16 Amendments of Francesca DONATO related to 2020/0266(COD)
Amendment 179 #
Proposal for a regulation
Recital 22
(22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete the ICT-related incident reporting regime with the requirements that are currently missing in financial subsector legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to streamline the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities only. In addition, the ESAs should be empowered to further specify ICT-related incident reporting elements such as taxonomy, timeframes, data sets, templates and applicable thresholds, after consultation of the national supervisory authorities.
Amendment 185 #
Proposal for a regulation
Recital 30
(30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, notably uncertainty over the compatibility with the anti-trust and liability rules. Data protection does not constitute an obstacle to intelligence sharing in the financial sector because data protection requirements should be perceived as a basic requirement, which should be complied with to ensure that the rights of individuals within the data operational resilience framework of financial entities are safeguarded. In that regard, the national data protection authorities (DPAs) have an important role to play in promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, as well as the awareness of controllers and processors in relation to their obligations under the General Data Protection Regulation. Moreover, the European Data Protection Board's guidance set out in its guidelines, recommendations and best practices encourages consistent application of the General Data Protection Regulation.
Amendment 199 #
Proposal for a regulation
Recital 43
(43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB, ENISA and national supervisory authorities, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.
Amendment 207 #
Proposal for a regulation
Recital 49
(49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. This Regulation should forbid outsourcing arrangements with third country ICT third-party service providers if those third parties have, or are suspected of having, ties to foreign governments or to foreign militaries. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The ESA designated to conduct the oversight for each critical ICT third-party provider (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service providers where that risk is identified.38
_________________
38 In addition, should the risk of abuse by an ICT third-party service provider considered dominant arise, financial entities should also have the possibility to bring either a formal or an informal complaint with the European Commission or with the national competition law authorities.
Amendment 232 #
Proposal for a regulation
Recital 67
(67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant national competent authorities and the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013,39 and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities.
_________________
39 Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
Amendment 303 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, on an ongoing basis, including data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services, hardware as a service, and hardware services which encompass technical support via software or firmware updates by the hardware provider;
Amendment 331 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 a (new)
(50 a) 'competent authorities' means national competent authorities in accordance with Article 41 or, for credit institutions considered to be significant, the ECB pursuant to Regulation (EU) No 1024/2013.
Amendment 348 #
Proposal for a regulation
Article 5 – paragraph 1
1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size, complexity and risk profile. Such ICT risk management framework shall be based on the three lines of defense model.
Amendment 370 #
Proposal for a regulation
Article 5 – paragraph 10
10. Upon notification to, and approval of, competent authorities, financial entities may outsource the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings. Where such outsourcing occurs, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.
Amendment 422 #
Proposal for a regulation
Article 10 – paragraph 4
4. Financial entities shall put in place, maintain and periodically test appropriate ICT Response and Recovery plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.
Amendment 426 #
Proposal for a regulation
Article 10 – paragraph 5 – point a
(a) test the ICT Business Continuity Policy and the ICT Disaster Recovery Plan at least yearly and after substantive changes to the ICT systems following a risk-based approach;
Amendment 552 #
Proposal for a regulation
Article 21 – paragraph 4
4. Financial entities shall ensure that tests, including threat led penetration testing, are undertaken by independent parties, whether internal or external. In the case of an internal tester, an adequate analysis and identification of the proper resources to be allocated in the design and execution phases of the tests shall be performed, in order to avoid any conflicts of interest and other potential managerial issues.
Amendment 579 #
Proposal for a regulation
Article 23 – paragraph 4 a (new)
4 a. Results of threat led penetration testing, including those performed under the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), shall be mutually recognized within the Union among competent authorities.
Amendment 618 #
Proposal for a regulation
Article 26 – paragraph 2 – subparagraph 1 a (new)
With regard to the respect of data protection referred to in point (a), financial entities shall comply with the requirements of Chapter V of Regulation (EU) 2016/679, as interpreted in the case-law of the Court of Justice of the European Union.
Amendment 653 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The designation referred to in point (a) of paragraph 1 shall be based on all of the following criteria:
-a) on the basis of a structured risk-based approach which takes into account both the provider and the nature of the service it provides;
Amendment 660 #
Proposal for a regulation
Article 28 – paragraph 2 a (new)
2 a. The designation shall not apply in relation to intragroup ICT third-party service providers.