Activities of Frances FITZGERALD related to 2020/0266(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014
2021/12/07
Committee: ECON
Dossiers: 2020/0266(COD)
Documents: PDF(481 KB) DOC(172 KB)
Authors: Billy KELLEHER (MEP id 197818)

Amendments (122)

Amendment 159 #
Proposal for a regulation
Recital 4
(4) In recent years, ICT risks have attracted the attention of national, European and international policy makers, regulators and standard-setting bodies in an attempt to enhance resilience, set standards and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Markets Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 groups of countries aim to provide competent authorities and market operators across different jurisdictions with tools to bolster the resilience of their financial systems. Consequently, it is necessary to consider cyber risk in the context of a highly interconnected global financial system in which consistency of international regulation and cooperation between competent authorities globally needs to be prioritised.
2021/06/01
Committee: ECON
Amendment 160 #
Proposal for a regulation
Recital 8
(8) The Union financial sector is regulated by a harmonised Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling digital operational resilience and ICT security are not fully or consistently harmonised yet, despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and no less important than for example common prudential or market conduct standards. The Single Rulebook and system of supervision should therefore be developed to also cover this component, by enlargstrengthening the mandates of financial supervisors tasked to monitor and protect financial stability and market integrityo manage cyber risks in the financial sector and to facilitate the integrity, efficiency and orderly functioning of the internal market.
2021/06/01
Committee: ECON
Amendment 164 #
Proposal for a regulation
Recital 13 – introductory part
(13) Financial entities should follow the same approach and the same principle- based rules when addressing ICT risk, according to their size, nature, complexity and risk profile. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of overuse of ICT systems, platforms and infrastructures, which entails increased digital risk.
2021/06/01
Committee: ECON
Amendment 169 #
Proposal for a regulation
Recital 16 – introductory part
(16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in respect to those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for financial entities, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.
2021/06/01
Committee: ECON
Amendment 177 #
Proposal for a regulation
Recital 21 a (new)
(21 a) In order to reduce the administrative burden and avoid complexity and duplicative reporting requirements for payment service providers that fall within the scope of this Regulation, the incident reporting requirements under Directive (EU) 2015/2366 should cease to apply. As such, credit institutions, e-money institutions and payment institutions should report, under this Regulation, all operational or security payment-related and non- payment related incidents that were previously reported under Directive (EU) 2015/2366, irrespective of whether the incidents are ICT-related or not.
2021/06/01
Committee: ECON
Amendment 178 #
Proposal for a regulation
Recital 22
(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT- related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete theachieve a robust ICT- related incident reporting regime with the requirements that are currently missing inddress the gaps in sectoral financial subsectorervices legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to harmonise the ICT- related incident reporting regime by requiring all financial entities to report to their competent authorities through a single streamlined framework as set out in this Regulationly. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds.
2021/06/01
Committee: ECON
Amendment 183 #
Proposal for a regulation
Recital 29
(29) Taking into account the potential systemic risks entailed by the increased outsourcing practices and by the ICT third- party concentration, and mindful of the insufficiency of national mechanisms enabling financial superiors to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third- party service providers, it is necessary to establish an appropriate Union oversight framework allowing for a continuousfrequent monitoring of the activities of ICT third- party service providers that arprovide critical providerservices to financial entities.
2021/06/01
Committee: ECON
Amendment 187 #
Proposal for a regulation
Recital 33
(33) Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into consideration significant differences between financial entities in terms of size, business profiles or exposure to digital risknature, complexity and risk profile. As a general principle, when directing resources and capabilities to the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their size and business, nature, complexity and risk profile, while competent authorities should continue to assess and review the approach of such distribution. Accordingly, the risk management framework should be applied to financial entities according to a risk-based approach which takes due account of their size, nature, complexity and risk profile.
2021/06/01
Committee: ECON
Amendment 194 #
Proposal for a regulation
Recital 35
(35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all estimated costs and losses caused by ICT disruptions and the results of post- incident reviews after significant ICT disruptions.
2021/06/01
Committee: ECON
Amendment 201 #
Proposal for a regulation
Recital 45
(45) To ensure a sound monitoring of ICT third-party risk, it is necessary to lay down a set of principle-based rules to guide financial entities’ monitoring of risk arising in the context of outsourced functions to ICT third-party services providers, particularly regarding the provision of critical or important functions by ICT third-party service providers, and, more generally, in the context of ICT third- party dependencies.
2021/06/01
Committee: ECON
Amendment 202 #
Proposal for a regulation
Recital 47
(47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a continuousfrequent screening of all such ICT third-party dependencies. To enhance supervisory awareness over ICT third-party dependencies, and with a view to further support the Oversight Framework established by this Regulation, financial supervisors should regularly receive essential information from the Registers and should be able to request extracts thereof on an ad-hoc basis.
2021/06/01
Committee: ECON
Amendment 204 #
Proposal for a regulation
Recital 48
(48) A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, while termination of contracts should be prompted bycorrective and remedial measures, which may include contract termination, should be taken in the case of at least a set of circumstances that show shortfalls at the ICT third-party service provider.
2021/06/01
Committee: ECON
Amendment 210 #
Proposal for a regulation
Recital 53
(53) Rights of access, inspection and audit by the financial entity or an appointed third party, in relation to the use of ICT services provided by the third-party service provider concerning critical or important functions, are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
2021/06/01
Committee: ECON
Amendment 215 #
Proposal for a regulation
Recital 57
(57) Since only critical third-party service providers warrant a special treatment, a designation mechanism for the purposes of applying the Union Oversight Framework should be put in place to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers, which translates into a set of quantitative and qualitative criteria that would set the criticality parameters as a basis for inclusion into the Oversight. Critical ICT third-party service providers which are not automatically designated by virtue of the application of the above-mentioned criteria should have the possibility to voluntary opt-in to the Oversight Framework, while those ICT third-party providers already subject to oversight mechanisms frameworks established at Eurosystem level with the aim to supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union should consequently be exempted. Similarly, undertakings which are part of a financial group and which provide ICT services exclusively to financial entities within the same financial group should not be subject to the designation mechanism.
2021/06/01
Committee: ECON
Amendment 216 #
Proposal for a regulation
Recital 58
(58) The requirement of legal incorporation in the Union of ICT third- party service providers which have been designated as critical does not amount to data localisation since this Regulation does not entail any further requirement on data storage or processing to be undertaken in Union.
deleted
2021/06/01
Committee: ECON
Amendment 218 #
Proposal for a regulation
Recital 58 a (new)
(58 a) Due to the significant impact that designation as critical may have on ICT third-party service providers, prior hearing rights should be established as an obligation imposed on the Lead Overseer to duly take into consideration any additional information provided by ICT third-party service providers in the course of the designation process.
2021/06/01
Committee: ECON
Amendment 221 #
Proposal for a regulation
Recital 61
(61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale, one of the ESAs should be designatedthis Regulation foresees that the European Banking Authority (EBA) should act as Lead Overseer for each critical ICT third-party service provider.
2021/06/01
Committee: ECON
Amendment 222 #
Proposal for a regulation
Recital 62 – introductory part
(62) The Lead Overseers should enjoy the necessary powers to conduct investigations, onsite and offsite inspections at critical ICT third-party service providers, access all relevant premises and locations and obtain complete and updated information to enable them Lead Overseer to acquire real insight into the type, dimension and impact of the ICT third- party risk posed to the financial entities and ultimately to the Union’s financial system.
2021/06/01
Committee: ECON
Amendment 224 #
Proposal for a regulation
Recital 62 – point 1
Entrusting the ESAsBA with the lead oversight role, in close cooperation with EIOPA and ESMA, is a prerequisite for grasping and addressing the systemic dimension of ICT risk in finance. The Union footprint of critical ICT third-party service providers and the potential issues of ICT concentration risk attached to it call for taking a collective approach exercised at Union level. The exercise of multiple audits and access rights, conducted by numerous competent authorities in separation with little or no coordination would not lead to a complete overview on ICT third-party risk while creating unnecessary redundancy, burden and complexity at the level of critical ICT third-party providers facing such numerous requests.
2021/06/01
Committee: ECON
Amendment 225 #
Proposal for a regulation
Recital 63
(63) In addition, the Lead Overseers should be able to submit recommendations on ICT risk matters and suitable remedies, including opposing certain contractual arrangements ultimately affecting the stability of the financial entity or the financial system. Prior to the finalisation of such recommendations, critical ICT third-party service providers should be given the opportunity to provide information which it reasonably believes should be taken into account before the recommendation is finalised and issued. Compliance with such substantive recommendations laid down by the Lead Overseers should be duly taken into account by national competent authorities as part of their function relating to the prudential supervision of financial entities.
2021/06/01
Committee: ECON
Amendment 226 #
Proposal for a regulation
Recital 63 a (new)
(63 a) In order to avoid duplication and contradictions with the technical and organisational measures that may apply to critical ICT third-party service providers, Lead Overseers should take due account of the framework established by Directive (EU) 2016/1148 in the exercise of their powers according to the Oversight Framework in this Regulation. Before exercising such powers, the Lead Overseer should consult the relevant competent authorities that have jurisdiction under Directive (EU) 2016/1148 and the Oversight Forum.
2021/06/01
Committee: ECON
Amendment 240 #
Proposal for a regulation
Article 1 – paragraph 1 – point a – indent 5
— measures for athe sound management by financial entities of the ICT third-party riskof ICT third-party risk by financial entities;
2021/06/01
Committee: ECON
Amendment 255 #
Proposal for a regulation
Article 2 – paragraph 1 – point n
(n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises,
2021/06/01
Committee: ECON
Amendment 257 #
Proposal for a regulation
Article 2 – paragraph 1 – point o
(o) institutions for occupational retirement pensionrovisions (IORPs), unless they operate pension schemes which together do not have more than a total of 15 members,
2021/06/01
Committee: ECON
Amendment 272 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its technological operational integrity from a technological perspective by ensuring, either directly or indirectly, through the useby ensuring the continued provision of services of ICTand theird- party providers, the full range of ICT- related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality quality in the face of operational disruptions impacting its ICT capabilities;
2021/06/01
Committee: ECON
Amendment 275 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems, - including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event - which, if materialised, may compromise the security of the network and information systems, of any technology-dependant tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
2021/06/01
Committee: ECON
Amendment 278 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘information asset’ means a collection of information, either tangible or intangible, that is worthhas value for an entity and requires protectiong;
2021/06/01
Committee: ECON
Amendment 283 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘ICT-related incident’ means an unforeseen identified occurrence or a series of linked occurrences in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity;
2021/06/01
Committee: ECON
Amendment 288 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘major ICT-related incident’ means an ICT-related incident with a potentiallyhich has or is likely to have a high adverse impact on the network and information systems that support critical functions of the financial entity;
2021/06/01
Committee: ECON
Amendment 293 #
Proposal for a regulation
Article 3 – paragraph 1 – point 12
(12) ‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by a cyber threat;
2021/06/01
Committee: ECON
Amendment 294 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15
(15) ‘ICT third-party service provider’ means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council [43]; ICT services;
[43] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast) (OJ L 321, 17.12.2018, p. 36).
2021/06/01
Committee: ECON
Amendment 299 #
Proposal for a regulation
Article 3 – paragraph 1 – point 15 a (new)
(15 a) 'ICT intra-group third-party service provider' means an undertaking that is part of a financial group and provides ICT services exclusively to financial entities within the same group, including to their parent undertakings, subsidiaries and branches or other entities that are under common ownership or control;
2021/06/01
Committee: ECON
Amendment 306 #
Proposal for a regulation
Article 3 – paragraph 1 – point 17
(17) ‘critical or important function’ means an ICT function whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or the soundness or continuity of its services and activities;
2021/06/01
Committee: ECON
Amendment 308 #
Proposal for a regulation
Article 3 – paragraph 1 – point 18
(18) ‘critical ICT third-party service provider’ means an ICT third-party service provider designated in accordance with Article 298 and subject to the Oversight Framework referred to in Articles 3029 to 376;
2021/06/01
Committee: ECON
Amendment 309 #
Proposal for a regulation
Article 3 – paragraph 1 – point 19
(19) ‘ICT third-party service provider established in a third country’ means an ICT third-party service provider that is a legal person established in a third-country, has not set up business/presencea legal entity in the Union, and has entered into a contractual arrangement with a financial entity for the provision of ICT services;
2021/06/01
Committee: ECON
Amendment 310 #
Proposal for a regulation
Article 3 – paragraph 1 – point 20
(20) ‘ICT sub-contractor established in a third country’ means an ICT sub-contractor that is a legal person established in a third- country, has not set up business/presencea legal entity in the Union and has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country;
2021/06/01
Committee: ECON
Amendment 311 #
Proposal for a regulation
Article 3 – paragraph 1 – point 21
(21) ‘ICT concentration risk’ means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole,financial stability of the Union as a whole or the ability of a financial entity to deliver critical functions, or to suffer other type of adverse effects, including large losses;
2021/06/01
Committee: ECON
Amendment 327 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50
(50) ‘micro, small and medium-sized enterprise’ means a financial entity as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC.
2021/06/01
Committee: ECON
Amendment 332 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 a (new)
(50 a) 'Lead Overseer' means the European Banking Authority.
2021/06/01
Committee: ECON
Amendment 336 #
Proposal for a regulation
Article 4 – paragraph 1
1. Financial entities shall have in place an effective internal governance and control frameworks that ensures an effective and prudent management of all ICT risks, which is proportionate to the nature, scale and complexity of the entity, with a view to achieving a high level of digital operational resilience.
2021/06/01
Committee: ECON
Amendment 338 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point a
(a) bear the finalultimate responsibility for managing the financial entity’s ICT risks;
2021/06/01
Committee: ECON
Amendment 339 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point a a (new)
(a a) put in place procedures and policies that aim to ensure the resilience, continuity and availability of ICT systems and maintain high standards of security, confidentiality and integrity of data;
2021/06/01
Committee: ECON
Amendment 343 #
Proposal for a regulation
Article 4 – paragraph 2 – subparagraph 1 – point i
(i) be duly informed about major ICT- related incidents and their impact and about response, recovery and corrective measures.
2021/06/01
Committee: ECON
Amendment 347 #
Proposal for a regulation
Article 4 a (new)
Article 4 a Proportionality principle Financial entities shall implement the rules on ICT risk management foreseen in this Chapter in accordance with the principle of proportionality, by taking into account the size of their undertaking, the nature, scale and complexity of their activities and their overall risk profile.
2021/06/01
Committee: ECON
Amendment 349 #
Proposal for a regulation
Article 5 – paragraph 1
1. Financial entities shall have a sound, comprehensive and well- documented ICT risk management framework, which enables them to address and manage ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size and complexityis commensurate to their size, nature, complexity and risk profile.
2021/06/01
Committee: ECON
Amendment 350 #
Proposal for a regulation
Article 5 – paragraph 3
3. Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, protocols and tools as determined in the ICT risk management framework. They shall provide complete and updated information on their ICT risks management framework as requirested by the competent authorities in accordance with this Regulation.
2021/06/01
Committee: ECON
Amendment 358 #
Proposal for a regulation
Article 5 – paragraph 7
7. TAs regards financial entities other than microenterprises, the ICT risk management framework referred to in paragraph 1 shall be audited on a regular basis by ICT auditors possessing sufficient knowledge, skills and expertise in ICT risk. The frequency and focus of ICT audits shall be commensurate to the ICT risks of the financial entity.
2021/06/01
Committee: ECON
Amendment 366 #
Proposal for a regulation
Article 5 – paragraph 9 – point g
(g) defining a holistic ICT multi- vendor strategy at entity level showexplaining key dependencies oin ICT third-party service providers and explaining the rationale behind the procurement mix ofrelation to the use of ICT third-party service providers, where relevant;
2021/06/01
Committee: ECON
Amendment 367 #
Proposal for a regulation
Article 5 – paragraph 9 – point h
(h) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
2021/06/01
Committee: ECON
Amendment 372 #
Proposal for a regulation
Article 5 – paragraph 10
10. Upon approval of competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or externalexternal undertakings. Upon notification to competent authorities, financial entities may delegate the task of verifying compliance with the ICT risk management requirements to intra-group undertakings.
2021/06/01
Committee: ECON
Amendment 375 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. FIn accordance with their risk profile, financial entities shall use and maintain updated ICT systems, protocols and tools, in order to address and manage ICT risk, which fulfil the following conditions:
2021/06/01
Committee: ECON
Amendment 377 #
Proposal for a regulation
Article 7 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all ICT-related business functions that could pose ICT risks, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.
2021/06/01
Committee: ECON
Amendment 380 #
Proposal for a regulation
Article 7 – paragraph 2
2. Financial entities shall on a continuous basis identifyregular basis monitor and assess all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT-related business functions and information assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
2021/06/01
Committee: ECON
Amendment 392 #
Proposal for a regulation
Article 8 – paragraph 3 – introductory part
3. To achieve the objectives referred to in paragraph 2, financial entities shall use state-of-the-art ICT technology and processes, in accordance with their risk profile, which:
2021/06/01
Committee: ECON
Amendment 395 #
Proposal for a regulation
Article 8 – paragraph 3 – point a
(a) guaranteeminimize the risk for the security of the means of transfer of information;
2021/06/01
Committee: ECON
Amendment 405 #
Proposal for a regulation
Article 8 – paragraph 4 – subparagraph 1
For the purposes of point (b), financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severedsevered as quickly as possible in case of an incident and shall ensure its compartmentalisation and segmentation, in order to minimise and prevent contagion, especially for interconnected financial processes.
2021/06/01
Committee: ECON
Amendment 407 #
Proposal for a regulation
Article 9 – paragraph 1 – introductory part
1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and to identify allnd monitor the potential material single points of failure.
2021/06/01
Committee: ECON
Amendment 410 #
Proposal for a regulation
Article 9 – paragraph 3
3. Financial entities shall devote sufficient resources and capabilities, with due consideration to their sizeappropriate to their size, nature, complexity, business and risk profiles, to monitor user activity, occurrence of ICT anomalies and ICT- related incidents, in particular cyber- attacks.
2021/06/01
Committee: ECON
Amendment 434 #
Proposal for a regulation
Article 10 – paragraph 9
9. Financial entities other than microenterprises shall report to competent authorities all estimated financial costs and losses caused by ICT disruptions and ICT-related incidents.
2021/06/01
Committee: ECON
Amendment 437 #
Proposal for a regulation
Article 11 – paragraph 2
2. Backup systems shall begin processing without undue delay, unless such start wouldIn accordance with the backup policies specified in paragraph 1(a), financial entities shall ensure that backup systems are operating adequately according to the backup processes. The activation of backup systems shall not jeopardize the security of the network and information systems or the integrity or confidentiality of data.
2021/06/01
Committee: ECON
Amendment 444 #
Proposal for a regulation
Article 11 – paragraph 6
6. In determining the recovery time and point objectives for each function, financial entities shall take into account the potential overall impact on market efficiencydigital operational resilience and critical or important functions. Such time objectives shall ensure that, in extremsevere scenarios, the agreed service levels are met.
2021/06/01
Committee: ECON
Amendment 447 #
Proposal for a regulation
Article 12 – paragraph 1
1. Financial entities shall have in place capabilities and staff, suiappropriated to their size, nature, complexity, business and risk profiles, to gather information on vulnerabilities and cyber threats, ICT- related incidents, in particular cyber- attacks, and analyse their likely impacts on their digital operational resilience.
2021/06/01
Committee: ECON
Amendment 452 #
Proposal for a regulation
Article 12 – paragraph 2 – subparagraph 1
When implementing changes related to addressing ICT-risk, financial entities other than microenterprises shall communicate those changes to the competent authorities.
2021/06/01
Committee: ECON
Amendment 455 #
Proposal for a regulation
Article 12 – paragraph 6 – subparagraph 1
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understand possible impacts of deployment of such new technologies upon the ICT security requirements and digital operational resilience. They shall keep abreast of the latest ICT risk management processes, effectively countering current or new forms of cyber-attacks.
2021/06/01
Committee: ECON
Amendment 458 #
Proposal for a regulation
Article 13 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT-related incidents or major vulnerabilities to clients and counterparts as well as to the public, as appropriate.
2021/06/01
Committee: ECON
Amendment 459 #
Proposal for a regulation
Article 13 – paragraph 3
3. At least one person in the entity shall be tasked with implementing the communication strategy for major ICT-related incidents and fulfil the role of public and media spokesperson for that purpose.
2021/06/01
Committee: ECON
Amendment 461 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
(b) prescribe how the ICT security policies, procedures and tools referred to in Article 8(2) shall incorporate security controls into systems from inception (security by design), allow for adjustments to the evolving threat landscape, and provide for the use of defence-in-depth technology;deleted
2021/06/01
Committee: ECON
Amendment 462 #
Proposal for a regulation
Article 14 – paragraph 1 – point b a (new)
(b a) incorporate security controls into systems from inception (security by design)
2021/06/01
Committee: ECON
Amendment 463 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
(c) specify further the appropriate techniques, methods and protocols referred to in point (b) of Article 8(4);deleted
2021/06/01
Committee: ECON
Amendment 464 #
Proposal for a regulation
Article 14 – paragraph 1 a (new)
When developing those draft regulatory technical standards, the ESAs shall take into account the size, nature, scale, complexity and overall risk profile of the financial entities.
2021/06/01
Committee: ECON
Amendment 467 #
Proposal for a regulation
Article 15 – paragraph 2
2. As part of the ICT-incident management process, financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to make sure that root causes are identified and eradicated to prevent the occurrence of such incidents.
2021/06/01
Committee: ECON
Amendment 468 #
Proposal for a regulation
Article 15 – paragraph 3 – point d
(d) ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;
2021/06/01
Committee: ECON
Amendment 472 #
Proposal for a regulation
Article 16 – paragraph 1 – point a
(a) the number of users or financial counterparts affected by the disruption caused by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
2021/06/01
Committee: ECON
Amendment 473 #
Proposal for a regulation
Article 16 – paragraph 1 – point c
(c) the geographical spread in the Union with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
2021/06/01
Committee: ECON
Amendment 481 #
Proposal for a regulation
Article 16 – paragraph 2 – point b
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents to other Member States’ jurisdictions, and the details of major ICT-related incidents reports to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
2021/06/01
Committee: ECON
Amendment 486 #
Proposal for a regulation
Article 16 – paragraph 3 – subparagraph 1
The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 8 months after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 494 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where a major ICT-related incident occurs and has a material impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all pertinent measures which have been taken to mitigate the adverse effects of such incident.
2021/06/01
Committee: ECON
Amendment 509 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without undue delay, but no later than the end of the business day after the ICT-related incident is classified as major by the financial entity, or, in case of a major ICT-related incident that took place later than 2 hours before the end of the business day, not later than 4 hours from the beginning of the next business day after the ICT-related incident is classified as major by the financial entity, or, where reporting channels are not available, as soon as they become available;
2021/06/01
Committee: ECON
Amendment 515 #
Proposal for a regulation
Article 17 – paragraph 3 a (new)
3 a. Due consideration shall be given to the ability of financial entities to provide accurate and meaningful information in relation to major ICT-related incidents within the timeframes set out in points (a) and (b) of paragraph 3.
2021/06/01
Committee: ECON
Amendment 519 #
Proposal for a regulation
Article 17 – paragraph 4
4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant competent authority referred to in Article 41. In cases of such delegation, the financial entity shall remain fully accountable for the fulfilment of the incident reporting requirements.
2021/06/01
Committee: ECON
Amendment 548 #
Proposal for a regulation
Article 21 – paragraph 1
1. For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities, other than microenterprises, shall establish, maintain and review, in accordance with their size, nature, complexity and risk profiles, a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5.
2021/06/01
Committee: ECON
Amendment 556 #
1. The digital operational resilience testing programme referred to in Article 21 shall provide for the execution of a full range of appropriate tests, according to a risk-based approach, which may include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing or penetration testing.
2021/06/01
Committee: ECON
Amendment 562 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
Where critical ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers.
2021/06/01
Committee: ECON
Amendment 566 #
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 4 a (new)
Competent authorities shall issue an attestation confirming, based on the documentation referred to in the fifth subparagraph, that the test was performed in accordance with the requirements in order to allow - where applicable - for mutual recognition of threat led penetration tests between competent authorities. Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impacts of the tests referred to in this paragraph.
2021/06/01
Committee: ECON
Amendment 573 #
Proposal for a regulation
Article 23 – paragraph 4 – introductory part
4. EBA, ESMA and EIOPA shall, after consulting the ECB and taking into account relevant frameworks in the Union which apply to threat led penetration tests, including the TIBER-EU framework, develop draft regulatory technical standards to specify further:
2021/06/01
Committee: ECON
Amendment 584 #
Proposal for a regulation
Article 25 – paragraph 1 – point 2 – point a
(a) the nature, scale, complexity and importance of ICT-related dependencies,
2021/06/01
Committee: ECON
Amendment 586 #
Proposal for a regulation
Article 25 – paragraph 1 – point 3
3. As part of their ICT risk management framework, financial entities, other than microenterprises, shall adopt and regularly review a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in point (g) of Article 5(9). That strategy shall include a policy on the use of ICT services provided by ICT third-party service providers and shall apply on an individual and, as relevant, on a sub-consolidated and consolidated basis. The management body shall regularly review the risks identified in respect of outsourcing of critical or important functions.
2021/06/01
Committee: ECON
Amendment 591 #
7. In exercising access, inspection and audit rights over the ICT third-party service provider in relation to critical or important functions, financial entities shall on a risk-based approach pre-determine the frequency of audits and inspections and the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.
2021/06/01
Committee: ECON
Amendment 594 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall take appropriate corrective or remedial measures, which could include terminating the contractual arrangements as a measure of last resort, in cases where any of the following circumstances are identified:
2021/06/01
Committee: ECON
Amendment 599 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – point a
(a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
2021/06/01
Committee: ECON
Amendment 606 #
Proposal for a regulation
Article 25 – paragraph 1 – point 9 – introductory part
9. For ICT services related to critical or important functions, financial entities shall put in place exit strategies in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
2021/06/01
Committee: ECON
Amendment 609 #
Proposal for a regulation
Article 25 – paragraph 1 – point 11 – paragraph 1
The ESAs shall submit those draft regulatory technical standards to the Commission by [PO: insert date 8 months after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 611 #
Proposal for a regulation
Article 26 – title
Preliminary assessment of ICT concentration risk and further sub-contracting arrangements
2021/06/01
Committee: ECON
Amendment 612 #
Proposal for a regulation
Article 26 – paragraph 1 – introductory part
1. When performing the identification and assessment of ICT concentration risk referred to in point (c) of Article 25(5), financial entities shall take into account whether the conclusion of a contractual arrangement in relation to the ICT services concerning critical or important functions would lead to any of the following:
2021/06/01
Committee: ECON
Amendment 613 #
Proposal for a regulation
Article 26 – paragraph 1 – point b
(b) having in place multiple contractual arrangements in relation to the provision of ICT services concerning critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.
2021/06/01
Committee: ECON
Amendment 615 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
2. Where the contractual arrangement on the use of ICT services concerning critical or important functions includes the possibility that an ICT third-party service provider further sub-contracts a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such possible sub-contracting, in particular in the case of an ICT sub-contractor established in a third country.
2021/06/01
Committee: ECON
Amendment 621 #
Proposal for a regulation
Article 27 – paragraph 2 – introductory part
2. The contractual arrangements on the use of ICT services concerning critical or important functions shall include at least the following:
2021/06/01
Committee: ECON
Amendment 630 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point i
i) rights of access, inspection and audit by the financial entity or by an appointed third-party in relation to the use of ICT services provided by the ICT third-party service provider concerning critical or important functions, and the right of access of relevant documentation in a way which does not compromise the security of the providers and its customers, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
2021/06/01
Committee: ECON
Amendment 635 #
Proposal for a regulation
Article 27 – paragraph 2 – point j
(j) termination rights and related minimum notices period for the termination of the contract, in accordance with competent authorities’ expectations; where that consideration impacts an ICT intra-group third-party service provider within the same group, it shall be analysed following a risk-based approach;
2021/06/01
Committee: ECON
Amendment 638 #
Proposal for a regulation
Article 27 – paragraph 2 – point k – introductory part
(k) exit strategies, in particular the establishment of a mandatory adequate transition period - where that consideration impacts an ICT intra-group third-party service provider within the same group, it shall be analysed following a risk-based approach:
2021/06/01
Committee: ECON
Amendment 645 #
Proposal for a regulation
Article 27 – paragraph 4 – introductory part
4. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions to properly give effect to the provisions of point (a) of paragraph 2. When developing those draft regulatory technical standards, the ESAs shall take into account the size, nature, complexity and overall risk profile of the financial entities.
2021/06/01
Committee: ECON
Amendment 647 #
Proposal for a regulation
Article 27 – paragraph 4 – subparagraph 1
The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 8 months after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 650 #
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) appoint either EBA, ESMA or EIOPA as Lead Overseer for each critical ICT third-party service provider, depending on whether the total value of assets of financial entities making use of the services of that critical ICT third-party service provider and which are covered by one of the Regulations (EU) No 1093/2010, (EU) No 1094/2010 or (EU) No 1095/2010 respectively, represents more than a half of the value of the total assets of all financial entities making use of the services of the critical ICT third-party service provider, as evidenced by the consolidated balance sheets, or the individual balance sheets where balance sheets are not consolidated, of those financial entities.deleted
2021/06/01
Committee: ECON
Amendment 659 #
Proposal for a regulation
Article 28 – paragraph 2 a (new)
2 a. The designation mechanism referred to in points (a) and (b) of paragraph 1 shall not apply in relation to ICT intra-group third-party service providers.
2021/06/01
Committee: ECON
Amendment 666 #
Proposal for a regulation
Article 28 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 50 to specify further the criteria referred to in paragraph 2 by [OJ: insert date 12 months after the date of entry into force].
2021/06/01
Committee: ECON
Amendment 668 #
Proposal for a regulation
Article 28 – paragraph 5 a (new)
5 a. The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment referred in paragraph 2 by providing a draft recommendation of criticality. Within 45 calendar days from the date of that notification, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement on the assessment which shall contain all relevant additional information deemed to be appropriate by the ICT third-party service provider in order to support the completeness and accuracy of the designation procedure or to challenge the draft recommendation of criticality. Prior to taking a decision on the criticality designation, the Lead Overseer shall take due consideration of the reasoned statement and may request further information or evidence from the ICT third-party service provider.
2021/06/01
Committee: ECON
Amendment 670 #
Proposal for a regulation
Article 28 – paragraph 8 – subparagraph 1
For the purpose of the first subparagraph, the ICT third-party service provider shall submit a reasoned application to the Lead Overseer, which, through the Joint Committee, shall decide whether to include that ICT third-party service provider in that list in accordance with point (a) of paragraph 1.
2021/06/01
Committee: ECON
Amendment 672 #
Proposal for a regulation
Article 28 – paragraph 9
9. Financial entities shall not make use, for critical or important functions, of an ICT third-party service provider established in a third country unless it has established a legal entity in the Union and has entered into a contractual arrangement with a financial entity for the provision of ICT services.
2021/06/01
Committee: ECON
Amendment 680 #
Proposal for a regulation
Article 29 – paragraph 1 – introductory part
1. The Joint Committee, in accordance with Article 57 of Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, shall establish the Oversight Forum as a sub-committee for the purposes of supporting the work of the Joint Committee and the Lead Overseer referred to in point (b) of Article 28(1) in the area of ICT third-party risk across financial sectors. The Oversight Forum shall prepare the draft joint positions and common acts of the Joint Committee in that area. The role of the Oversight Forum shall be limited to supervisory and oversight responsibilities related to ICT risks concerning the ICT services provided by critical ICT third-party service providers to financial entities.
2021/06/01
Committee: ECON
Amendment 686 #
Proposal for a regulation
Article 29 – paragraph 5
5. In accordance with Article 16 of Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs shall issue guidelines by [OJ: insert date 18 months after the date of entry into force] on the cooperation between the ESAs and the competent authorities for the purposes of this Section on the detailed procedures and conditions relating to the execution of tasks between competent authorities and the ESAs and details on exchanges of information needed by competent authorities to ensure the follow-up of recommendations addressed by Lead Overseers pursuant to point (d) of Article 31(1) to critical ICT third-party providers.
2021/06/01
Committee: ECON
Amendment 694 #
Proposal for a regulation
Article 30 – paragraph 3 a (new)
3 a. Prior to the finalisation of the oversight plan referred to in paragraph 2, the Lead Overseer shall consult the relevant competent authorities that have jurisdiction under Directive (EU) 2016/1148 to assess if compliance with Directive (EU) 2016/1148 satisfies one or more of the requirements set out in the oversight framework in this section.
2021/06/01
Committee: ECON
Amendment 697 #
Proposal for a regulation
Article 31 – paragraph 1 – introductory part
1. For the purposes of carrying out the duties laid down in this Section, the Lead Overseer shall have the following powers related to ICT risks concerning the ICT services provided by critical ICT third- party service providers to financial entities:
2021/06/01
Committee: ECON
Amendment 701 #
Proposal for a regulation
Article 31 – paragraph 1 a (new)
1 a. When exercising the powers referred to in paragraph 1, the Lead Overseer shall take due account of the framework established by Directive (EU) 2016/1148, in order to avoid unnecessary duplication of technical and organisational measures that might apply to critical ICT third-party service providers pursuant to that Directive.
2021/06/01
Committee: ECON
Amendment 705 #
Proposal for a regulation
Article 31 – paragraph 3 a (new)
3 a. For the purposes of paragraph 1(d), prior to issuing a recommendation, the Lead Overseer shall inform the critical ICT third-party service provider of its intention to issue a recommendation and shall provide an opportunity for the critical ICT third-party service provider to provide information which it reasonably believes should be taken into account before the recommendation is finalised and issued.
2021/06/01
Committee: ECON
Amendment 708 #
Proposal for a regulation
Article 31 – paragraph 6
6. The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be 1% of the average daily worldwide turnover related to services provided to financial entities covered in this regulation of the critical ICT third-party service provider in the preceding business year.
2021/06/01
Committee: ECON
Amendment 716 #
Proposal for a regulation
Article 32 – paragraph 5
5. The Lead Overseer shall, without delay, send a copy of the decision to supply information to the competent authorities of the financial entities using the critical ICT third-party providers’ services. That critical ICT third-party service provider shall notify its clients about the Lead Overseer's recommendations.
2021/06/01
Committee: ECON
Amendment 717 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
(b) access, in a secured way, to certified copies of, or extracts from, such records, data, procedures and other material;
2021/06/01
Committee: ECON
Amendment 723 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises and books or records for the period of, and to the extent necessary for, the inspection, in a way which does not compromise the security of the provider and its customers.
2021/06/01
Committee: ECON
Amendment 733 #
Proposal for a regulation
Article 37 – paragraph 3
3. Competent authorities may, as a measure of last resort and following consultation with the Oversight Forum, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, and as a measure of last resort, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers. Competent authorities shall allow sufficient time to financial entities to adjust their outsourcing and contractual arrangements with critical ICT third-party service providers.
2021/06/01
Committee: ECON
Amendment 740 #
Proposal for a regulation
Article 37 – paragraph 4 – point d a (new)
(d a) whether the suspension or termination means a risk for the business operations of the customer of the critical ICT third-party service provider.
2021/06/01
Committee: ECON
Amendment 748 #
Proposal for a regulation
Article 42 – paragraph 1
1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities shall be invited to participate in the work of the Cooperation Group insofar as that work concerns supervisory and oversight activities, respectively, in relation to entities listed under point (7) of Annex II to Directive (EU) 2016/1148 which have also been designated as critical ICT third-party service providers pursuant to Article 28 of this Regulation.
2021/06/01
Committee: ECON
Amendment 765 #
Proposal for a regulation
Article 56 – paragraph 2
It shall apply from [PO: insert date 24 months after the date of entry into force].
2021/06/01
Committee: ECON