BETA

Activities of Bogdan RZOŃCA related to 2020/0266(COD)

Shadow reports (1)

2021/12/07
Committee: ECON
Dossiers: 2020/0266(COD)
Documents: PDF(481 KB) DOC(172 KB)
Authors: [{'name': 'Billy KELLEHER', 'mepid': 197818}]

Amendments (105)

Proposal for a regulation
Recital 44

(44) In order to achieve robust digital operational resilience, and in line with international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing, financial entities should regularly test their ICT systems and staff with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests). Digital operational resilience testing should thus be more demanding for significant financial entities (such as large credit institutions, stock exchanges, central securities depositories, central counterparties, etc.). At the same time, digital operational resilience testing should also be more relevant for some subsectors playing a core systemic role (e.g. payments, banking, clearing and settlement), and less relevant for other subsectors (e.g. asset managers, credit rating agencies, etc.). Cross-border financial entities exercising their freedom of establishment or provision of services within the Union should comply with a single set of advanced testing requirements (e.g. TLPT) in their home Member State, and that test should include the ICT infrastructures in all jurisdictions where the cross-border group operates within the Union, thus allowing cross-border groups to incur testing costs in one jurisdiction only. Furthermore, in order to strengthen cooperation in the field of resilience of financial entities with trusted third countries, the Commission and competent authorities should seek to establish a framework for mutual recognition of TLPTs results.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 2 – paragraph 1 – point n

~~(n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 2 – paragraph 1 – point q

~~(q) statutory auditors and audit firms,~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)

(u a) ICT intra-group service providers, when providing ICT services related to critical or important functions, with the exception of Section II of Chapter V of this Regulation that is not applicable to such providers,

2021/06/01
Committee: ECON

Proposal for a regulation
Article 3 – paragraph 1 – point 6

(6) ‘ICT-related incident’ means an ~~unforeseen identified occurrence~~ y event compromising the ~~network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, st~~availability, authenticity, integrity or confidentiality of stored, transmitted or processed data ore orf t~~ransmit, or has adverse effects on the availability, confidentiality, continuity~~ he related services offered by, or accessible via, network a~~uthenticity of financial services provided by the financial entity;~~nd information systems.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 3 – paragraph 1 – point 7

(7) ‘major ICT-related incident’ means an ICT-related incident with a ~~potentially high~~n anticipated significant adverse impact on the network and information systems that support critical functions of the financial entity;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 3 – paragraph 1 – point 15

(15) ‘ICT third-party service provider’ means an undertaking providing ~~digital and data services, including providers of cloud computing services, software, data analytics services, data centr~~ICT services, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council43 ; ; _________________ 43Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)(OJ L 321, 17.12.2018, p. 36).

2021/06/01
Committee: ECON

Proposal for a regulation
Article 3 – paragraph 1 – point 15 a (new)

(15 a) ‘ICT intra-group service provider’ means an undertaking that provides ICT services exclusively to financial entities within the same group;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 3 – paragraph 1 – point 16

(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users~~, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services~~;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point d

(d) approve, oversee and periodically review the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan ~~referred to in, respectively, paragraphs 1 and 3 of Article 10;~~which may be prepared as a independent section of the broader Business Continuity Policy and Disaster Recovery Plan respectively, in order to manage and mitigate risks that could have a harmful effect on the financial entity's ICT systems and ICT services and to facilitate their swift recovery if necessary.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point i

(i) be duregularly informed about major ICT-related incidents and their impact and about response, recovery and corrective measures.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 4 – paragraph 4

4. Members of the management body shall, on a regular basis, follow specific training to gain and keep up to date ~~sufficient~~general knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 5

5. Financial entities other than microenterprises shall ensure appropriate ~~segregation~~independence of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 7

7. The ICT risk management 7. framework referred to in paragraph 1 shall be audited on a regular basis by internal ICT auditors possessing sufficient knowledge, skills and expertise in ICT risk. The frequency and focus of the internal ICT audits shall be commensurate to the ICT risks of the financial entity. Additionally, at least every three years the internal auditing team shall be accompanied by an external audit firm possessing sufficient knowledge, skills and expertise in ICT risks, to develop an independent opinion on the financial entity's ICT risk management framework.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – introductory part

9. The ICT risk management framework referred to in paragraph 1 shall include a ~~digital resilience~~ strategy setting out how the framework is implemented. To that effect it shall include the methods to address ICT risk and attain specific ICT objectives, by:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – point b

(b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact ~~tolerance~~ of ICT disruptions;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – point d

(d) explaining the ICT ~~reference~~ architecture and any changes needed to reach specific business objectives;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – point g

(g) defining a holistic ICT multi- vendor strategy at entity level showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of third-party service providersdeleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – point i

(i) outlining a communication strategy in case of ICT-related incidents for the purpose of the requirements set out in Article 13.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 9 – point i a (new)

(i a) reflecting on other available technology tools and solutions that could enhance the continuity and resilience of the financial entity's critical operations.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 5 – paragraph 10

10. Upon ~~approval of~~informing the competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or, after prior approval, to external undertakings.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 7 – paragraph 1

1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all ~~ICT-related business~~critical or important functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 7 – paragraph 2

2. Financial entities shall on a continuous basis identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ~~ICT-related business~~critical or important functions and information assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 7 – paragraph 3

3. Financial entities other than microenterprises shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their functions, supporting processes or information assets. Subject to supervisory assessment, it shall be for the financial entity in each case to determine whether a major change for the purposes of this paragraph has occurred.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 7 – paragraph 4

4. Financial entities shall identify all ICT systems accounts, including those on remote sites, the network resources and hardware equipment, and shall map physical equipment considered critical. They shall map the configuration of the ~~ICT assets~~critical or important ICT assets having regard to their purpose and the links and interdependencies between those different ICT assets.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 7 – paragraph 7

7. Following a risk-based approach, financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on ~~all~~relevant legacy ICT systems, especially before and after connecting old and new technologies, applications or systems.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 8 – paragraph 2

2. Financial entities shall design, procure and implement ICT security ~~strategies,~~ policies, procedures, protocols and tools that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems, and maintaining high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.

2021/06/01
Committee: ECON

3. To achieve the objectives referred to in paragraph 2, financial entities shall use ~~state-of-the-art~~ ICT technology and processes which:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 8 – paragraph 3 – point a

(a) ~~guarantee~~keep at a minimum the security of the means of transfer of information;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 8 – paragraph 4 – introductory part

4. AFollowing a risk-based approach and taking into account the financial entity's risk profile, as part of the ICT risk management framework referred to in Article 5(1), financial entities shall:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 8 – paragraph 4 – point b

(b) ~~following a risk-based approach,~~ establish a sound network and infrastructure management using appropriate techniques, methods and protocols ~~including~~and which may consist of implementing automated mechanisms to isolate affected information assets in case of cyber-attacks;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 9 – paragraph 1 – introductory part

1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and if technologically available, to identify all potential material single points of failure.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 9 – paragraph 2

2. The detection mechanisms referred to in paragraph 1 shall ~~enable multiple layers of control, define alert thresholds and criteria to~~ trigger ICT-related incident detection and ICT-related incident response processes, ~~and shall put in place~~including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 1

1. ~~As part of the ICT risk management framework referred to in Article 5(1) and b~~Based on the identification requirements set out in Article 7, financial entities shall put in place a dedicated and comprehensive ~~ICT Business Continuity Policy as an integral part of the operational business continuity policy of the financial entity.~~ business continuity and disaster recovery plans, which could be prepared as a dedicated ICT Business Continuity Policy. Financial entities shall implement those dedicated, appropriate and documented arrangements, plans, procedures and mechanisms. Financial entities shall specifically consider risks that could have a harmful impact on ICT services and ICT systems. The plans shall support objectives to protect, and, if necessary, re-establish the confidentiality, integrity and availability of their business functions, supporting processes and information assets. The plans shall further aim to: a) activate without delay dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored responses and recovery methods established in accordance with Article 11; b) estimate preliminary impacts, damages and losses; Financial entities shall coordinate with relevant internal and external stakeholders, as appropriate, during the establishment of these plans.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – introductory part

2. ~~Financial entities shall implement the ICT B~~The overseeing authority, in cooperation with the Platform on Cybersecurity of Financial Sector, shall develop guidelines containing best practices and recommendations concerning the business Ccontinuity ~~Policy~~and disaster recovery plans referred to in paragraph 1 ~~through dedicated, appropriate and documented arrangements, plans, procedures an~~by [PO: insert date 1 year after the date of entry into force of this Regulation]. Those guidelines shall be reviewed at least once a year, or whenever deemed mnec~~hanisms aimed at:~~essary by the Platform on Cybersecurity of Financial Sector.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point a

~~(a) recording all ICT-related incidents;~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point b

~~(b) ensuring the continuity of the financial entity’s critical functions;~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point c

(c) quickly, appropriately and effectively responding to and resolving all ICT-related incidents, in particular but not limited to cyber-attacks, in a way which limits damage and prioritises resumption of activities and recovery actions;deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point d

(d) activating without delay dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and preventing further damage, as well as tailored response and recovery procedures established in accordance with Article 11;deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point e

~~(e) estimating preliminary impacts, damages and losses;~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 2 – point f

(f) setting out communication and crisis management actions which ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 13, and reported to competent authorities in accordance with Article 17.deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 3

3. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall implement an associated ICT Disaster Recovery Plan, which, in the case of financial entities other than microenterprises, shall be subject to independent audit reviews.deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 4

4. Financial entities shall put in place, maintain and periodically test appropriate ~~ICT~~ business continuity plans, notably with regard to critical or important ICT functions outsourced or contracted through arrangements with ICT third-party service providers.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 5 – point a

(a) test the ~~ICT~~ Business Continuity Policy and the ~~ICT~~ Disaster Recovery Plan at least yearly and after ~~substantive~~major changes to ~~the~~critical or important ICT systems;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 7

7. Financial entities shall keep records of relevant activities ~~before and~~ during disruption events when their ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated. Such records shall be readily available to the relevant competent authority if requested.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 10 – paragraph 9

~~9. Financial entities other than microenterprises shall report to competent authorities all costs and losses caused by ICT disruptions and ICT-related incidents.~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 11 – paragraph 1 – introductory part

1. For the purpose of ensuring the restoration of ICT systems with minimum downtime and limited disruption, as part of their ~~ICT risk management framework~~business continuity and disaster recovery plans referred to in Article 10, financial entities shall develop:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 11 – paragraph 4

4. Financial entities shall maintain redundant ICT capacities equipped with resources capabilities and functionalities that are sufficient and adequate to ensure ~~business need~~the financial entity is capable to ensure its resilience objectives for critical and important functions.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 11 – paragraph 5 – subparagraph 1 – point a

(a) located ~~at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile~~, designed or capable, in order to ensure a distinct risk profile as compared to the primary site, and to prevent it from being affected by the evincident which has affected the primary site;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 11 – paragraph 7

7. When recovering from an ICT- related incident, ~~financial entities shall perform multiple checks, including reconciliations, in order to ensure that the level of data integrity is of the highest level. These checks shall also be performed~~as well as when reconstructing data from external stakeholders, fin ~~order to ensure that all data is consistent between systems~~ancial entities shall ensure that the level of data integrity is of the highest level.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 12 – paragraph 2 – introductory part

2. Financial entities shall put in place post major ICT-related incident reviews after significant ICT disruptions of their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ~~ICT~~ Business Continuity Policy referred to in Article 10.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 13 – paragraph 1

1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT- related incidents ~~or major vulnerabilities~~ to clients and counterparts as well as to the public, as appropriate.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 15 – paragraph 2

2. Financial entities shall establish appropriate processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to make sure that root causes are identified and ~~eradicated~~addressed in order to prevent the occurrence of such incidents.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 15 – paragraph 3 – point d

(d) ensure that major ICT-related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 16 – paragraph 2 – introductory part

2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and ~~after consult~~in coordination with the European Central Bank (ECB) and ENISA, develop common draft regulatory technical standards further specifying the following:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 16 – paragraph 2 – point b

(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT- related incidents to other Member States’ jurisdictions, and the details of major ICT- related incidents reports to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 2

2. Where a major ICT-related incident has ~~or may have~~ an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of ~~all~~relevant measures which have been taken to mitigate the adverse effects of such incident.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 3 – point a

(a) an initial notification, without delay~~, but no later than the end of the business day, or, in case of a major ICT- related incident that took place later~~ and in any event withain 24 hours ~~before the end of the business day, not later than 4 hours from the beginning of the next business day~~of becoming aware of the incident, or, where reporting channels are not available, as soon as they become available;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 3 – point b

(b) an in~~termediate~~itial report, nto ~~later than 1 week after the initial notification referred to in point (a), followed as appropriate by updated notifications every time a relevant status update is available~~be updated as soon as possible after a financial entity becomes aware that the status of the original incident has changed significantly or new information has come to light that could have a major impact on how the incident is addressed by the competent authority, as well as upon a specific request of the competent authority;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 3 – subparagraph 1 (new)

The relevant competent authority as referred to in Article 41 shall provide that, in duly justified cases, a financial entity is permitted to deviate from the deadlines set out in points (a), (b) and (c) of this paragraph.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 4

4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider after agreeing a contractual provision with the ICT third-party service provider concerned, upon approval of the delegation by the relevant competent authority referred to in Article 41.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 17 – paragraph 5 – introductory part

5. Upon receipt of the report referred to in paragraph 1, the competent authority shall, without undue delay~~, provide details~~ and while respecting high security standards and after assessing potential risks, provide relevant information ofn the incident to:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 19 – paragraph 1

1. The ESAs, through the Joint Committee and in co~~nsult~~operation with ECB ~~and~~, ENISA and the Platform on Cybersecurity of Financial Sector, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 19 – paragraph 2 – point b a (new)

(b a) capability to establish the interoperability and assess its added value with regard to other relevant reporting schemes, such as in Directive (EU) 2016/1148.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 20 – paragraph 2 – introductory part

2. The ESAs shall, through the Joint Committee, report yearly on an anonymised and aggregated basis on the major ICT-related incident notifications received from competent authorities, setting out at least the number of ICT- related major incidents, their nature, impact on the operations of financial entities or customers, estimated costs and remedial actions taken.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 21 – paragraph 5

5. Financial entities shall establish procedures and policies to prioritise, classify and ~~remedy~~address all issues acknowledged throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 21 – paragraph 6

6. F~~inancial entities shall~~allowing a risk-based approach, financial entities shall ensure that appropriate tests allre performed on critical ICT systems and applications at least yearly.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 23 – paragraph 2 – introductory part

2. Threat led penetration testing shall cover at least the critical or important functions and services of a financial entity, and shall be performed on live production systems supporting such functions. The precise scope of threat led penetration testing, based on the assessment of critical functions and services, shall be determined by financial entities and shall be validated by the competent authorities. Numerous tests may be required to cover all of the critical functions and services of financial entities.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2

Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Where the involvement of an ICT third- party service provider in the threat led penetration testing could have an impact on the quality, confidentiality or security of the provision of the ICT third-party service provider's services to other customers that do not fall within the scope of this Regulation or on the overall integrity of the ICT third-party service provider's operations, the financial entity and the ICT third-party service provider may contractually agree that the ICT third party service provider is permitted to directly enter into contractual arrangements with an external tester to conduct pooled testing for its financial entity customers.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 3

Financial entities shall apply effective risk management controls to ~~reduc~~mitigate the risks of any potential impact to data, damage to assets and disruption to critical or important services or operations at the financial entity itself, its counterparties or to the financial sector.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 4

At the end of the test, after reports and remediation plans have been agreed, the financial entity ~~and~~with the support of the external testers shall provide to the competent authority the documentation required to confirm~~ing~~ that the threat led penetration testing has been conducted in accordance with the requirements. Competent authorities may request further details concerning the outcome of the test and any risk discovered, and shall validate the documentation and issue an attestation. at the end of the process.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 23 – paragraph 4 – introductory part

4. EBA, ESMA and EIOPA shall, after consulting the ECB and taking into account relevant frameworks in the Union which apply to ~~intelligence-bas~~threat led penetration tests, develop draft regulatory technical standards to specify further:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 2 – point b a (new)

(b a) whether a provider of ICT services is an ICT intra-group service provider.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 3

3. As part of their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk~~, taking into account the multi-vendor strategy referred to in point (g) of Article 5(9)~~. That strategy shall include a policy on the use of ICT services provided by ICT third-party service providers and shall apply on an individual and, as relevant, on a sub- consolidated and consolidated basis. The management body shall regularly review the risks identified in respect of outsourcing of critical or important functions.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 7 – paragraph 1

For contractual arrangements that entail a ~~high level of~~detailed technological complexity, the financial entity shall verify that auditors, whether internal, pools of auditors or external auditors possess appropriate skills and knowledge to effectively perform relevant audits and assessments.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part

8. Financial entities shall ensure that contractual arrangements on the use of ICT services are ~~terminated~~able to be terminated, after all other remedies have been exhausted and after issuing a prior warning, at least under the following circumstances:

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point a

(a) significant breach by the ICT third- party service provider of applicable laws, regulations or contractual terms;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 8 a (new)

8 a. Financial entities shall not bear the cost of transferring out data from an ICT third-party service provider in cases where a contract is terminated under any of the circumstances listed in points (a) to (d) of point 8.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 25 – paragraph 1 – point 9 – introductory part

9. For critical and important functions, financial entities shall put in place exit strategies in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 26 – paragraph 1 – point b

(b) having in place multiple contractual arrangements in relation to the provision of ~~ICT service~~critical or important ICT services and functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 2 – point b

(b) the country locations where the contracted or sub-contracted functions and services are to be provided and where data is to be processed, including the storage country location, and the requirement for the ICT third-party service provider to notify the financial entity if it envisages changing such locations;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 2 – point d

(d) full service level descriptions, if considered to be necessary by the financial entity, including updates and revisions thereof, and precise quantitative and qualitative performance targets within the agreed service levels to allow an effective monitoring by the financial entity and enable without undue delay appropriate corrective actions when agreed service levels are not met;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 2 – point e

(e) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development, including major ICT-related incidents, which may have a material impact on the ICT third- party service provider’s ability to effectively carry out critical or important functions in line with agreed service levels;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 2 – point g

(g) requirements for the ICT third- party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies which ~~adequately guarantee a~~provide an appropriate level of secure provision of services by the financial entity in line with its regulatory framework;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 2 – point h – point i

i) rights of access, inspection and audit by the financial entity or by an appointed third-party, and the right to ~~take~~review copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 27 – paragraph 3

3. When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed for specific services and refrain from supplementing them in the areas set out in this Regulation or further detailed by the ESAs referred to in paragraph 4.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 2 b (new)

2 b. The ICT third-party service provider may, within 90 calendar days of receipt of the notification referred to in paragraph 2a, provide additional information to the Lead Overseer that is considered to be relevant to the designation referred to in point (a) of paragraph 1 and to its outcome.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 2 a (new)

2 a. The Lead Overseer shall notify the ICT third-party service provider before initiating its assessment for the purposes of the designation referred to in point (a) of paragraph 1.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 2 c (new)

2 c. The Lead Overseer shall make public the reason for the designation referred to in point (a) of paragraph 1 unless to do so could have a harmful impact on the designated ICT third-party service provider or on another entity subject to this Regulation.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 2 d (new)

2 d. Upon receipt of the draft recommendation, the ICT third-party service provider shall have a period of six weeks within which to review and comment on it, and shall communicate if an additional period of time is needed in order to make necessary adjustments as set out in this Article.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 2 e (new)

2 e. The ESAs shall notify the ICT third-party service provider of its designation as critical. The ICT third party service provider shall have at least three months to make any necessary adjustments to allow the Joint Oversight Executive Body to carry out its duties pursuant to Article 29, as well as to notify its financial entity customers. The Joint Oversight Executive Body may allow the adjustment period to be extended for a minimum period of three months, if requested by the designated ICT third- party service provider and duly justified.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 28 – paragraph 9

9. Financial entities shall not make use of an ICT third-party service provider established in a third country that ~~would be~~is designated as critical pursuant to point (a) of paragraph 1 ~~if it were established~~and does not have legal representation in the Union.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 30 – paragraph 2 – point e

(e) the identification, monitoring and prompt reporting of major ICT-related incidents to the financial entities, the management and resolution of those incidents, in particular cyber-attacks;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 30 – paragraph 3

3. Based on the assessment referred to in paragraph 1, the Lead Overseer shall adopt a clear, detailed and reasoned individual Oversight plan for each critical ICT third-party service provider. Before publication of the Oversight plan, the Lead Overseer shall engage in dialogue with the ICT third-party service provider, specifically for the purpose of exchanging information relevant to the final Oversight plan, including the possibility for the ICT third-party service provider to challenge individual recommendations. That plan shall be communicated each year to the critical ICT third-party service provider.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 32 – paragraph 1

1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information concerning ICT services delivered to a financial entity that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. The Lead Overseer shall not be authorised to request information on any customers of the critical ICT third-party service provider which do not fall within the scope of this Regulation or are not using the ICT third-party service provider for critical or important functions.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 32 – paragraph 2 – point d

(d) set a reasonable time limit within which the information is to be provided;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 33 – paragraph 2 – point b

(b) take or obtain certified copies of or review them on-site where they are deemed to be critical to the operations of the ICT third-party service provider, or extracts from, such records, data, procedures and other material;

2021/06/01
Committee: ECON

Proposal for a regulation
Article 33 – paragraph 2 – point e

~~(e) request records of telephone and data traffic.~~deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 34 – paragraph 1

1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the examination teams referred to in Article 35(1), may enter and conduct all necessary on-site inspections on any business premises, land or property of the ICT third-party providers, which are relevant to the ongoing investigation and financial entity in question, such as head offices, operation centres, secondary premises, as well as to conduct off-line inspections.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 34 – paragraph 2 – introductory part

2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises, unless it does not interrupt operations of other ICT third- party service provider customers and books or records for the period of, and to the extent necessary for, the inspection.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 37 – paragraph 3

3. CAfter exhausting all other options and issuing warnings to financial entities as a result of the oversight process, and subject to the approval of the Oversight Forum, competent authorities may, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers. Competent authorities shall notify the financial entities concerned as soon as possible and allow them sufficient time, at a minimum 30 business days, to adjust the outsourcing of relevant ICT services on an individual basis.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 40 – paragraph 3

3. Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once the latter takes effect.deleted

2021/06/01
Committee: ECON

Proposal for a regulation
Article 43 a (new)

Article 43 a Platform on Cybersecurity of Financial Sector 1. The Commission shall establish or designate an advisory body on standards in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk (‘Platform on Cybersecurity of Financial Sector’). 2. The Platform on Cybersecurity of Financial Sector shall be composed in a balanced manner of the following groups: (a) representatives of: (i) the Commission; (ii) the ESAs; ENISA and (iii) the competent authorities; (b) experts representing relevant private stakeholders, including financial and non-financial market participants and business sectors, representing relevant industries, and persons with accounting and reporting expertise; (c) experts appointed in a personal capacity, who have proven knowledge and experience in the areas covered by this Regulation. 3. The Platform on Cybersecurity of Financial Sector shall: (a) advise the ESAs on the drawing up of the regulatory technical standards referred to in Articles 14, 16, 18, 23, 25, 27, 35, 36 as well as on the possible need to update those standards; (b) analyse the impact of those regulatory technical standards in terms of potential costs and benefits of their application; (c) assist the Commission in analysing requests from stakeholders to develop or revise those regulatory technical standards; (d) monitor and regularly report to the Commission on trends at Union and Member State level regarding developments in the areas covered by those regulatory technical standards; (e) advise the Commission on the possible need to amend this Regulation. 4. The Platform on Cybersecurity of Financial Sector shall be chaired by the Commission and constituted in accordance with the horizontal rules on the creation and operation of Commission expert groups. In that context the Commission may invite experts with specific expertise on an ad hoc basis. 5. The Platform on Cybersecurity of Financial Sector shall carry out its tasks in accordance with the principle of transparency. The Commission shall publish the minutes of the meetings of the Platform on Cybersecurity of Financial Sector and other relevant documents on the Commission website.“

2021/06/01
Committee: ECON

Proposal for a regulation
Article 51 – paragraph 1 a (new)

1a. By [PO: insert date 5 years after the date of entry into force of this Regulation] the Commission shall, after consulting EBA, ESMA, EIOPA and Platform on Cybersecurity of Financial Sector, as appropriate, carry out a review and submit a report to the European Parliament and the Council accompanied, if appropriate, by a legislative proposal, regarding the desirability of setting up an optional regulatory sandbox whereby critical ICT third-party service providers would: (a) be able to apply for permission to operate in a controlled environment provided by the Lead Overseer in order to test the application of innovative cybersecurity measures required for the purposes of this Regulation; and (b) be temporarily exempted from some specific requirements under Union financial services legislation that could otherwise prevent them from verifying solutions for the development or application of such cybersecurity measures. In the report referred to in the first subparagraph, the Commission shall also consider how the regulatory sandbox would best enable it, the ESAs and competent authorities to gain experience on the opportunities and specific risks created by the innovative cybersecurity measures, and by their underlying technology.

2021/06/01
Committee: ECON

Proposal for a regulation
Article 56 – paragraph 2

It shall apply from [PO: insert date - 124 months after the date of entry into force].

2021/06/01
Committee: ECON