and, if appropriate, how those principles should be incorporated into Union law.
2021/06/01
Committee: ECON
Amendment 163 #
Proposal for a regulation
Recital 12 – point 1
Through this exercise, which consolidates and updates rules on ICT risk, all provisions addressing digital risk in finance would for the first time be brought together in a consistent manner in a single legislative act. This initiative should thus fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third party risk monitoring. This initiative also intends to raise awareness of ICT risks and acknowledges that ICT incidents and lack of operational resilience might jeopardise the financial soundness of financial entities.
2021/06/01
Committee: ECON
Amendment 165 #
Proposal for a regulation
Recital 13 – introductory part
(13) Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of overuse of ICT systems, platforms and infrastructures, which entails increased digital risk.
2021/06/01
Committee: ECON
Amendment 168 #
Proposal for a regulation
Recital 16 – introductory part
(16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in respect to those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for the financial sector, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.
2021/06/01
Committee: ECON
Amendment 171 #
Proposal for a regulation
Recital 18
(18) It is also important to ensure consistency with both the European Critical Infrastructure (ECI) Directive, which is currently being reviewed in order to enhance the protection and resilience of critical infrastructures against non-cyber related threats, and the Directive on Resilience of Critical Entities, with possible implications for the financial sector. [31]
[31] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
2021/06/01
Committee: ECON
Amendment 186 #
Proposal for a regulation
Recital 30
(30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, notably uncertainty over the compatibility with the data protection, anti-trust and liability rules. It is therefore important to strengthen cooperation arrangements and reporting amongst financial entities and the competent authorities as well as information-sharing with the public, with a view to developing an open intelligence sharing framework and a 'security by design' approach, which are essential in order to increase the operational resilience and preparedness of the financial sector with regard to cyber threats.
2021/06/01
Committee: ECON
Amendment 206 #
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The Joint Oversight Body overseeing critical ICT third-party providers should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified. [38]
[38] In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
2021/06/01
Committee: ECON
Amendment 214 #
Proposal for a regulation
Recital 54
(54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. In addition, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In that regard, credit institutions should include, in the relevant contracts for ICT services, resolution-resilient clauses, which ensure, among other requirements, non-termination, suspension or modification on the grounds of resolution as long as substantive obligations continue to be performed.
2021/06/01
Committee: ECON
Amendment 219 #
Proposal for a regulation
Recital 60
(60) To leverage the current multi-layered institutional architecture in the financial services area, the Joint Committee of the ESAs should continue to ensure the overall cross-sectoral coordination in relation to all matters pertaining to ICT risk, in accordance with its tasks on cybersecurity, through a new Subcommittee (the Joint Oversight Body) adopting both individual decisions addressed to critical ICT third-party service providers and collective recommendations, notably on benchmarking the oversight programs of critical ICT third-party service providers, and identifying best practices for addressing ICT concentration risk issues.
2021/06/01
Committee: ECON
Amendment 220 #
Proposal for a regulation
Recital 61
(61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale, the Joint Oversight Body should be responsible for the supervision of each critical ICT third-party service provider and rely on joint examination teams.
2021/06/01
Committee: ECON
Amendment 223 #
Proposal for a regulation
Recital 62 – introductory part
(62) The Joint Oversight Body should enjoy the necessary powers to conduct investigations, onsite and offsite inspections at critical ICT third-party service providers, access all relevant premises and locations and obtain complete and updated information to enable them to acquire real insight into the type, dimension and impact of the ICT third-party risk posed to the financial entities and ultimately to the Union’s financial system.
2021/06/01
Committee: ECON
Amendment 227 #
Proposal for a regulation
Recital 66
(66) To leverage technical expertise of competent authorities’ experts on operational and ICT risk management, the Joint Oversight Body should rely on joint examination teams composed by national supervisory experts and dedicated ESAs staff for each individual critical ICT third-party service provider, pooling together multidisciplinary teams supporting both the preparation and the actual execution of oversight activities, including onsite inspections of critical ICT third-party service providers, as well as needed follow-up thereof.
2021/06/01
Committee: ECON
Amendment 233 #
Proposal for a regulation
Recital 67
(67) Competent authorities, including the Joint Oversight Body, should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant competent authorities, including ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013 [39], and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities. The Single Resolution Board and national resolution authorities should be involved in the mechanisms for the mutual exchange of information for entities referred to in Article 7 of Regulation (EU) No 806/2014. National resolution authorities should provide a summary of the reported incidents for entities under their remit to the Single Resolution Board on a quarterly basis.
[39] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
2021/06/01
Committee: ECON
Amendment 247 #
Proposal for a regulation
Article 2 – paragraph 1 – point f
(f) central securities depositories and operators of securities settlement systems,
2021/06/01
Committee: ECON
Amendment 264 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) operators of payment schemes and payment systems.
2021/06/01
Committee: ECON
Amendment 268 #
Proposal for a regulation
Article 2 – paragraph 1 a (new)
1 a. Chapter III of this Regulation applies to all payment service providers as defined in Directive (EU) 2015/2366.
2021/06/01
Committee: ECON
Amendment 273 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality;
2021/06/01
Committee: ECON
Amendment 276 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘operational risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems, including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event, which, if materialised, may compromise the security of the network and information systems, of any technology-dependant tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
2021/06/01
Committee: ECON
Amendment 282 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘operational incident’ means any event which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity;
2021/06/01
Committee: ECON
Amendment 290 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘major operational incident’ means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity;
2021/06/01
Committee: ECON
Amendment 300 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15 a (new)
(15 a) 'intra-group ICT third-party service provider' means an ICT third-party service provider that is in a consolidated situation with a financial entity, or that is within the same group as a financial entity, as defined in Regulation (EU) No 575/2013.
2021/06/01
Committee: ECON
Amendment 341 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point f
(f) allocate and periodically review appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant training on ICT risks and skills for all relevant staff;
2021/06/01
Committee: ECON
Amendment 355 #
Proposal for a regulation
Article 5 – paragraph 5
5. Financial entities other than microenterprises shall assign the responsibility for managing and overseeing ICT-related risks to a control function and ensure the independence and objectivity of that control function to avoid conflicts of interest. They shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.
2021/06/01
Committee: ECON
Amendment 371 #
Proposal for a regulation
Article 5 – paragraph 10
10. Upon approval of competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings. Where such outsourcing occurs, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.
2021/06/01
Committee: ECON
Amendment 398 #
Proposal for a regulation
Article 8 – paragraph 3 – point c
(c) prevent information leakagebreach of confidentiality;
2021/06/01
Committee: ECON
Amendment 440 #
Proposal for a regulation
Article 11 – paragraph 5 – introductory part
5. Financial entities referred to in point (f) of Article 2(1) shall maintain or ensure that their ICT third-party providers maintain at least one secondary processing site endowed with resources, capabilities, functionalities and staffing arrangements sufficient and appropriate to ensure business needs.
2021/06/01
Committee: ECON
Amendment 488 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
1. Financial entities shall report major operational incidents to the single EU hub as referred to in Article 19, within the time-limits laid down in paragraph 3. Where the major operational incident also amounts to a personal data breach, financial entities shall notify it to the relevant data protection authority and to the affected data subjects, where relevant, in line with Article 33 of Regulation 2016/679.
2021/06/01
Committee: ECON
Amendment 491 #
Proposal for a regulation
Article 17 – paragraph 1 – subparagraph 1
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, an incident report using the template referred to in Article 18 and submit it to the single EU hub.
2021/06/01
Committee: ECON
Amendment 497 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident. Where such incident materialises, the financial entities shall release a public statement, in addition to individually informing their service users and clients.
2021/06/01
Committee: ECON
Amendment 499 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
2 a. Where the risk of a major ICT-related incident emerges but does not materialise due to the counter measures adopted, financial entities may release a public statement instead of individually informing their service users and clients.
2021/06/01
Committee: ECON
Amendment 500 #
Proposal for a regulation
Article 17 – paragraph 2 b (new)
2 b. Where a major operational incident causes financial losses to their service users and clients, financial entities shall be liable for the compensation of the proven losses incurred by those service users and clients.
2021/06/01
Committee: ECON
Amendment 501 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
3. Financial entities shall submit to the single EU hub as referred to in Article 19:
2021/06/01
Committee: ECON
Amendment 503 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without delay, but no later than 24 hours after the operational incident is classified as major by the financial entity;
2021/06/01
Committee: ECON
Amendment 516 #
Proposal for a regulation
Article 17 – paragraph 4
4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant competent authority referred to in Article 41.
(deleted)
2021/06/01
Committee: ECON
Amendment 521 #
Proposal for a regulation
Article 17 – paragraph 5
5. Upon receipt of the report referred to in paragraph 1, the competent authority shall, without undue delay, provide details of the incident to: (a) EBA, ESMA or EIOPA, as appropriate; (b) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1); and (c) the single point of contact designated under Article 8 of Directive (EU) 2016/1148.
(deleted)
2021/06/01
Committee: ECON
Amendment 525 #
Proposal for a regulation
Article 17 – paragraph 6
6. EBA, ESMA or EIOPA and the ECB, in cooperation with ENISA, shall assess the relevance of the major ICT-related incident to other relevant public authorities and notify them accordingly as soon as possible. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.
2021/06/01
Committee: ECON
Amendment 527 #
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and ENISA after consultation with the ECB, shall develop:
2021/06/01
Committee: ECON
Amendment 532 #
Proposal for a regulation
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall establish and operate a single EU Hub for major operational incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
2021/06/01
Committee: ECON
Amendment 536 #
Proposal for a regulation
Article 19 – paragraph 2
2. The report referred to in the paragraph 1 shall comprise at least the following elements: (a) prerequisites for the establishment of such an EU Hub; (b) benefits, limitations and possible risks; (c) elements of operational management; (d) conditions of membership; (e) modalities for financial entities and national competent authorities to access the EU Hub; (f) a preliminary assessment of financial costs entailed by the setting-up the operational platform supporting the EU Hub, including the required expertise.
(deleted)
2021/06/01
Committee: ECON
Amendment 540 #
Proposal for a regulation
Article 19 – paragraph 2 a (new)
2 a. The EU Hub shall collect and maintain incident data and shall ensure that the entities referred to in paragraph 3 have direct and immediate access to the relevant information.
2021/06/01
Committee: ECON
Amendment 542 #
Proposal for a regulation
Article 19 – paragraph 3
3. The EU Hub shall make the necessary information available to the following entities to enable them to fulfil their respective responsibilities and mandates:
(a) competent authorities as referred to in Article 41;
(b) EBA, ESMA or EIOPA, as appropriate;
(c) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1);
(d) the single point of contact designated under Article 8 of Directive (EU) 2016/1148;
(e) the Single Resolution Board (SRB), for entities referred to in Article 7(2) of Regulation (EU) No 806/2014, and national resolution authorities in relation to entities referred to in Article 7(3) of Regulation (EU) No 806/2014.
2021/06/01
Committee: ECON
Amendment 543 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3 a. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop common draft regulatory technical standards specifying the following:
(a) modalities and operational standards for the collection and aggregation of incident reporting information and for the entities referred to in paragraph 3 to access that information;
(b) the terms and conditions, the arrangements and the required documentation under which access to the EU Hub is granted to the entities referred to in paragraph 3;
(c) the conditions for membership of financial entities.
2021/06/01
Committee: ECON
Amendment 561 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Such testing shall not adversely impact other users of the ICT third-party service providers.
2021/06/01
Committee: ECON
Amendment 572 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. The ESAs shall, in coordination with ENISA and after consulting the ECB and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, develop one set of draft regulatory technical standards to specify further:
2021/06/01
Committee: ECON
Amendment 604 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 a (new)
8 a. With a view to reducing the risk of disruptions at the level of the financial entity, in duly justified circumstances and in agreement with their competent authorities, financial entities may not terminate the contractual arrangement with the ICT third-party service provider until they are able to switch to another ICT third-party service provider or change to on-premises solutions consistent with the complexity of the service provided, in accordance with the exit strategy referred to in paragraph 9.
2021/06/01
Committee: ECON
Amendment 636 #
Proposal for a regulation
Article 27 – paragraph 2 – point j
(j) termination rights and related minimum notice periods for the termination of the contract, in accordance with competent authorities’ and resolution authorities' expectations;
2021/06/01
Committee: ECON
Amendment 640 #
Proposal for a regulation
Article 27 – paragraph 2 – point k – point i
(i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity or to ensure its effective resolution and restructuring;
2021/06/01
Committee: ECON
Amendment 648 #
Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. The ESAs, through the Joint Committee and upon recommendation from the Joint Oversight Body established pursuant to Article 29(1), after consultation with the ENISA, shall:
2021/06/01
Committee: ECON
Amendment 649 #
Proposal for a regulation
Article 28 – paragraph 1 – point a a (new)
(a a) be responsible for the supervision and oversight of critical ICT third-party service providers in relation to the services they provide to financial entities.
2021/06/01
Committee: ECON
Amendment 651 #
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) adopt decisions addressed to critical ICT third-party service providers;
2021/06/01
Committee: ECON
Amendment 669 #
Proposal for a regulation
Article 28 – paragraph 6
6. The Joint Oversight Body, in consultation with ENISA, shall establish, publish and yearly update the list of critical ICT third-party service providers at Union level.
2021/06/01
Committee: ECON
Amendment 678 #
Proposal for a regulation
Article 28 a (new)
Article 28 a
Minimum requirements for critical ICT third-party providers
1. Critical ICT third-party providers shall have in place internal governance and control frameworks that ensure an effective and prudent management of all operational risks linked directly or indirectly to the services provided to financial entities.
2. Critical ICT third-party providers shall have an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling an effective ICT risk management of all ICT risks linked directly or indirectly to the services provided to financial entities.
3. The management body of the critical ICT third-party providers shall define, approve, oversee and be accountable for the implementation of all arrangements related to the operational risk management framework of all operational risks linked directly or indirectly to the services provided to financial entities.
4. Critical ICT third-party providers shall have a sound, comprehensive, up-to-date and well-documented operational risk management framework to address operational risk linked directly or indirectly to the services provided to financial entities quickly, efficiently and comprehensively and to ensure a maximal level of operational resilience.
5. Critical ICT third-party providers shall continually monitor and effectively identify operational risks and anomalies linked directly or indirectly to the services provided to financial entities.
6. Critical ICT third-party providers shall effectively manage and resolve all anomalies and incidents linked directly or indirectly to the services provided to financial entities, in particular cyber-attacks.
7. Critical ICT third-party providers shall ensure that regular and thorough ICT audits of the services provided to financial entities are conducted.
8. Critical ICT third-party providers shall use reliable and resilient ICT systems, protocols and tools (including premises, facilities and data centres) to provide their services to financial entities. Those ICT systems, protocols and tools shall:
a. guarantee data security, integrity, confidentiality and continuity, and service availability, scalability and quality;
b. have sufficient capacity to maintain performance through peaks in usage;
c. minimise the impact of operational risks.
9. Critical ICT third-party providers shall maintain robust mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities.
10. Critical ICT third-party providers shall use and maintain updated and state-of-the-art ICT systems, protocols and tools to provide their services to financial entities.
11. Critical ICT third-party providers shall ensure that any contracting arrangements they enter into with other ICT service providers do not create risks for the provision of services to financial entities or risks to financial stability. Critical ICT third-party providers should ensure that the Joint Oversight Body is able to obtain promptly, upon request, access to the relevant information concerning such arrangements.
12. Critical ICT third-party providers shall have in place a dedicated operational business continuity policy to enable them to quickly, appropriately and effectively respond to and resolve operational incidents linked directly or indirectly to the services provided to financial entities. Critical ICT third-party providers should have in place an associated dedicated disaster recovery plan.
13. To minimise downtime and disruption of the service they provide to financial entities, critical ICT third-party providers shall offer comprehensive, reliable and effective backup and recovery.
14. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by determining the specific minimum requirements applicable to critical ICT third-party service providers.
2021/06/01
Committee: ECON
Amendment 679 #
Proposal for a regulation
Article 29 – paragraph 1 – introductory part
1. The Joint Oversight Body shall be established for the purposes of overseeing ICT third-party risk across financial sectors and conducting direct oversight of ICT third-party service providers designated as critical pursuant to Article 28.
2021/06/01
Committee: ECON
Amendment 681 #
Proposal for a regulation
Article 29 – paragraph 4
4. The Joint Oversight Body shall be composed of the Executive Directors of the ESAs, and two independent members appointed on the basis of merit, skills and knowledge of ICT risks. One representative from the European Commission, from the ESRB, from ECB and from ENISA shall participate in the Joint Oversight Body as observers. Following each designation of critical ICT third-party service providers pursuant to Article 28(6), the Joint Oversight Body shall decide, in addition to the dedicated staff from the ESAs, which national competent authorities are to be members of the joint examination team, taking into account the following factors:
(a) the number of critical ICT third-party service providers established or providing services in a Member State;
(b) the reliance of the financial entities in a Member State on critical ICT third-party service providers;
(c) the relative expertise, available resources and capacity of a national competent authority.
2021/06/01
Committee: ECON
Amendment 685 #
Proposal for a regulation
Article 29 – paragraph 5
5. The Commission is empowered to adopt a delegated act in accordance with Article 50 to specify the cooperation modalities between the Joint Oversight Body and the competent authorities for the purposes of this Section on the detailed procedures and conditions relating to the execution of tasks between competent authorities and the Joint Oversight Body and details on exchanges of information needed by competent authorities to ensure the follow-up of the decisions adopted by the Joint Oversight Body pursuant to point (d) of Article 31(1) to critical ICT third-party providers.
2021/06/01
Committee: ECON
Amendment 688 #
Proposal for a regulation
Article 29 – paragraph 7
7. The Joint Oversight Body shall present yearly to the European Parliament, the Council and the Commission a report on the application of this Section.
2021/06/01
Committee: ECON
Amendment 689 #
Proposal for a regulation
Article 30 – title
Tasks of the Joint Oversight Body
2021/06/01
Committee: ECON
Amendment 690 #
Proposal for a regulation
Article 30 – paragraph 1
1. The Joint Oversight Body shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities.
2021/06/01
Committee: ECON
Amendment 695 #
Proposal for a regulation
Article 31 – title
Powers and responsibilities of the Joint Oversight Body
2021/06/01
Committee: ECON
Amendment 696 #
Proposal for a regulation
Article 31 – paragraph 1 – introductory part
1. For the purposes of carrying out the duties laid down in this Section, the Joint Oversight Body shall have the following powers in respect of the services provided by critical ICT third-party service providers to financial entities:
2021/06/01
Committee: ECON
Amendment 698 #
Proposal for a regulation
Article 31 – paragraph 1 – point d – introductory part
(d) to take decisions on the areas referred to in Article 30(2), in particular concerning the following:
2021/06/01
Committee: ECON
Amendment 702 #
Proposal for a regulation
Article 31 – paragraph 1 a (new)
1 a. When exercising the powers referred to in paragraph 1, the Joint Oversight Body shall coordinate with the relevant national competent authority established by Directive (EU) 2016/1148 to avoid inconsistencies or duplication with rules established under Directive (EU) 2016/1148.
2021/06/01
Committee: ECON
Amendment 703 #
Proposal for a regulation
Article 31 – paragraph 2
2. The Lead Overseer shall consult the Oversight Forum before exercising the powers referred to in paragraph 1.
deleted
2021/06/01
Committee: ECON
Amendment 710 #
Proposal for a regulation
Article 31 – paragraph 8
8. The Joint Oversight Body shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure to the public would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
2021/06/01
Committee: ECON
Amendment 726 #
Proposal for a regulation
Article 37 – paragraph 1
1. Within 30 calendar days after the receipt of the decisions issued by the Joint Oversight Body pursuant to point (d) of Article 31(1), critical ICT third-party service providers shall notify the Lead Overseer whether they have complied with those decisions. The Joint Oversight Body shall immediately transmit this information to the competent authorities of the financial entities concerned.
2021/06/01
Committee: ECON
Amendment 729 #
Proposal for a regulation
Article 37 – paragraph 2
2. Competent authorities shall monitor whether financial entities take into account the risks identified in the decisions addressed to critical ICT third-party providers by the Joint Oversight Body in accordance with points (d) of Article 31(1). The Joint Oversight Body shall monitor whether the critical ICT third-party providers have addressed the risks identified in those decisions.
2021/06/01
Committee: ECON
Amendment 731 #
Proposal for a regulation
Article 37 – paragraph 3
3. The Joint Oversight Body may, in accordance with Article 44, after consultation with the competent authorities of the financial entities concerned, require the critical ICT third-party service provider to temporarily suspend, either in part or completely, the use or deployment of a service provided to the financial entities concerned until the risks identified in the decisions addressed to critical ICT third-party providers have been addressed. Where necessary, they may require the critical ICT third-party service provider to terminate, in part or completely, the relevant contractual arrangements concluded with the financial entities.
2021/06/01
Committee: ECON
Amendment 738 #
Proposal for a regulation
Article 37 – paragraph 4 – introductory part
4. When taking the decisions referred to in paragraph 3, the Joint Oversight Body shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:
2021/06/01
Committee: ECON
Amendment 749 #
Proposal for a regulation
Article 42 – paragraph 1
1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities shall participate in the work of the Cooperation Group as set out in Article 11 of Directive (EU) 2016/1148 in so far as that work concerns any aspect of the subject matter set out in Article 1 of this Regulation.
2021/06/01
Committee: ECON
Amendment 750 #
Proposal for a regulation
Article 42 – paragraph 2 a (new)
2 a. The Joint Oversight Executive Body shall inform and cooperate with the relevant competent authorities designated under Directive (EU) 2016/1148 before conducting general investigations and inspections in accordance with Article 31(1)(b), and Articles 33 and 34 of this Regulation.
2021/06/01
Committee: ECON
Amendment 751 #
Proposal for a regulation
Article 43 – paragraph 2
2. Competent authorities, EBA, ESMA or EIOPA, national resolution authorities, the SRB and the ECB shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 42 to 48. They shall closely coordinate their supervision in order to identify and remedy breaches of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation and provide cross-jurisdictional assessments in the event of any disagreements.
2021/06/01
Committee: ECON
Amendment 753 #
Proposal for a regulation
Article 44 – paragraph 1
1. The Joint Oversight Body and the competent authorities shall have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under this Regulation.
2021/06/01
Committee: ECON
Amendment 754 #
Proposal for a regulation
Article 44 – paragraph 4 – point e a (new)
(e a) provide an automatic compensation to their service users and clients where an operational incident hampered the use of financial services for a period of more than 48 hours;
2021/06/01
Committee: ECON
Amendment 756 #
Proposal for a regulation
Article 48 – paragraph 3 – introductory part
3. Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case of natural persons, would be disproportionate, jeopardise the stability of financial markets or the pursuit of an on-going criminal investigation, or cause, insofar as these can be determined, disproportionate damages to the person involved, it shall adopt either of the following solutions in respect to the decision imposing an administrative sanction:
2021/06/01
Committee: ECON
Amendment 757 #
Proposal for a regulation
Article 48 – paragraph 3 – point c
(c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets, or where such a publication would not be proportional with the leniency of the imposed sanction.
2021/06/01
Committee: ECON