46 Amendments of Carmen AVRAM related to 2020/0266(COD)
Amendment 157 #
Proposal for a regulation
Recital 1
(1) In the digital age, information and communication technology (ICT) supports complex systems used for everyday societal activities. It keeps our economies running in key sectors, including finance, and enhances the functioning of the single market. Increased digitalisation and interconnectedness also amplify ICT risks, making society as a whole - and the financial system in particular - more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are nowadays core features of all activities of Union financial entities, digital resilience has yet to be sufficiently built in their operational frameworks.
Amendment 167 #
Proposal for a regulation
Recital 14 a (new)
(14 a) However, that approach should in no way be taken to mean that, in its implementation, this Regulation should serve to hamper innovation and flexibility with regard to how financial entities deal with resilience issues while complying with its provisions. Through dialogue with supervisory authorities, which should acknowledge the virtues of flexibility, there will be full scope for adaptation and innovation while fully maintaining a high level of resilience.
Amendment 193 #
Proposal for a regulation
Recital 35
(35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all costs and losses caused by significant ICT disruptions and the results of post-incident reviews after such ICT disruptions.
Amendment 197 #
Proposal for a regulation
Recital 41 a (new)
(41 a) The definition of critical or important functions in this Regulation should encompass critical functions as defined in Directive (EU) 2014/59. Thereby, functions that are deemed to be critical functions pursuant to Directive (EU) 2014/59 should be deemed to be critical or important within the meaning of this Regulation.
Amendment 208 #
Proposal for a regulation
Recital 52
(52) To ensure that financial entities remain in full control of all developments which may impair their ICT security, notice periods and reporting obligations of the ICT third-party service provider should be set out in case of developments with a potential material impact on the ICT third-party service provider’s ability to effectively carry out critical or important functions, including the provision of assistance by the latter in case of an ICT-related incident relevant to the services being provided by the ICT third-party service provider to the financial institution at no additional cost or at a cost that is determined ex-ante. Ancillary ICT services on which the financial entities are not operationally dependent shall not be covered by this Regulation.
Amendment 211 #
Proposal for a regulation
Recital 53
(53) Rights of access, inspection and audit by the financial entity or an appointed third party shall cover only critical and important functions and are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
Amendment 213 #
Proposal for a regulation
Recital 54
(54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. Moreover, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In line with the resolution authorities’ expectations, credit institutions should ensure that the relevant contracts for ICT services are resolution-resilient. As long as critical and important ICT functions continue to be performed, those financial entities should ensure that the contracts foresee, among other requirements, non-termination, non-suspension and non-modification clauses on the grounds of restructuring or resolution.
Amendment 239 #
Proposal for a regulation
Article 1 – paragraph 1 – point a – indent 2 a (new)
- reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in points (a) to (c) of Article 2(1);
Amendment 242 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
2 a. This Regulation is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security in compliance with Union law.
Amendment 246 #
Proposal for a regulation
Article 2 – paragraph 1 – point f
(f) central securities depositories, and operators of securities settlement systems,
Amendment 249 #
Proposal for a regulation
Article 2 – paragraph 1 – point n
Amendment 265 #
Proposal for a regulation
Article 2 – paragraph 1 – point u a (new)
(u a) payment cards' networks,
Amendment 277 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems - including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event - which, if materialised, may compromise the security of the network and information systems, of any ICT-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
Amendment 279 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5 a (new)
(5 a) ‘incident’ means any event having the potential to disrupt, or that in fact disrupts, the operations of a financial entity;
Amendment 286 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6 a (new)
(6 a) ‘operational or security payment-related incident’ means an event or a series of linked occurrences unforeseen by financial entities referred to in points (a) to (c) of Article 2(1) which has or is likely to have an adverse impact on the integrity, availability, confidentiality, authenticity or continuity of payment-related services;
Amendment 292 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8 a (new)
(8 a) ‘significant cyber threat’ means a cyber threat whose characteristics clearly indicate that it is likely to result in a major ICT-related incident or a major operational or security payment-related incident;
Amendment 305 #
Proposal for a regulation
Article 3 – paragraph 1 – point 17
(17) ‘critical or important function’ means a function that is essential to the operation of a financial entity as it would be unable to deliver its services without the function, or whose failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or the soundness, or continuity of its services and activities;
Amendment 333 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 b (new)
(50 b) ‘service’ means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services, and where: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present; (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; and (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
Amendment 397 #
Proposal for a regulation
Article 8 – paragraph 3 – point a
(a) maximize the security of the means of transfer of information;
Amendment 400 #
Proposal for a regulation
Article 8 – paragraph 4 – point a
(a) develop and document an information security policy defining rules to protect the confidentiality, integrity and availability of their ICT resources, data and information assets while ensuring full protection of customers’ ICT resources, data and information assets within financial entities’ own ICT systems;
Amendment 439 #
Proposal for a regulation
Article 11 – paragraph 4
4. Financial entities other than small and microenterprises shall assess the need to maintain redundant ICT capacities equipped with resources, capabilities and functionalities that are sufficient and adequate to ensure business needs.
Amendment 471 #
Proposal for a regulation
Article 15 a (new)
Article 15 a
Operational or security payment-related incidents concerning financial entities referred to in points (a), (b) and (c) of Article 2(1)
The requirements laid down in Chapter III of this Regulation shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 474 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
1 a. The classification requirements laid down in paragraph 1 shall apply to operational or security payment-related incidents and major operational or security payment-related incidents in cases where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 475 #
Proposal for a regulation
Article 16 – paragraph 1 b (new)
1 b. Financial entities shall classify significant cyber threats based on the following criteria: (a) the number or relevance of clients or financial counterparts targeted and, where applicable, the amount or number of transactions targeted by the significant cyber threat; (b) the duration or the frequency of the significant cyber threat; (c) the geographical spread with regard to the areas targeted by the significant cyber threat, particularly if it affects more than two Member States; (d) the criticality of the services targeted, including the financial entity’s transactions and operations;
Amendment 479 #
Proposal for a regulation
Article 16 – paragraph 2 – point b
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to other Member States’ jurisdictions, and the details of ICT-related incident reports or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
Amendment 482 #
Proposal for a regulation
Article 16 – paragraph 2 – point b a (new)
(b a) the criteria set out in paragraph 1b, including high materiality thresholds for determining significant cyber threats which are subject to the reporting obligation laid down in Article 17 (1a);
Amendment 485 #
Proposal for a regulation
Article 16 – paragraph 3 – subparagraph 1
The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 13 years after the date of entry into force].
Amendment 487 #
Proposal for a regulation
Article 17 – title
17 Reporting of major ICT-related incidents and significant cyber threats
Amendment 492 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1 a. Financial entities shall notify significant cyber threats without undue delay to the relevant competent authority as referred to in Article 41.
Amendment 498 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
2 a. Where a significant cyber threat could adversely impact the financial interests of clients, financial entities shall inform their clients, without undue delay, of the significant cyber threat and of the measures which the financial entity intends to take to mitigate the adverse effects of such threat. Where appropriate, the financial entity shall also advise its clients on the measures they can take to mitigate the adverse effects of the threat.
Amendment 529 #
Proposal for a regulation
Article 18 – paragraph 1 – point b
(b) common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident and notify a significant cyber threat.
Amendment 530 #
Proposal for a regulation
Article 18 – paragraph 1 – subparagraph 1
The ESAs shall submit the common draft regulatory technical standards referred to in point (a) of paragraph 1 and the common draft implementing technical standards referred to in point (b) of paragraph 1 to the Commission by xx 202x [PO: insert date 12 years after the date of entry into force].
Amendment 545 #
Proposal for a regulation
Article 20 – paragraph 1
1. Upon receipt of a report as referred to in Article 17(1) and (1a), the competent authority shall acknowledge receipt of notification and shall as quickly as possible provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise adverse impact across sectors and also provide appropriately anonymised feedback, insight and intelligence to all relevant financial entities where it could be beneficial, based on any major incident reports they receive.
Amendment 576 #
Proposal for a regulation
Article 23 – paragraph 4 – point c
(c) the type of supervisory cooperation needed for the implementation and to facilitate full mutual recognition of threat led penetration testing in the context of financial entities which operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.
Amendment 577 #
Proposal for a regulation
Article 23 – paragraph 4 – subparagraph 1
The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 26 months before the date of entry into force].
Amendment 578 #
Proposal for a regulation
Article 23 – paragraph 4 – subparagraph 1 a (new)
Until the entry into force of this Regulation, and the development and adoption of regulatory technical standards specified in Article 23 (4), financial entities shall follow those relevant guidelines and frameworks in the Union which apply to intelligence-based penetration tests, as these will continue to apply when this Regulation comes into force.
Amendment 581 #
Proposal for a regulation
Article 24 – paragraph 1 – point c
(c) are certified by an accreditation body in a Member State or are certified by a well-established accreditation body in a third country or adhere to formal codes of conduct or ethical frameworks;
Amendment 589 #
Proposal for a regulation
Article 25 – paragraph 1 – point 4 – introductory part
4. As part of their ICT risk management framework, financial entities shall maintain and update at entity level and, at sub-consolidated and consolidated levels, a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Where available, financial entities shall follow the guidelines and other measures issued by the ESAs and competent authorities until the entry into force of the implementing technical standards referred to in Article 25(10). Where relevant, the register of information may be constituted by records pursuant to Article 30 of Regulation (EU) 2016/679.
Amendment 590 #
Proposal for a regulation
Article 25 – paragraph 1 – point 6
6. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high and appropriate security standards. The latest information security standards shall also be considered when determining whether the information security standards in place are appropriate.
Amendment 602 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point d
(d) verifiable circumstances where the competent authority demonstrably can no longer effectively supervise the financial entity as a result of the respective contractual arrangement.
Amendment 608 #
Proposal for a regulation
Article 25 – paragraph 1 – point 9 – introductory part
9. Financial entities shall put in place exit strategies, to be reviewed periodically, in order to take into account risks that may emerge at the level of the ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
Amendment 626 #
Proposal for a regulation
Article 27 – paragraph 2 – point c
(c) provisions on accessibility, availability, integrity, confidentiality and protection of data including personal data and on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider;
Amendment 633 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point i a (new)
(i a) the obligation to allow competent authorities to have access to all contractual arrangements;
Amendment 643 #
Proposal for a regulation
Article 27 – paragraph 2 a (new)
2 a. Competent authorities shall be able to access the contractual arrangements.
Amendment 720 #
Proposal for a regulation
Article 33 – paragraph 2 – point e
(e) request records of telephone and data traffic, in accordance with the principle of proportionality.
Amendment 746 #
Proposal for a regulation
Article 40 – paragraph 3 a (new)
3 a. Processing of personal data for the purposes of this Article is in accordance with point (f) of Article 6(1) of Regulation (EU) 2016/679.