105 Amendments of Bogdan RZOŃCA related to 2020/0266(COD)
Amendment 200 #
Proposal for a regulation
Recital 44
Recital 44
(44) In order to achieve robust digital operational resilience, and in line with international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing, financial entities should regularly test their ICT systems and staff with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests). Digital operational resilience testing should thus be more demanding for significant financial entities (such as large credit institutions, stock exchanges, central securities depositories, central counterparties, etc.). At the same time, digital operational resilience testing should also be more relevant for some subsectors playing a core systemic role (e.g. payments, banking, clearing and settlement), and less relevant for other subsectors (e.g. asset managers, credit rating agencies, etc.). Cross-border financial entities exercising their freedom of establishment or provision of services within the Union should comply with a single set of advanced testing requirements (e.g. TLPT) in their home Member State, and that test should include the ICT infrastructures in all jurisdictions where the cross-border group operates within the Union, thus allowing cross-border groups to incur testing costs in one jurisdiction only. Furthermore, in order to strengthen cooperation in the field of resilience of financial entities with trusted third countries, the Commission and competent authorities should seek to establish a framework for mutual recognition of TLPTs results.
Amendment 250 #
Proposal for a regulation
Article 2 – paragraph 1 – point n
Article 2 – paragraph 1 – point n
Amendment 261 #
Proposal for a regulation
Article 2 – paragraph 1 – point q
Article 2 – paragraph 1 – point q
Amendment 262 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
Article 2 – paragraph 1 – point u a (new)
(u a) ICT intra-group service providers, when providing ICT services related to critical or important functions, with the exception of Section II of Chapter V of this Regulation that is not applicable to such providers,
Amendment 280 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
Article 3 – paragraph 1 – point 6
(6) ‘ICT-related incident’ means an unforeseen identified occurrence y event compromising the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, stavailability, authenticity, integrity or confidentiality of stored, transmitted or processed data ore orf transmit, or has adverse effects on the availability, confidentiality, continuity he related services offered by, or accessible via, network authenticity of financial services provided by the financial entity;nd information systems.
Amendment 287 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Article 3 – paragraph 1 – point 7
(7) ‘major ICT-related incident’ means an ICT-related incident with a potentially highn anticipated significant adverse impact on the network and information systems that support critical functions of the financial entity;
Amendment 296 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15
Article 3 – paragraph 1 – point 15
(15) ‘ICT third-party service provider’ means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centrICT services, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council43 ; ; _________________ 43Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)(OJ L 321, 17.12.2018, p. 36).
Amendment 301 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15 a (new)
Article 3 – paragraph 1 – point 15 a (new)
(15 a) ‘ICT intra-group service provider’ means an undertaking that provides ICT services exclusively to financial entities within the same group;
Amendment 302 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
Article 3 – paragraph 1 – point 16
(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services;
Amendment 340 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point d
Article 4 – paragraph 2 – subparagraph 1 – point d
(d) approve, oversee and periodically review the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan referred to in, respectively, paragraphs 1 and 3 of Article 10;which may be prepared as a independent section of the broader Business Continuity Policy and Disaster Recovery Plan respectively, in order to manage and mitigate risks that could have a harmful effect on the financial entity's ICT systems and ICT services and to facilitate their swift recovery if necessary.
Amendment 342 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point i
Article 4 – paragraph 2 – subparagraph 1 – point i
(i) be duregularly informed about major ICT-related incidents and their impact and about response, recovery and corrective measures.
Amendment 346 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. Members of the management body shall, on a regular basis, follow specific training to gain and keep up to date sufficientgeneral knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.
Amendment 354 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
5. Financial entities other than microenterprises shall ensure appropriate segregationindependence of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.
Amendment 357 #
Proposal for a regulation
Article 5 – paragraph 7
Article 5 – paragraph 7
Amendment 359 #
Proposal for a regulation
Article 5 – paragraph 9 – introductory part
Article 5 – paragraph 9 – introductory part
9. The ICT risk management framework referred to in paragraph 1 shall include a digital resilience strategy setting out how the framework is implemented. To that effect it shall include the methods to address ICT risk and attain specific ICT objectives, by:
Amendment 360 #
Proposal for a regulation
Article 5 – paragraph 9 – point b
Article 5 – paragraph 9 – point b
(b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance of ICT disruptions;
Amendment 362 #
Proposal for a regulation
Article 5 – paragraph 9 – point d
Article 5 – paragraph 9 – point d
(d) explaining the ICT reference architecture and any changes needed to reach specific business objectives;
Amendment 363 #
Proposal for a regulation
Article 5 – paragraph 9 – point g
Article 5 – paragraph 9 – point g
Amendment 368 #
Proposal for a regulation
Article 5 – paragraph 9 – point i
Article 5 – paragraph 9 – point i
(i) outlining a communication strategy in case of ICT-related incidents for the purpose of the requirements set out in Article 13.
Amendment 369 #
Proposal for a regulation
Article 5 – paragraph 9 – point i a (new)
Article 5 – paragraph 9 – point i a (new)
(i a) reflecting on other available technology tools and solutions that could enhance the continuity and resilience of the financial entity's critical operations.
Amendment 373 #
Proposal for a regulation
Article 5 – paragraph 10
Article 5 – paragraph 10
10. Upon approval ofinforming the competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or, after prior approval, to external undertakings.
Amendment 378 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all ICT-related businesscritical or important functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.
Amendment 381 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. Financial entities shall on a continuous basis identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT-related businesscritical or important functions and information assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
Amendment 384 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. Financial entities other than microenterprises shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their functions, supporting processes or information assets. Subject to supervisory assessment, it shall be for the financial entity in each case to determine whether a major change for the purposes of this paragraph has occurred.
Amendment 385 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Financial entities shall identify all ICT systems accounts, including those on remote sites, the network resources and hardware equipment, and shall map physical equipment considered critical. They shall map the configuration of the ICT assetscritical or important ICT assets having regard to their purpose and the links and interdependencies between those different ICT assets.
Amendment 389 #
Proposal for a regulation
Article 7 – paragraph 7
Article 7 – paragraph 7
7. Following a risk-based approach, financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on allrelevant legacy ICT systems, especially before and after connecting old and new technologies, applications or systems.
Amendment 390 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
2. Financial entities shall design, procure and implement ICT security strategies, policies, procedures, protocols and tools that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems, and maintaining high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.
Amendment 393 #
3. To achieve the objectives referred to in paragraph 2, financial entities shall use state-of-the-art ICT technology and processes which:
Amendment 396 #
Proposal for a regulation
Article 8 – paragraph 3 – point a
Article 8 – paragraph 3 – point a
(a) guaranteekeep at a minimum the security of the means of transfer of information;
Amendment 399 #
Proposal for a regulation
Article 8 – paragraph 4 – introductory part
Article 8 – paragraph 4 – introductory part
4. AFollowing a risk-based approach and taking into account the financial entity's risk profile, as part of the ICT risk management framework referred to in Article 5(1), financial entities shall:
Amendment 402 #
Proposal for a regulation
Article 8 – paragraph 4 – point b
Article 8 – paragraph 4 – point b
(b) following a risk-based approach, establish a sound network and infrastructure management using appropriate techniques, methods and protocols includingand which may consist of implementing automated mechanisms to isolate affected information assets in case of cyber-attacks;
Amendment 408 #
Proposal for a regulation
Article 9 – paragraph 1 – introductory part
Article 9 – paragraph 1 – introductory part
1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and if technologically available, to identify all potential material single points of failure.
Amendment 409 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger ICT-related incident detection and ICT-related incident response processes, and shall put in placeincluding automatic alert mechanisms for relevant staff in charge of ICT-related incident response.
Amendment 412 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1) and bBased on the identification requirements set out in Article 7, financial entities shall put in place a dedicated and comprehensive ICT Business Continuity Policy as an integral part of the operational business continuity policy of the financial entity. business continuity and disaster recovery plans, which could be prepared as a dedicated ICT Business Continuity Policy. Financial entities shall implement those dedicated, appropriate and documented arrangements, plans, procedures and mechanisms. Financial entities shall specifically consider risks that could have a harmful impact on ICT services and ICT systems. The plans shall support objectives to protect, and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. The plans shall further aim to: a) activate without delay dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored responses and recovery methods established in accordance with Article 11; b) estimate preliminary impacts, damages and losses; Financial entities shall coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans.
Amendment 413 #
Proposal for a regulation
Article 10 – paragraph 2 – introductory part
Article 10 – paragraph 2 – introductory part
2. Financial entities shall implement the ICT BThe overseeing authority, in cooperation with the Platform on Cybersecurity of Financial Sector, shall develop guidelines containing best practices and recommendations concerning the business Ccontinuity Policyand disaster recovery plans referred to in paragraph 1 through dedicated, appropriate and documented arrangements, plans, procedures anby [PO: insert date 1 year after the date of entry into force of this Regulation]. Those guidelines shall be reviewed at least once a year, or whenever deemed mnechanisms aimed at:essary by the Platform on Cybersecurity of Financial Sector.
Amendment 414 #
Proposal for a regulation
Article 10 – paragraph 2 – point a
Article 10 – paragraph 2 – point a
Amendment 415 #
Proposal for a regulation
Article 10 – paragraph 2 – point b
Article 10 – paragraph 2 – point b
Amendment 416 #
Proposal for a regulation
Article 10 – paragraph 2 – point c
Article 10 – paragraph 2 – point c
Amendment 417 #
Proposal for a regulation
Article 10 – paragraph 2 – point d
Article 10 – paragraph 2 – point d
Amendment 418 #
Proposal for a regulation
Article 10 – paragraph 2 – point e
Article 10 – paragraph 2 – point e
Amendment 419 #
Proposal for a regulation
Article 10 – paragraph 2 – point f
Article 10 – paragraph 2 – point f
Amendment 420 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
Amendment 423 #
Proposal for a regulation
Article 10 – paragraph 4
Article 10 – paragraph 4
4. Financial entities shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important ICT functions outsourced or contracted through arrangements with ICT third-party service providers.
Amendment 425 #
Proposal for a regulation
Article 10 – paragraph 5 – point a
Article 10 – paragraph 5 – point a
(a) test the ICT Business Continuity Policy and the ICT Disaster Recovery Plan at least yearly and after substantivemajor changes to thecritical or important ICT systems;
Amendment 430 #
Proposal for a regulation
Article 10 – paragraph 7
Article 10 – paragraph 7
7. Financial entities shall keep records of relevant activities before and during disruption events when their ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated. Such records shall be readily available to the relevant competent authority if requested.
Amendment 431 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
Amendment 435 #
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Article 11 – paragraph 1 – introductory part
1. For the purpose of ensuring the restoration of ICT systems with minimum downtime and limited disruption, as part of their ICT risk management frameworkbusiness continuity and disaster recovery plans referred to in Article 10, financial entities shall develop:
Amendment 438 #
Proposal for a regulation
Article 11 – paragraph 4
Article 11 – paragraph 4
4. Financial entities shall maintain redundant ICT capacities equipped with resources capabilities and functionalities that are sufficient and adequate to ensure business needthe financial entity is capable to ensure its resilience objectives for critical and important functions.
Amendment 442 #
Proposal for a regulation
Article 11 – paragraph 5 – subparagraph 1 – point a
Article 11 – paragraph 5 – subparagraph 1 – point a
(a) located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile, designed or capable, in order to ensure a distinct risk profile as compared to the primary site, and to prevent it from being affected by the evincident which has affected the primary site;
Amendment 446 #
Proposal for a regulation
Article 11 – paragraph 7
Article 11 – paragraph 7
7. When recovering from an ICT- related incident, financial entities shall perform multiple checks, including reconciliations, in order to ensure that the level of data integrity is of the highest level. These checks shall also be performedas well as when reconstructing data from external stakeholders, fin order to ensure that all data is consistent between systemsancial entities shall ensure that the level of data integrity is of the highest level.
Amendment 449 #
Proposal for a regulation
Article 12 – paragraph 2 – introductory part
Article 12 – paragraph 2 – introductory part
2. Financial entities shall put in place post major ICT-related incident reviews after significant ICT disruptions of their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT Business Continuity Policy referred to in Article 10.
Amendment 457 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT- related incidents or major vulnerabilities to clients and counterparts as well as to the public, as appropriate.
Amendment 466 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Financial entities shall establish appropriate processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to make sure that root causes are identified and eradicatedaddressed in order to prevent the occurrence of such incidents.
Amendment 469 #
Proposal for a regulation
Article 15 – paragraph 3 – point d
Article 15 – paragraph 3 – point d
(d) ensure that major ICT-related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;
Amendment 477 #
Proposal for a regulation
Article 16 – paragraph 2 – introductory part
Article 16 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultin coordination with the European Central Bank (ECB) and ENISA, develop common draft regulatory technical standards further specifying the following:
Amendment 480 #
Proposal for a regulation
Article 16 – paragraph 2 – point b
Article 16 – paragraph 2 – point b
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT- related incidents to other Member States’ jurisdictions, and the details of major ICT- related incidents reports to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
Amendment 495 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of allrelevant measures which have been taken to mitigate the adverse effects of such incident.
Amendment 505 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
Article 17 – paragraph 3 – point a
(a) an initial notification, without delay, but no later than the end of the business day, or, in case of a major ICT- related incident that took place later and in any event withain 24 hours before the end of the business day, not later than 4 hours from the beginning of the next business dayof becoming aware of the incident, or, where reporting channels are not available, as soon as they become available;
Amendment 510 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
Article 17 – paragraph 3 – point b
(b) an intermediateitial report, nto later than 1 week after the initial notification referred to in point (a), followed as appropriate by updated notifications every time a relevant status update is availablebe updated as soon as possible after a financial entity becomes aware that the status of the original incident has changed significantly or new information has come to light that could have a major impact on how the incident is addressed by the competent authority, as well as upon a specific request of the competent authority;
Amendment 514 #
Proposal for a regulation
Article 17 – paragraph 3 – subparagraph 1 (new)
Article 17 – paragraph 3 – subparagraph 1 (new)
The relevant competent authority as referred to in Article 41 shall provide that, in duly justified cases, a financial entity is permitted to deviate from the deadlines set out in points (a), (b) and (c) of this paragraph.
Amendment 517 #
Proposal for a regulation
Article 17 – paragraph 4
Article 17 – paragraph 4
4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider after agreeing a contractual provision with the ICT third-party service provider concerned, upon approval of the delegation by the relevant competent authority referred to in Article 41.
Amendment 522 #
Proposal for a regulation
Article 17 – paragraph 5 – introductory part
Article 17 – paragraph 5 – introductory part
5. Upon receipt of the report referred to in paragraph 1, the competent authority shall, without undue delay, provide details and while respecting high security standards and after assessing potential risks, provide relevant information ofn the incident to:
Amendment 533 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The ESAs, through the Joint Committee and in consultoperation with ECB and, ENISA and the Platform on Cybersecurity of Financial Sector, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
Amendment 539 #
Proposal for a regulation
Article 19 – paragraph 2 – point b a (new)
Article 19 – paragraph 2 – point b a (new)
(b a) capability to establish the interoperability and assess its added value with regard to other relevant reporting schemes, such as in Directive (EU) 2016/1148.
Amendment 547 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. The ESAs shall, through the Joint Committee, report yearly on an anonymised and aggregated basis on the major ICT-related incident notifications received from competent authorities, setting out at least the number of ICT- related major incidents, their nature, impact on the operations of financial entities or customers, estimated costs and remedial actions taken.
Amendment 553 #
Proposal for a regulation
Article 21 – paragraph 5
Article 21 – paragraph 5
5. Financial entities shall establish procedures and policies to prioritise, classify and remedyaddress all issues acknowledged throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
Amendment 554 #
Proposal for a regulation
Article 21 – paragraph 6
Article 21 – paragraph 6
6. Financial entities shallallowing a risk-based approach, financial entities shall ensure that appropriate tests allre performed on critical ICT systems and applications at least yearly.
Amendment 557 #
Proposal for a regulation
Article 23 – paragraph 2 – introductory part
Article 23 – paragraph 2 – introductory part
2. Threat led penetration testing shall cover at least the critical or important functions and services of a financial entity, and shall be performed on live production systems supporting such functions. The precise scope of threat led penetration testing, based on the assessment of critical functions and services, shall be determined by financial entities and shall be validated by the competent authorities. Numerous tests may be required to cover all of the critical functions and services of financial entities.
Amendment 559 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Article 23 – paragraph 2 – subparagraph 2
Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Where the involvement of an ICT third- party service provider in the threat led penetration testing could have an impact on the quality, confidentiality or security of the provision of the ICT third-party service provider's services to other customers that do not fall within the scope of this Regulation or on the overall integrity of the ICT third-party service provider's operations, the financial entity and the ICT third-party service provider may contractually agree that the ICT third party service provider is permitted to directly enter into contractual arrangements with an external tester to conduct pooled testing for its financial entity customers.
Amendment 563 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 3
Article 23 – paragraph 2 – subparagraph 3
Financial entities shall apply effective risk management controls to reducmitigate the risks of any potential impact to data, damage to assets and disruption to critical or important services or operations at the financial entity itself, its counterparties or to the financial sector.
Amendment 565 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 4
Article 23 – paragraph 2 – subparagraph 4
At the end of the test, after reports and remediation plans have been agreed, the financial entity andwith the support of the external testers shall provide to the competent authority the documentation required to confirming that the threat led penetration testing has been conducted in accordance with the requirements. Competent authorities may request further details concerning the outcome of the test and any risk discovered, and shall validate the documentation and issue an attestation. at the end of the process.
Amendment 574 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
Article 23 – paragraph 4 – introductory part
4. EBA, ESMA and EIOPA shall, after consulting the ECB and taking into account relevant frameworks in the Union which apply to intelligence-basthreat led penetration tests, develop draft regulatory technical standards to specify further:
Amendment 585 #
Proposal for a regulation
Article 25 – paragraph 1 – point 2 – point b a (new)
Article 25 – paragraph 1 – point 2 – point b a (new)
(b a) whether a provider of ICT services is an ICT intra-group service provider.
Amendment 588 #
Proposal for a regulation
Article 25 – paragraph 1 – point 3
Article 25 – paragraph 1 – point 3
3. As part of their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in point (g) of Article 5(9). That strategy shall include a policy on the use of ICT services provided by ICT third-party service providers and shall apply on an individual and, as relevant, on a sub- consolidated and consolidated basis. The management body shall regularly review the risks identified in respect of outsourcing of critical or important functions.
Amendment 592 #
Proposal for a regulation
Article 25 – paragraph 1 – point 7 – paragraph 1
Article 25 – paragraph 1 – point 7 – paragraph 1
For contractual arrangements that entail a high level ofdetailed technological complexity, the financial entity shall verify that auditors, whether internal, pools of auditors or external auditors possess appropriate skills and knowledge to effectively perform relevant audits and assessments.
Amendment 598 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall ensure that contractual arrangements on the use of ICT services are terminatedable to be terminated, after all other remedies have been exhausted and after issuing a prior warning, at least under the following circumstances:
Amendment 600 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point a
Article 25 – paragraph 1 – point 8 – point a
(a) significant breach by the ICT third- party service provider of applicable laws, regulations or contractual terms;
Amendment 605 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 a (new)
Article 25 – paragraph 1 – point 8 a (new)
8 a. Financial entities shall not bear the cost of transferring out data from an ICT third-party service provider in cases where a contract is terminated under any of the circumstances listed in points (a) to (d) of point 8.
Amendment 607 #
Proposal for a regulation
Article 25 – paragraph 1 – point 9 – introductory part
Article 25 – paragraph 1 – point 9 – introductory part
9. For critical and important functions, financial entities shall put in place exit strategies in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
Amendment 614 #
Proposal for a regulation
Article 26 – paragraph 1 – point b
Article 26 – paragraph 1 – point b
(b) having in place multiple contractual arrangements in relation to the provision of ICT servicecritical or important ICT services and functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.
Amendment 625 #
Proposal for a regulation
Article 27 – paragraph 2 – point b
Article 27 – paragraph 2 – point b
(b) the country locations where the contracted or sub-contracted functions and services are to be provided and where data is to be processed, including the storage country location, and the requirement for the ICT third-party service provider to notify the financial entity if it envisages changing such locations;
Amendment 627 #
Proposal for a regulation
Article 27 – paragraph 2 – point d
Article 27 – paragraph 2 – point d
(d) full service level descriptions, if considered to be necessary by the financial entity, including updates and revisions thereof, and precise quantitative and qualitative performance targets within the agreed service levels to allow an effective monitoring by the financial entity and enable without undue delay appropriate corrective actions when agreed service levels are not met;
Amendment 628 #
Proposal for a regulation
Article 27 – paragraph 2 – point e
Article 27 – paragraph 2 – point e
(e) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development, including major ICT-related incidents, which may have a material impact on the ICT third- party service provider’s ability to effectively carry out critical or important functions in line with agreed service levels;
Amendment 629 #
Proposal for a regulation
Article 27 – paragraph 2 – point g
Article 27 – paragraph 2 – point g
(g) requirements for the ICT third- party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies which adequately guarantee aprovide an appropriate level of secure provision of services by the financial entity in line with its regulatory framework;
Amendment 631 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point i
Article 27 – paragraph 2 – point h – point i
i) rights of access, inspection and audit by the financial entity or by an appointed third-party, and the right to takereview copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
Amendment 644 #
Proposal for a regulation
Article 27 – paragraph 3
Article 27 – paragraph 3
3. When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed for specific services and refrain from supplementing them in the areas set out in this Regulation or further detailed by the ESAs referred to in paragraph 4.
Amendment 661 #
Proposal for a regulation
Article 28 – paragraph 2 b (new)
Article 28 – paragraph 2 b (new)
2 b. The ICT third-party service provider may, within 90 calendar days of receipt of the notification referred to in paragraph 2a, provide additional information to the Lead Overseer that is considered to be relevant to the designation referred to in point (a) of paragraph 1 and to its outcome.
Amendment 662 #
Proposal for a regulation
Article 28 – paragraph 2 a (new)
Article 28 – paragraph 2 a (new)
2 a. The Lead Overseer shall notify the ICT third-party service provider before initiating its assessment for the purposes of the designation referred to in point (a) of paragraph 1.
Amendment 663 #
Proposal for a regulation
Article 28 – paragraph 2 c (new)
Article 28 – paragraph 2 c (new)
2 c. The Lead Overseer shall make public the reason for the designation referred to in point (a) of paragraph 1 unless to do so could have a harmful impact on the designated ICT third-party service provider or on another entity subject to this Regulation.
Amendment 664 #
Proposal for a regulation
Article 28 – paragraph 2 d (new)
Article 28 – paragraph 2 d (new)
2 d. Upon receipt of the draft recommendation, the ICT third-party service provider shall have a period of six weeks within which to review and comment on it, and shall communicate if an additional period of time is needed in order to make necessary adjustments as set out in this Article.
Amendment 665 #
Proposal for a regulation
Article 28 – paragraph 2 e (new)
Article 28 – paragraph 2 e (new)
2 e. The ESAs shall notify the ICT third-party service provider of its designation as critical. The ICT third party service provider shall have at least three months to make any necessary adjustments to allow the Joint Oversight Executive Body to carry out its duties pursuant to Article 29, as well as to notify its financial entity customers. The Joint Oversight Executive Body may allow the adjustment period to be extended for a minimum period of three months, if requested by the designated ICT third- party service provider and duly justified.
Amendment 674 #
Proposal for a regulation
Article 28 – paragraph 9
Article 28 – paragraph 9
9. Financial entities shall not make use of an ICT third-party service provider established in a third country that would beis designated as critical pursuant to point (a) of paragraph 1 if it were establishedand does not have legal representation in the Union.
Amendment 691 #
Proposal for a regulation
Article 30 – paragraph 2 – point e
Article 30 – paragraph 2 – point e
(e) the identification, monitoring and prompt reporting of major ICT-related incidents to the financial entities, the management and resolution of those incidents, in particular cyber-attacks;
Amendment 692 #
Proposal for a regulation
Article 30 – paragraph 3
Article 30 – paragraph 3
3. Based on the assessment referred to in paragraph 1, the Lead Overseer shall adopt a clear, detailed and reasoned individual Oversight plan for each critical ICT third-party service provider. Before publication of the Oversight plan, the Lead Overseer shall engage in dialogue with the ICT third-party service provider, specifically for the purpose of exchanging information relevant to the final Oversight plan, including the possibility for the ICT third-party service provider to challenge individual recommendations. That plan shall be communicated each year to the critical ICT third-party service provider.
Amendment 711 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information concerning ICT services delivered to a financial entity that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. The Lead Overseer shall not be authorised to request information on any customers of the critical ICT third-party service provider which do not fall within the scope of this Regulation or are not using the ICT third-party service provider for critical or important functions.
Amendment 714 #
Proposal for a regulation
Article 32 – paragraph 2 – point d
Article 32 – paragraph 2 – point d
(d) set a reasonable time limit within which the information is to be provided;
Amendment 718 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
Article 33 – paragraph 2 – point b
(b) take or obtain certified copies of or review them on-site where they are deemed to be critical to the operations of the ICT third-party service provider, or extracts from, such records, data, procedures and other material;
Amendment 719 #
Proposal for a regulation
Article 33 – paragraph 2 – point e
Article 33 – paragraph 2 – point e
Amendment 721 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the examination teams referred to in Article 35(1), may enter and conduct all necessary on-site inspections on any business premises, land or property of the ICT third-party providers, which are relevant to the ongoing investigation and financial entity in question, such as head offices, operation centres, secondary premises, as well as to conduct off-line inspections.
Amendment 722 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
Article 34 – paragraph 2 – introductory part
2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises, unless it does not interrupt operations of other ICT third- party service provider customers and books or records for the period of, and to the extent necessary for, the inspection.
Amendment 732 #
Proposal for a regulation
Article 37 – paragraph 3
Article 37 – paragraph 3
3. CAfter exhausting all other options and issuing warnings to financial entities as a result of the oversight process, and subject to the approval of the Oversight Forum, competent authorities may, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers. Competent authorities shall notify the financial entities concerned as soon as possible and allow them sufficient time, at a minimum 30 business days, to adjust the outsourcing of relevant ICT services on an individual basis.
Amendment 745 #
Proposal for a regulation
Article 40 – paragraph 3
Article 40 – paragraph 3
Amendment 752 #
Proposal for a regulation
Article 43 a (new)
Article 43 a (new)
Amendment 760 #
Proposal for a regulation
Article 51 – paragraph 1 a (new)
Article 51 – paragraph 1 a (new)
Amendment 764 #
Proposal for a regulation
Article 56 – paragraph 2
Article 56 – paragraph 2
It shall apply from [PO: insert date - 124 months after the date of entry into force].