2020/0266(COD) Digital finance: Digital Operational Resilience Act (DORA)
Lead committee dossier:
Progress: Procedure completed
| Role | Committee | Rapporteur | Shadows |
|---|---|---|---|
| Lead | ECON |
KELLEHER Billy ( Renew)
|
FITZGERALD Frances ( EPP),
SANT Alfred ( S&D),
PEKSA Mikuláš ( Verts/ALE),
BECK Gunnar ( ID),
RZOŃCA Bogdan ( ECR),
GUSMÃO José ( GUE/NGL)
|
| Committee Opinion | ITRE | ||
| Committee Opinion | IMCO |
Lead committee dossier:
Legal Basis:
TFEU 114-p1
Legal Basis:
TFEU 114-p1Subjects
Events
2023/01/17
EC - Commission response to text adopted in plenary
Documents
2022/12/27
Final act published in Official Journal
Details
PURPOSE: to strengthen the IT security of financial entities such as banks, insurance companies and investment firms to enable the European financial sector to maintain resilient operations in the event of a serious operational breaches.
LEGISLATIVE ACT: Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
CONTENT: the Digital Operational Resilience Regulation ( DORA Regulation ) uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.
DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.
Uniform requirements
DORA sets uniform requirements for the security of networks and information systems of companies and organisations operating in the financial sector, as follows:
- requirements for financial entities with regard to: (i) information and communication technology (ICT) risk management ; (ii) reporting of major ICT incidents to the competent authorities and voluntary reporting of significant cyber threats to the competent authorities; (iii) reporting of major payment-related operational or security incidents by financial entities to the competent authorities; (iv) digital operational resilience testing; (v) information and intelligence sharing in relation to cyber threats and vulnerabilities; (vi) measures to ensure sound risk management of third-party ICT service providers;
- requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
- rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;
- rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.
Scope of application
The new Regulation will apply to almost all financial entities . It will not apply to insurance intermediaries that are micro, small or medium-sized enterprises. Auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
Proportionality principle
The efforts asked from financial entities will be proportional to the potential risks. The Regulation states that financial entities will implement the rules on the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
Governance and organisation
Financial entities will:
- have a governance and internal control framework that ensures effective and prudent management of ICT risk to achieve a high level of digital operational resilience;
- have a robust, comprehensive and well-documented ICT risk management framework that enables them to respond to ICT risk in a timely, efficient and comprehensive manner and to ensure a high level of digital operational resilience;
- put in place mechanisms to promptly detect anomalous activities . All detection mechanisms will be regularly tested.
Framework for the supervision of critical third-party ICT service providers
Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
To ensure that critical ICT third-party service providers are appropriately and effectively overseen on a Union level, this Regulation provides that any of the three European Supervisory Authorities (ESAs) will be designated as a Lead Overseer.
Lead Overseers will be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of critical ICT third-party service providers and to obtain complete and updated information.
To ensure a consistent approach to oversight activities and with a view to enabling coordinated general oversight strategies and cohesive operational approaches and work methodologies, the three Lead Overseers appointed will set up a Joint Oversight Network to coordinate among themselves in the preparatory stages and to coordinate the conduct of oversight activities over their respective overseen critical ICT third–party service providers.
The Lead Overseer will also exercise its supervisory powers in third countries.
Digital operational resilience testing
To assess preparedness to deal with ICT-related incidents, identify weaknesses, deficiencies and gaps in digital operational resilience and promptly implement corrective measures, financial entities, other than micro-enterprises, will establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework.
Under the Regulation, penetration tests will be carried out in functioning mode, and it will be possible to include several Member States’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
ENTRY INTO FORCE: 16.1.2023. The Regulation will apply from 17.1.2025.
2022/12/14
CSL - Draft final act
Documents
2022/12/14
CSL - Final act signed
2022/11/28
EP/CSL - Act adopted by Council after Parliament's 1st reading
2022/11/10
EP - Results of vote in Parliament
Documents
2022/11/10
EP - Decision by Parliament, 1st reading
Details
The European Parliament adopted by 556 votes to 18, with 38 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014.
The Digital Operational Resilience Regulation (DORA) aims to achieve a high level of digital operational resilience for all regulated financial entities, such as banks, insurance companies and investment firms.
DORA creates a regulatory framework on digital operational resilience in which all firms must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The new rules will provide a strong framework to strengthen IT security in the financial sector.
The European Parliament's first reading position under the ordinary legislative procedure amends the proposal as follows:
Uniform requirements
DORA sets uniform requirements for the security of networks and information systems of companies and organisations operating in the financial sector, as follows:
- requirements for financial entities with regard to: (i) information and communication technology (ICT) risk management; (ii) reporting of major ICT incidents to the competent authorities and voluntary reporting of significant cyber threats to the competent authorities; (iii) reporting of major payment-related operational or security incidents by financial entities to the competent authorities; (iv) digital operational resilience testing; (v) information and intelligence sharing in relation to cyber threats and vulnerabilities; (vi) measures to ensure sound risk management of third-party ICT service providers;
- requirements for contractual arrangements between third party ICT service providers and financial entities;
- rules on the establishment of the supervisory framework applicable to critical third-party ICT service providers when providing services to financial entities, as well as those related to the exercise of tasks within that framework.
Scope of application
The new regulation should apply to almost all financial entities . It should not apply to insurance intermediaries that are micro, small or medium-sized enterprises. Auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.
Proportionality principle
The amended text clarifies that financial entities should implement risk management rules in accordance with the proportionality principle, taking into account their size and overall risk profile as well as the nature, scale and complexity of their services, activities and operations.
Governance and organisation
Financial entities should have a governance and internal control framework that ensures effective and prudent management of ICT risk to achieve a high level of digital operational resilience. The management body of the financial entity should define, approve, oversee and be responsible for the implementation of all provisions of the ICT risk management framework.
Critical ICT third–party service providers
The European Supervisory Authorities (ESAs), through the Joint Committee and upon recommendation from the Oversight Forum established pursuant to the Regulation should designate the ICT third–party service providers that are critical for financial entities, following an assessment.
In order for supervision to be properly implemented, financial entities should only be able to use the services of an ICT third-party service provider and which has been designated as critical if it has established a subsidiary in the EU within 12 months of the designation.
Oversight framework
Lead Overseers should be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of critical ICT third–party service providers and to obtain complete and updated information. Those powers should enable the Lead Overseer (i.e. the ESA designated in accordance with the Regulation) to acquire real insight into the type, dimension and impact of the ICT third–party risk posed to financial entities and ultimately to the Union’s financial system.
To ensure a consistent approach to oversight activities and with a view to enabling coordinated general oversight strategies and cohesive operational approaches and work methodologies, the three Lead Overseers appointed should set up a Joint Oversight Network to coordinate among themselves in the preparatory stages and to coordinate the conduct of oversight activities over their respective overseen critical ICT third–party service providers.
The Lead Overseer should also be able to exercise its supervisory powers in third countries . The exercise of these powers in third countries should enable the Lead Overseer to examine the facilities from which ICT or technical support services are actually provided or managed by the critical third party ICT service provider.
Digital operational resilience testing
In order to assess preparedness to deal with ICT-related incidents, identify weaknesses, deficiencies and gaps in digital operational resilience and promptly implement corrective measures, financial entities, other than micro-enterprises, should establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework.
Under the amended Regulation, penetration tests should be carried out in functioning mode, and it should be possible to include several Member States’ authorities in the test procedures. The use of internal auditors will be possible only in a number of strictly limited circumstances, subject to safeguard conditions.
Data protection
The ESAs and the competent authorities should be allowed to process personal data only where necessary for the purpose of carrying out their respective obligations and duties pursuant to this Regulation, in particular for investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight plans.
Documents
2022/11/09
EP - Debate in Parliament
Documents
2022/07/12
EP - Approval in committee of the text agreed at 1st reading interinstitutional negotiations
Documents
2022/07/07
EP - Text agreed during interinstitutional negotiations
Documents
2022/06/29
CSL - Coreper letter confirming interinstitutional agreement
Documents
2021/12/15
EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2021/12/13
EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2021/12/07
EP - Committee report tabled for plenary, 1st reading
Details
The Committee on Economic and Monetary Affairs adopted the report by Billy KELLEHER (Renew Europe, IE) on the proposal for a regulation of the European Parliament and of the Council on the digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014.
The Commission's proposal for a legislative act on digital operational resilience in the financial sector (DORA) aims to establish uniform requirements for the security of networks and information systems to provide a comprehensive framework that will improve the management of digital risks by financial entities.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Uniform requirements
The requirements for financial entities will concern: (i) information and communication technology (ICT) risk management; (ii) reporting of major IT-related incidents to the competent authorities; (iii) reporting of major payment-related operational or security incidents by credit, payment and electronic money institutions to the competent authorities; (iv) digital operational resilience testing; (v) information and intelligence sharing in relation to cyber threats and vulnerabilities; and (vi) measures to ensure sound risk management of third-party ICT service providers by financial entities.
This Regulation would be without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security.
Scope of application
The proposal should apply to insurance intermediaries, that are not micro, small or medium-sized enterprises , with the exception of undertakings which rely exclusively on organised automated sales systems. Statutory auditors and small and medium-sized audit firms would also be excluded from the scope of the Regulation, with some exceptions. The Regulation would apply to ICT intra-group service providers, with the exception of the supervisory framework in Chapter V.
Proportionality principle
The amended text clarifies that financial entities should implement the rules introduced by Chapters II (risk management), III (management, classification and reporting of IT incidents) and IV (resilience testing) in accordance with the principle of proportionality, taking into account their size, the nature, scale and complexity of their services, activities and operations and their overall risk profile.
The Regulation should not apply to small non-interconnected investment firms, credit institutions and electronic money institutions exempted under the relevant EU directives. It should also not apply to small institutions for occupational retirement pensions. However, these exempted firms and entities would have to put in place a sound and well-documented ICT risk management framework, which would be reviewed at least once a year.
Governance and organisation
Financial entities should have in place an internal governance and a control framework that ensures an effective and prudent management of all ICT risks, with a view to achieving a high level of digital operational resilience. The management body should bear the ultimate responsibility for managing the financial entity’s ICT risks and put in place procedures and policies that aim to ensure the maintenance of high standards of security, confidentiality and integrity of data.
Risk identification, protection, prevention, detection
Financial entities should, inter alia , (i) review as needed, and at least yearly, the criticality or importance of ICT-related business functions; (ii) ensure that data is protected from internal ICT risks, including poor administration, processing-related risks and human error; (iii)
record all ICT-related incidents that have an impact on the stability, continuity or quality of financial services, including where the incident has or is likely to have an impact on such services.
The purpose of the ICT business continuity policy should be to manage and mitigate risks that may adversely affect the ICT systems and services of financial entities and to facilitate their rapid recovery if necessary.
ICT security awareness programmes should apply to all staff, while the digital operational resilience trainings should apply to, at least, all employees with rights of direct access to the ICT systems and to senior management staff.
Reporting major ICT-related incidents
Financial entities could notify, on a voluntary basis , significant cyber threats to the relevant competent authority where they deem the threat to be of relevance to the financial system, service users or clients.
The competent authority should be informed in any event within 24 hours of becoming aware of an incident in respect of incidents that significantly disrupt the availability of services provided by the entity or that affect the integrity, confidentiality or security of personal data held by the financial entity. For incidents that have a significant impact other than on the availability of services provided by the financial entity, the competent authority should be informed within 72 hours.
Upon receipt of the incident report, the competent authority should provide details of the major IT incident to EBA, ESMA or EIOPA, and the ECB, as appropriate, as soon as possible. The Single Resolution Board (SRB) should be informed where the affected financial entity falls under the Single Resolution Mechanism Regulation, while the CSIRTs should be notified where the affected entities fall under the CRS Directive.
Testing
Threat led penetration testing should cover at least the critical or important functions and services of a financial entity . In addition, the text has been amended with regard to the involvement of an ICT third-party service provider. Where the involvement of ICT third-party service provider could potentially have an impact on the quality, confidentiality or security of the ICT third-party provider’s services to other customers, the ICT third-party service provider may contractually agree that the ICT third-party service provider is permitted to enter directly into contractual arrangements with an external tester. ICT third-party service providers may also enter into such arrangements on behalf of all their financial entity service users in order to conduct pooled testing.
At the end of the test, once the reports and remediation plans have been approved, the financial entity and the external testers should provide the single public authority designated under the Regulation with a confidential summary of the test results and documentation confirming that the threat led penetration test was conducted in accordance with the requirements.
Sound management of ICT third-party risks by financial entities
Financial entities should maintain and update a register of information relating to all contractual arrangements for the use of IT services provided by third-party IT service providers that support critical or important functions. Contractual arrangements for the use of ICT services should allow financial entities to take appropriate remedial action, which could include wholly terminating the arrangements, if no rectification is possible, or partially terminating the arrangements, if rectification is possible, under applicable law.
With a view to reducing the risk of disruptions at the level of the financial entity, in duly justified circumstances and in agreement with its competent authorities, the financial entity may decide not to terminate the contractual arrangements with the ICT third-party service provider until it is able to switch to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
Lastly, where contractual arrangements for the use of ICT services that support critical or important functions are entered into with a third-party ICT service provider established in a third country , financial entities should also take into account compliance with data protection and the effective enforcement of the rules set out in this Regulation.
Documents
2021/12/01
EP - Vote in committee, 1st reading
2021/12/01
EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2021/10/26
IT_CHAMBER - Contribution
Documents
2021/05/27
EP - Amendments tabled in committee
Documents
2021/05/10
EDPS - Document attached to the procedure
Documents
2021/05/09
RO_SENATE - Contribution
Documents
2021/03/17
EP - Committee draft report
Documents
2021/03/08
PT_PARLIAMENT - Contribution
Documents
2021/02/21
ES_PARLIAMENT - Contribution
Documents
2020/12/17
EP - Committee referral announced in Parliament, 1st reading
2020/12/15
CZ_CHAMBER - Contribution
Documents
2020/10/15
EP - KELLEHER Billy (Renew) appointed as rapporteur in ECON
2020/09/24
EC - Document attached to the procedure
Documents
2020/09/24
EC - Document attached to the procedure
Documents
2020/09/24
EC - Document attached to the procedure
Documents
2020/09/24
EC - Legislative proposal published
Details
PURPOSE: to lay down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities with a view to achieving a high level of digital operational resilience for the financial sector.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: this proposal is part of the Digital Finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks. The digital finance package includes a new Strategy on digital finance for the EU financial sector with the aim to ensure that the Union’s financial services legislation is fit for the digital age, and contributes to a future-ready economy that works for the people, including by enabling the use of innovative technologies. The Union has a stated and confirmed policy interest in developing and promoting the uptake of transformative technologies in the financial sector, including blockchain and distributed ledger technology (DLT).
This package also includes a proposal for a pilot regime on distributed ledger technology market infrastructures, a proposal on crypto-asset markets, and a proposal to clarify or amend certain related EU financial services rules.
The use of digital, or Information and Communication Technologies (ICT) has in the last decades gained a pivotal role in finance, assuming today critical relevance in the operation of typical daily functions of all financial entities. Digitalisation covers, for instance, payments, which have increasingly moved from cash and paper-based methods to the use of digital solutions.
However, digital, or Information and Communication Technologies (ICT), gives rise to opportunities as well as risks. Risks include an increased threat to cyber attacks and ICT disruptions.
ICT risks pose challenges to the operational resilience, performance and stability of the EU financial system. The absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies).
This situation fragments the single market, undermines the stability and integrity of the EU financial sector, and jeopardises the protection of consumers and investors.
It is therefore necessary to put in place a detailed and comprehensive framework on digital operational resilience for EU financial entities.
CONTENT: this proposal aims to put into place a comprehensive framework which shall enhance digital risk management. In particular, it seeks to strengthen and streamline the financial entities’ conduct of ICT risk management, establish a thorough testing of ICT systems, increase supervisors’ awareness of cyber risks and ICT-related incidents faced by financial entities, as well as introduce powers for financial supervisors to oversee risks stemming from financial entities’ dependency on ICT third-party service providers.
Scope of the Regulation
To ensure consistency around the ICT risk management requirements applicable to the financial sector, the proposed Regulation shall cover a range of financial entities regulated at Union level, namely inter alia: (i) credit institutions, (ii) payment institutions, (iii) electronic money institutions, (iv) investment firms, crypto-asset service providers, (v) central securities depositories, (vi) central counterparties, (vii) trading venues, (viii) trade repositories, (ix) credit rating agencies, (x) crowdfunding service providers.
Such a coverage facilitates a homogenous and coherent application of all components of the risk management on ICT-related areas, while safeguards the level playing field among financial entities in respect of their regulatory obligations on ICT risk.
Governance related requirements
As this proposed Regulation is designed to better aligning financial entities’ business strategies and the conduct of the ICT risk management, the management body shall be required to maintain a crucial, active role in steering the ICT risk management framework and shall pursue the respect of a string cyber hygiene.
ICT risk management requirements
Digital operational resilience is rooted in a set of key principles and requirements on ICT risk management framework, in line with the joint ESAs technical advice. These requirements, inspired from relevant international, national and industry-set standards, guidelines and recommendations, revolve around specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication). To keep pace with a quickly evolving cyber threat landscape, financial entities are required to set-up and maintain resilient ICT systems and tools that minimize the impact of ICT risk.
ICT-related incident reporting
The proposal shall create a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities and strengthen supervisory effectiveness. The reporting shall be processed using a common template and following a harmonised procedure as developed by the ESAs.
Digital operational resilience testing
The capabilities and functions included in the ICT risk management framework need to be periodically tested for preparedness and identification of weaknesses, deficiencies or gaps, as well as the prompt implementation of corrective measures. This proposal allows for a proportionate application of digital operational resilience testing requirements depending on the size, business and risk profiles of financial entities.
Information sharing
To raise awareness on ICT risk, minimise its spread, support financial entities’ defensive capabilities and threat detection techniques, the proposed Regulation shall allow financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence. All voluntary information sharing arrangements between financial entities that this Regulation promotes would be conducted in trusted environments in full respect of Union data protection rules.
Budgetary implications
As the current Regulation foresees an enhanced role for the ESAs by means of powers granted upon them to adequately oversee critical ICT third-party providers, the proposal would entail the deployment of increased resources, in particular to fulfil the oversight missions (such as onsite and online inspections and audits exercises) and the use of staff possessing specific ICT security expertise.
The scale and distribution of these costs will depend on the extent of the new oversight powers and the (precise) tasks to be performed by the ESAs.
The estimated total cost impact is approximately EUR 30.19 million for the period 2022 - 2027. Therefore, no impact on EU budget appropriations is foreseen (except for the additional staff), as these costs will be fully funded by fees.
Documents
Documents
- Commission response to text adopted in plenary: SP(2022)688
- Final act published in Official Journal: Regulation 2022/2554
- Final act published in Official Journal: OJ L 333 27.12.2022, p. 0001
- Draft final act: 00041/2022/LEX
- Results of vote in Parliament: Results of vote in Parliament
- Decision by Parliament, 1st reading: T9-0381/2022
- Debate in Parliament: Debate in Parliament
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE734.260
- Text agreed during interinstitutional negotiations: PE734.260
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2022)005010
- Committee report tabled for plenary, 1st reading: A9-0341/2021
- Contribution: COM(2020)0595
- Amendments tabled in committee: PE693.603
- Document attached to the procedure: OJ C 229 15.06.2021, p. 0016
- Document attached to the procedure: N9-0035/2021
- Contribution: COM(2020)0595
- Committee draft report: PE689.801
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SEC(2020)0307
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2020)0198
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2020)0199
- Legislative proposal published: COM(2020)0595
- Legislative proposal published: EUR-Lex
- Document attached to the procedure: EUR-Lex SEC(2020)0307
- Document attached to the procedure: EUR-Lex SWD(2020)0198
- Document attached to the procedure: EUR-Lex SWD(2020)0199
- Committee draft report: PE689.801
- Document attached to the procedure: OJ C 229 15.06.2021, p. 0016 N9-0035/2021
- Amendments tabled in committee: PE693.603
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2022)005010
- Text agreed during interinstitutional negotiations: PE734.260
- Draft final act: 00041/2022/LEX
- Commission response to text adopted in plenary: SP(2022)688
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
- Contribution: COM(2020)0595
Activities
- Seán KELLY
Plenary Speeches (1)
- Gunnar BECK
Plenary Speeches (1)
Votes
Finance numérique: règlement sur la résilience opérationnelle numérique (DORA) - Digital finance: Digital Operational Resilience Act (DORA) - Digitales Finanzwesen: Verordnung über die Betriebsstabilität digitaler Systeme des Finanzsektors (DORA) - A9-0341/2021 - Billy Kelleher - Accord provisoire - Am 2 #
2022/11/10 Outcome: +: 556, 0: 38, -: 18
PPE
NI
The Left| Amendments | Dossier |
| 609 |
2020/0266(COD)
2021/06/01
ECON
609 amendments...
Amendment 157 #
Proposal for a regulation Recital 1 (1) In the digital age, information and communication technology (ICT) supports complex systems used for everyday societal activities. It keeps our economies running in key sectors, including finance, and enhances the functioning of the single market. Increased digitalisation and interconnectedness also amplify ICT risks making society as a whole - and the financial system in particular - more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are nowadays core features of all activities of Union financial entities, digital resilience
Amendment 158 #
Proposal for a regulation Recital 2 (2) The use of ICT has in the last decades gained a pivotal role in finance, assuming today critical relevance in the operation of typical daily functions of all financial entities. Digitalisation covers, for instance, payments, which have increasingly moved from cash and paper- based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic
Amendment 159 #
Proposal for a regulation Recital 4 (4) In recent years, ICT risks have attracted the attention of national, European and international policy makers, regulators and standard-setting bodies in an attempt to enhance resilience, set standards and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Markets Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 groups of countries aim to provide competent authorities and market operators across different jurisdictions with tools to bolster the resilience of their financial systems. Consequently, it is necessary to consider cyber risk in the context of a highly interconnected global financial system in which consistency of international regulation and cooperation between competent authorities globally needs to be prioritised.
Amendment 160 #
Proposal for a regulation Recital 8 (8) The Union financial sector is regulated by a harmonised Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling digital operational resilience and ICT security are not fully or consistently harmonised yet, despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and no less important than for example common prudential or market conduct standards. The Single Rulebook and system of supervision should therefore be developed to also cover this component, by
Amendment 161 #
Proposal for a regulation Recital 9 (9) L
Amendment 162 #
Proposal for a regulation Recital 10 a (new) (10 a) Establishing and maintaining adequate network and information system infrastructures is also a fundamental precondition for effective risk data aggregation and risk reporting practices, which are in turn an essential requisite for the sound and sustainable risk management and decision-making processes of credit institutions. In 2013, the Basel Committee on Banking Supervision published a set of principles for effective risk data aggregation and risk reporting(‘BCBS 239’) based on two overarching principles of governance and IT infrastructure, to be implemented by the beginning of 2016. According to the Basel Progress Report of April 2020 and the ECB Report on the Thematic Review of May 2018 on effective risk data aggregation and risk reporting, the implementation progress made by global systemically important banks was unsatisfactory and a source of concern. In order to facilitate compliance and alignment with international standards, the Commission, in close cooperation with the ECB and after consulting EBA and ESRB, should produce a report in order to assess how the BCBS 239 principles interact with the provisions of the DORA Regulation and, if appropriate, how those principles should be incorporated into Union law.
Amendment 163 #
Proposal for a regulation Recital 12 – point 1 Through this exercise, which consolidates and updates rules on ICT risk, all provisions addressing digital risk in finance would for the first time be brought together in a consistent manner in a single legislative act. This initiative should thus fill in the gaps or remedy inconsistencies in some of those legal acts, including in relation to the terminology used therein, and should explicitly refer to ICT risk via targeted rules on ICT risk management capabilities, reporting and testing and third party risk monitoring. This initiative also intends to raise awareness of ICT risks and acknowledges that ICT incidents and lack of operational resilience might jeopardise the financial soundness of financial entities.
Amendment 164 #
Proposal for a regulation Recital 13 – introductory part (13) Financial entities should follow the same approach and the same principle- based rules when addressing ICT risk, according to their size, nature, complexity and risk profile. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of overuse of ICT systems, platforms and infrastructures, which entails increased digital risk.
Amendment 165 #
Proposal for a regulation Recital 13 – introductory part (13) Financial entities should follow the same approach and the same principle- based rules when addressing ICT risk. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of
Amendment 166 #
Proposal for a regulation Recital 14 Amendment 167 #
Proposal for a regulation Recital 14 a (new) (14 a) However, that approach should in no way be taken to mean that, in its implementation, this Regulation should serve to hamper innovation and flexibility with regard to how financial entities deal with resilience issues while complying with its provisions. Through dialogue with supervisory authorities, which should acknowledge the virtues of flexibility, there will be full scope for adaptation and innovation while fully maintaining a high level of resilience.
Amendment 168 #
Proposal for a regulation Recital 16 – introductory part (16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in respect to those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for the financial sector, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.
Amendment 169 #
Proposal for a regulation Recital 16 – introductory part (16) As this Regulation raises the level of harmonisation on digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in respect to those laid down in the current Union financial services legislation, this constitutes an increased harmonisation also by comparison to requirements laid down in Directive (EU) 2016/1148. Consequently, for financial entities, this Regulation constitutes lex specialis to Directive (EU) 2016/1148.
Amendment 170 #
Proposal for a regulation Recital 17 – point 1 ESAs and national competent authorities, respectively should be able to participate in the strategic policy discussions and the technical workings of the NIS Cooperation Group, respectively, exchanges information and further cooperate with the single points of contact designated under Directive (EU) 2016/1148. The competent authorities under this Regulation should also consult and cooperate with the national CSIRTs designated in accordance with Article 9 of Directive (EU) 2016/1148, in particular when finalising the Oversight plan for, or recommendations addressed to, critical ICT third-party service providers, in order to ensure that there are no inconsistencies or duplications with critical ICT third- party service providers' obligations under Directive (EU) 2016/1148.
Amendment 171 #
Proposal for a regulation Recital 18 (18) It is also important to ensure consistency with both the European Critical Infrastructure (ECI) Directive, which is
Amendment 172 #
Proposal for a regulation Recital 19 (19) Cloud computing service providers are one category of digital service providers covered by Directive (EU) 2016/1148. As such they are subject to ex- post supervision carried out by the national authorities designated according to that Directive, which is limited to requirements on ICT security and incident notification laid down in that act. Since the Oversight Framework established by this Regulation applies to all critical ICT third-party service providers, including cloud computing service providers, when they provide ICT services to financial entities, it should be considered complementary to the supervision that is taking place under Directive (EU) 2016/1148 and both substantive and procedural requirements applicable to critical ICT third-party service providers under this Regulation should be coherent and seamless with those applicable under that Directive. Moreover, the Oversight Framework established by this Regulation should cover cloud computing service providers in the absence of a Union horizontal sector-agnostic framework establishing a Digital Oversight Authority.
Amendment 173 #
Proposal for a regulation Recital 20 (20) To remain in full control of ICT risks, financial entities need to have in place comprehensive capabilities enabling a strong and effective ICT risk management, alongside specific mechanisms and policies for ICT-related incident reporting, testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience bar for the financial system should be raised while allowing for a proportionate application of requirements
Amendment 174 #
Proposal for a regulation Recital 20 (20) To remain in full control of ICT risks, financial entities need to have in place comprehensive capabilities enabling a strong and effective ICT risk management, alongside specific mechanisms and policies for ICT-related incident reporting, testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience bar for the financial system should be raised while allowing for a proportionate application of requirements for financial entities which are micro and small enterprises as defined in Commission
Amendment 175 #
Proposal for a regulation Recital 20 a (new) (20 a) Where financial entities are required to report ICT-related incidents under this Regulation or under other Union or national law, the competent authorities should ensure that the reporting process is streamlined and done in a manner which utilises the model of a ‘one-stop shop’ authority in order to facilitate efficient reporting. Furthermore, given the regulatory framework under the Single Rulebook and cybersecurity legislation, national legislators and competent authorities at both Union and national level should ensure that the principle of proportionality is strictly followed in order to prevent an excessive burden on market participants.
Amendment 176 #
Proposal for a regulation Recital 21 (21) ICT-related incident reporting thresholds and taxonomies vary significantly at national level.
Amendment 177 #
Proposal for a regulation Recital 21 a (new) (21 a) In order to reduce the administrative burden and avoid complexity and duplicative reporting requirements for payment service providers that fall within the scope of this Regulation, the incident reporting requirements under Directive (EU) 2015/2366 should cease to apply. As such, credit institutions, e-money institutions and payment institutions should report, under this Regulation, all operational or security payment-related and non- payment related incidents that were previously reported under Directive (EU) 2015/2366, irrespective of whether the incidents are ICT-related or not.
Amendment 178 #
Proposal for a regulation Recital 22 (22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT-
Amendment 179 #
Proposal for a regulation Recital 22 (22) To enable competent authorities to fulfil their supervisory roles by obtaining a complete overview of the nature, frequency, significance and impact of ICT- related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, it is necessary to lay down rules in order to complete the ICT-related incident reporting regime with the requirements that are currently missing in financial subsector legislation and remove any existing overlaps and duplications to alleviate costs. It is therefore essential to
Amendment 180 #
Proposal for a regulation Recital 23 (23) Digital operational resilience testing requirements have developed in some financial subsectors within several and
Amendment 181 #
Proposal for a regulation Recital 24 (24) In addition, where no testing is required, vulnerabilities remain undetected putting the financial entity and ultimately the financial sector’s stability and integrity
Amendment 182 #
Proposal for a regulation Recital 28 (28) There exists a lack of homogeneity and convergence on ICT third party risk and ICT third-party dependencies. Despite some efforts to tackle the specific area of outsourcing such as the 2017 recommendations on outsourcing to cloud service providers,34 the issue of systemic risk which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers is barely addressed in Union legislation. This lack at Union level is compounded by the absence of specific mandates and tools allowing national supervisors to acquire a good understanding of ICT third-party dependencies and adequately monitor risks
Amendment 183 #
Proposal for a regulation Recital 29 (29) Taking into account the potential systemic risks entailed by the increased outsourcing practices and by the ICT third- party concentration, and mindful of the insufficiency of national mechanisms enabling financial superiors to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third- party service providers, it is necessary to establish an appropriate Union oversight framework allowing for a
Amendment 184 #
Proposal for a regulation Recital 29 (29) Taking into account the potential systemic risks entailed by the increased outsourcing practices and by the ICT third- party concentration, and mindful of the insufficiency of national mechanisms enabling financial superiors to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third- party service providers, it is necessary to establish an appropriate Union oversight framework allowing for a continuous monitoring of the activities of ICT third- party service providers that are critical providers to financial entities. As intra- group provision of ICT services does not carry the same risks, service providers that are part of the same group or institutional protection scheme should not be defined as critical ICT third-party service providers.
Amendment 185 #
Proposal for a regulation Recital 30 (30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors
Amendment 186 #
Proposal for a regulation Recital 30 (30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain
Amendment 187 #
Proposal for a regulation Recital 33 (33) Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into consideration significant differences between financial entities in terms of size,
Amendment 188 #
Proposal for a regulation Recital 33 (33) Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into consideration significant differences between financial entities in terms of size, business profiles or exposure to digital risk. As a general principle, when directing resources and capabilities to the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their
Amendment 189 #
Proposal for a regulation Recital 34 Amendment 190 #
Proposal for a regulation Recital 34 – introductory part (34) As larger financial entities may enjoy wider resources and could swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities which are not
Amendment 191 #
Proposal for a regulation Recital 35 Amendment 192 #
Proposal for a regulation Recital 35 (35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than
Amendment 193 #
Proposal for a regulation Recital 35 (35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all costs and losses caused by significant ICT disruptions and the results of post-
Amendment 194 #
Proposal for a regulation Recital 35 (35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than micro enterprises should be asked to regularly report to the competent authorities all estimated costs and losses caused by ICT disruptions and the results of post-
Amendment 195 #
Proposal for a regulation Recital 39 a (new) (39 a) Sharing of threat intelligence should be compulsory; financial institutions should be legally obliged to file reports of known threats to their NCAs and relevant ESA. The information could then be shared if requested (confidentially and anonymously), through a central clearing house, such as an EU Hub for Incident Reporting.
Amendment 196 #
Proposal for a regulation Recital 39 b (new) (39 b) The collective interest in preventing systemic instability and wide- ranging harm to the financial system clearly outweighs any individual institution’s interest in protecting commercial secrets or preventing damage to its reputation. Nevertheless, proper mechanisms for the confidential exchange and handling of incident data should be put in place to mitigate the risk of leaks.
Amendment 197 #
Proposal for a regulation Recital 41 a (new) (41 a) The definition of critical or important functions in this Regulation should encompass critical functions as defined in Directive (EU) 2014/59. Thereby, functions that are deemed to be critical functions pursuant to Directive (EU) 2014/59 should be deemed to be critical or important within the meaning of this Regulation.
Amendment 198 #
Proposal for a regulation Recital 43 (43)
Amendment 199 #
Proposal for a regulation Recital 43 (43) Further reflection on the possible centralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merely centralising reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB
Amendment 200 #
Proposal for a regulation Recital 44 (44) In order to achieve robust digital operational resilience, and in line with international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing, financial entities should regularly test their ICT systems and staff with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests). Digital operational resilience testing should thus be more demanding for significant financial entities (such as large credit institutions, stock exchanges, central securities depositories, central counterparties, etc.). At the same time, digital operational resilience testing should also be more relevant for some
Amendment 201 #
Proposal for a regulation Recital 45 (45) To ensure a sound monitoring of ICT third-party risk, it is necessary to lay down a set of principle-based rules to guide financial entities’ monitoring of risk arising in the context of outsourced functions to ICT third-party services providers, particularly regarding the provision of critical or important functions by ICT third-party service providers, and, more generally, in the context of ICT third-
Amendment 202 #
Proposal for a regulation Recital 47 (47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a
Amendment 203 #
Proposal for a regulation Recital 47 (47) The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated strategy, rooted in a continuous screening of all such ICT third-party dependencies. To enhance supervisory awareness over ICT third-party dependencies, and with a view to further support the Oversight Framework established by this Regulation, financial supervisors should regularly receive essential information from the Registers and should be able to request extracts
Amendment 204 #
Proposal for a regulation Recital 48 (48) A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, while
Amendment 205 #
Proposal for a regulation Recital 48 (48) A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, while termination of contracts should be prompted by at least a set of circumstances that show severe shortfalls at the ICT third- party service provider.
Amendment 206 #
Proposal for a regulation Recital 49 (49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The
Amendment 207 #
Proposal for a regulation Recital 49 (49) To address the systemic impact of ICT third-party concentration risk, a balanced solution through a flexible and gradual approach should be promoted since rigid caps or strict limitations may hinder business conduct and contractual freedom. Financial entities should thoroughly assess contractual arrangements to identify the likelihood for such risk to emerge, including by means of in-depth analyses of sub-outsourcing arrangements, notably when concluded with ICT third-party service providers established in a third country. This Regulation should forbid outsourcing arrangements with third country ICT third-party service providers if those third parties have, or are suspected of having, ties to foreign governments or to foreign militaries. At this stage, and with a view to strike a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to provide for strict caps and limits to ICT third-party exposures. The ESA designated to conduct the oversight for each critical ICT third- party provider (“the Lead Overseer”) should in the exercise of oversight tasks pay particular attention to fully grasp the magnitude of interdependences and discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and should provide instead for a dialogue with critical ICT third-party service
Amendment 208 #
Proposal for a regulation Recital 52 (52) To ensure that financial entities remain in full control of all developments which may impair their ICT security, notice periods and reporting obligations of the ICT third-party service provider should be set out in case of developments with a potential material impact on the ICT third- party service provider’s ability to effectively carry out critical or important functions, including the provision of assistance by the latter in case of an ICT- related incident
Amendment 209 #
Proposal for a regulation Recital 53 (53) Rights of access, inspection and audit by the financial entity or an appointed third party should cover the full range of relevant ICT systems, networks, devices, information and data either used for, or contributing to, the provision of services to financial entities. They are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
Amendment 210 #
Proposal for a regulation Recital 53 (53) Rights of access, inspection and audit by the financial entity or an appointed third party, in relation to the use of ICT services provided by the third-party service provider concerning critical or important functions, are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to
Amendment 211 #
Proposal for a regulation Recital 53 (53) Rights of access, inspection and audit by the financial entity or an appointed third party shall cover only critical and important functions and are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
Amendment 212 #
Proposal for a regulation Recital 54 (54) Contractual arrangements should provide for clear termination rights as a solution of last resort and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the
Amendment 213 #
Proposal for a regulation Recital 54 (54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. Moreover, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In line with the resolution authorities’ expectations, credit institutions should ensure that the relevant contracts for ICT services are resolution-resilient. As long as critical and important ICT functions continue to be performed, those financial entities should ensure that the contracts foresee, among other requirements, non- termination, non-suspension and non- modification clauses on the grounds of restructuring or resolution.
Amendment 214 #
Proposal for a regulation Recital 54 (54) Contractual arrangements should provide for clear termination rights and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service. In addition, credit institutions should also ensure that the relevant ICT contracts are robust and fully enforceable in the event of resolution of the credit institution. In that regard, credit institutions should include, in the relevant contracts for ICT services, resolution- resilient clauses, which ensure, among other requirements, non-termination, suspension or modification on the grounds of resolution as long as substantive obligations continue to be performed.
Amendment 215 #
Proposal for a regulation Recital 57 (57) Since only critical third-party service providers warrant a special treatment, a designation mechanism for the purposes of applying the Union Oversight Framework should be put in place to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers, which translates into a set of quantitative and qualitative criteria that would set the criticality parameters as a basis for inclusion into the Oversight. Critical ICT third-party service providers which are not automatically designated by virtue of the application of the above-mentioned criteria should have the possibility to voluntary opt-in to the Oversight Framework, while those ICT third-party providers already subject to oversight mechanisms frameworks established at Eurosystem level with the aim to supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union should consequently be exempted. Similarly, undertakings which are part of a financial group and which provide ICT services exclusively to financial entities within the same financial group should not be subject to the designation mechanism.
Amendment 216 #
Proposal for a regulation Recital 58 Amendment 217 #
Proposal for a regulation Recital 58 (58) The requirement
Amendment 218 #
Proposal for a regulation Recital 58 a (new) (58 a) Due to the significant impact that designation as critical may have on ICT third-party service providers, prior hearing rights should be established as an obligation imposed on the Lead Overseer to duly take into consideration any additional information provided by ICT third-party service providers in the course of the designation process.
Amendment 219 #
Proposal for a regulation Recital 60 (60) To leverage the current multi- layered institutional architecture in the financial services area, the Joint Committee of the ESAs should continue to ensure the overall cross-sectoral coordination in relation to all matters pertaining to ICT risk, in accordance with its tasks on cybersecurity,
Amendment 220 #
Proposal for a regulation Recital 61 (61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale,
Amendment 221 #
Proposal for a regulation Recital 61 (61) To ensure that ICT third-party service providers fulfilling a critical role to the functioning of the financial sector are commensurately overseen on a Union scale,
Amendment 222 #
Proposal for a regulation Recital 62 – introductory part (62) The Lead Overseer
Amendment 223 #
Proposal for a regulation Recital 62 – introductory part (62)
Amendment 224 #
Proposal for a regulation Recital 62 – point 1 Entrusting the E
Amendment 225 #
Proposal for a regulation Recital 63 (63) In addition, the Lead Overseer
Amendment 226 #
Proposal for a regulation Recital 63 a (new) (63 a) In order to avoid duplication and contradictions with the technical and organisational measures that may apply to critical ICT third-party service providers, Lead Overseers should take due account of the framework established by Directive (EU) 2016/1148 in the exercise of their powers according to the Oversight Framework in this Regulation. Before exercising such powers, the Lead Overseer should consult the relevant competent authorities that have jurisdiction under Directive (EU) 2016/1148 and the Oversight Forum.
Amendment 227 #
Proposal for a regulation Recital 66 (66) To leverage technical expertise of competent authorities’ experts on operational and ICT risk management,
Amendment 228 #
Proposal for a regulation Recital 66 a (new) (66 a) In order to include the full range of practical experience and operational expertise, the Joint Oversight Executive Body should include independent directors from each ESA, in charge of digital operational resilience for the financial sector.
Amendment 229 #
Proposal for a regulation Recital 66 b (new) Amendment 230 #
Proposal for a regulation Recital 66 c (new) (66 c) In order to ensure transparency and democratic control, as well as to safeguard the rights of the Union institutions, the independent directors should be accountable to the European Parliament and to the Council for any decisions taken on the basis of this Regulation.
Amendment 231 #
Proposal for a regulation Recital 66 d (new) (66 d) The independent directors should act independently and objectively in the interests of the Union. They should ensure that appropriate account is taken of the proper functioning of the internal market as well as financial stability in each Member State and in the Union.
Amendment 232 #
Proposal for a regulation Recital 67 (67) Competent authorities should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant national competent authorities,
Amendment 233 #
Proposal for a regulation Recital 67 (67) Competent authorities, including the Joint Oversight Body, should possess all necessary supervisory, investigative and sanctioning powers to ensure the application of this Regulation. Administrative penalties should, in principle, be published. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different sectoral competent authorities, close cooperation between the relevant competent authorities, including ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/201339 , and consultation with the ESAs should be ensured by the mutual exchange of information and provision of assistance in the context of supervisory activities. The Single Resolution Board and national resolution authorities should be involved in the mechanisms for the mutual exchange of information for entities referred to in Article 7 of Regulation (EU) No 806/2014. National resolution authorities should provide a summary of the reported incidents for entities under their remit to the Single Resolution Board on a quarterly basis. _________________ 39 Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
Amendment 234 #
Proposal for a regulation Recital 69 – point 1 Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation without hindering innovation and equal treatment of different types of technology. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk.
Amendment 235 #
Proposal for a regulation Recital 69 – point 1 Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk. When developing draft regulatory technical standards, the ESAs should take due consideration of their mandate in relation to proportionality aspects, and seek advice from their respective Advisory Committees on Proportionality, in particular in relation to the application of the DORA framework to SMEs and mid-caps.
Amendment 236 #
Proposal for a regulation Recital 69 a (new) (69 a) Guidelines issued by the ESAs on the application of those regulations and directives should be reviewed and revised as part of the consolidation process so that the legal basis for ICT risk requirements in Union law exclusively derive from this Regulation, its implementing acts and/or decisions and recommendations taken in accordance therewith, concerning entities within its scope.
Amendment 237 #
Proposal for a regulation Recital 71 (71) To facilitate the comparability of major ICT-related incident reports and to ensure transparency on contractual arrangements for the use of ICT services provided by ICT third-party service providers, the ESAs should be mandated to
Amendment 238 #
Proposal for a regulation Recital 73 a (new) (73 a) Although protection against cyberattacks is an important tool against financial instability, it is of note that the most significant systemic risks are not the result of external threats but instead originate within the financial system itself, due to its internal mechanisms and incentives structure. In that regard, this Regulation should be understood as a necessary, though not sufficient, condition for the promotion of financial stability;
Amendment 239 #
Proposal for a regulation Article 1 – paragraph 1 – point a – indent 2 a (new) - reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in points (a) to (c) of Article 2 (1);
Amendment 240 #
Proposal for a regulation Article 1 – paragraph 1 – point a – indent 5 — measures for
Amendment 241 #
Proposal for a regulation Article 1 – paragraph 1 a (new) 1 a. This Regulation provides for the development of regulatory technical standards by the ESAs in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk. When developing those regulatory technical standards, the ESAs shall fully take into account and incorporate previous guidelines and any other regulatory requirements issued before the entry into force of this Regulation, aiming to provide regulatory continuity and stability, wherever possible, and in accordance with this Regulation.
Amendment 242 #
Proposal for a regulation Article 1 – paragraph 2 a (new) 2 a. This Regulation is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security in compliance with Union law.
Amendment 243 #
Proposal for a regulation Article 1 – paragraph 2 a (new) 2 a. The requirements of this Regulation shall be applied in a way that is proportionate to the size and risk of the entities subject to this Regulation.
Amendment 244 #
Proposal for a regulation Article 2 – paragraph 1 – point a (a) credit institutions, unless they are small and non-complex institutions as defined in Article 4 (145) of Regulation (EU)2019/876 (CRR2),
Amendment 245 #
Proposal for a regulation Article 2 – paragraph 1 – point e (e) crypto-asset service providers, issuers and offerors of crypto-assets, issuers of asset-
Amendment 246 #
Proposal for a regulation Article 2 – paragraph 1 – point f (f) central securities depositories, and operators of securities settlement systems,
Amendment 247 #
Proposal for a regulation Article 2 – paragraph 1 – point f (f) central securities depositories and operators of securities settlement systems,
Amendment 248 #
Proposal for a regulation Article 2 – paragraph 1 – point k (k) management companies and self- managed UCITS investment companies within the meaning of Directive 2009/65/EC and managers of alternative investment funds as defined in Article 4(1)(b) of Directive 2011/61/EU,
Amendment 249 #
Proposal for a regulation Article 2 – paragraph 1 – point n Amendment 250 #
Proposal for a regulation Article 2 – paragraph 1 – point n Amendment 251 #
Proposal for a regulation Article 2 – paragraph 1 – point n Amendment 252 #
Proposal for a regulation Article 2 – paragraph 1 – point n (n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises and do not rely exclusively on organised automated sales systems,
Amendment 253 #
Proposal for a regulation Article 2 – paragraph 1 – point n (n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises and do not rely exclusively on organised automated sales systems,
Amendment 254 #
Proposal for a regulation Article 2 – paragraph 1 – point n (n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises,
Amendment 255 #
Proposal for a regulation Article 2 – paragraph 1 – point n (n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises,
Amendment 256 #
Proposal for a regulation Article 2 – paragraph 1 – point n (n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, with the exception of microenterprises,
Amendment 257 #
Proposal for a regulation Article 2 – paragraph 1 – point o (o) institutions for occupational retirement p
Amendment 258 #
Proposal for a regulation Article 2 – paragraph 1 – point o (o) institutions for occupational retirement pensions, unless they are micro, small or medium-sized enterprises,
Amendment 259 #
Proposal for a regulation Article 2 – paragraph 1 – point q Amendment 260 #
Proposal for a regulation Article 2 – paragraph 1 – point q Amendment 261 #
Proposal for a regulation Article 2 – paragraph 1 – point q Amendment 262 #
Proposal for a regulation Article 2 – paragraph 1 – point u a (new) (u a) ICT intra-group service providers, when providing ICT services related to critical or important functions, with the exception of Section II of Chapter V of this Regulation that is not applicable to such providers,
Amendment 263 #
Proposal for a regulation Article 2 – paragraph 1 – point b a (new) (b a) payment systems
Amendment 264 #
Proposal for a regulation Article 2 – paragraph 1 – point u a (new) (u a) operators of payment schemes and payment systems.
Amendment 265 #
Proposal for a regulation Article 2 – paragraph 1 – point u a (new) (u a) payment cards' networks,
Amendment 266 #
Proposal for a regulation Article 2 – paragraph 1 – point u a (new) (u a) central banks, including the ECB.
Amendment 267 #
Proposal for a regulation Article 2 – paragraph 1 – point u b (new) (u b) mutatis mutandis, the ESAs, the competent authorities, the Commission’s directorate general responsible for financial policies;
Amendment 268 #
Proposal for a regulation Article 2 – paragraph 1 a (new) 1 a. Chapter III of this Regulation applies to all payment service providers as defined in Directive (EU) 2015/2366.
Amendment 269 #
Proposal for a regulation Article 2 – paragraph 2 2. For the purposes of this Regulation, entities referred to in paragraph (a) to (t) and central banks, including the ECB, shall collectively be referred to as ‘financial entities’.
Amendment 270 #
Proposal for a regulation Article 2 – paragraph 2 a (new) 2 a. This Regulation shall be considered to be a sector-specific Union legal act in relation to the Directive on measures for a high common level of cybersecurity across the Union [insert the full title and OJ publication reference when known] (NIS 2) with regard to financial entities. The provisions of this Regulation relating to ICT risk management measures, management of ICT-related incidents and notably incident reporting, as well as on digital operational resilience testing, information sharing arrangements and ICT third- party risk shall apply instead of those set up under the NIS 2 directive. Member States shall therefore not apply the provisions of NIS 2 on cybersecurity risk management and reporting obligations, information sharing and supervision and enforcement to any financial entities covered by this Regulation. At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under the NIS 2 Directive. To that end, this Regulation allows all financial supervisors, the European Supervisory Authorities (ESAs) for the financial sector and the national competent authorities under this Regulation to participate in strategic policy discussions and the technical workings of the Cooperation Group, and to exchange information and cooperate with the single points of contact designated under the NIS 2 Directive and with the national CSIRTs. The competent authorities under this Regulation shall also transmit details of major ICT-related incidents to the single points of contact designated under the NIS 2 Directive. Moreover, Member States shall continue to include the financial sector in their cybersecurity strategies and national CSIRTs may cover the financial sector in their activities.
Amendment 271 #
Proposal for a regulation Article 2 – paragraph 2 a (new) 2 a. This Regulation shall not apply to: (a) statutory auditors and audit firms, which are micro, small and medium-sized enterprises as defined in Article 2 of the Annex to Recommendation 2003/361; (b) insurance and reinsurance undertakings excluded from the scope due to size in accordance with Article 4 of Directive 2009/138/EC; (c) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, which are microenterprises in accordance with Article 3 point (50).
Amendment 272 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its technological operational integrity
Amendment 273 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘
Amendment 274 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘ICT risk’ means any reasonably identifiable circumstance
Amendment 275 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems,
Amendment 276 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘
Amendment 277 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 (4) ‘ICT risk’ means any reasonably
Amendment 278 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 (5) ‘information asset’ means a collection of information, either tangible or intangible, that
Amendment 279 #
Proposal for a regulation Article 3 – paragraph 1 – point 5 a (new) (5 a) ‘incident’ means any event having the potential to disrupt, or that in fact disrupts, the operations of a financial entity;
Amendment 280 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘ICT-related incident’ means an
Amendment 281 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘ICT-related incident’ means an
Amendment 282 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘
Amendment 283 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘ICT-related incident’ means an unforeseen identified occurrence or a series of linked occurrences in the network and information systems
Amendment 284 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘ICT-related incident’ means an unforeseen identified
Amendment 285 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘ICT-related incident’ means an
Amendment 286 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 a (new) (6 a) ‘operational or security payment- related incident’, means an event or a series of linked occurrences unforeseen by financial entities referred to in points (a) to (c) of Article 2(1) which has or is likely to have an adverse impact on the integrity, availability, confidentiality, authenticity or continuity of payment- related services;
Amendment 287 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 (7) ‘major ICT-related incident’ means an ICT-related incident with a
Amendment 288 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 (7) ‘major ICT-related incident’ means an ICT-related incident w
Amendment 289 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 (7) ‘major ICT-related incident’ means an ICT-related incident with a
Amendment 290 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 (7) ‘major
Amendment 291 #
Proposal for a regulation Article 3 – paragraph 1 – point 7 a (new) (7 a) ‘major operational or security payment-related incident’ means an operational or security payment-related incident which meets the criteria set out in Article 16(2)(a);
Amendment 292 #
Proposal for a regulation Article 3 – paragraph 1 – point 8 a (new) (8 a) ‘significant cyber threat’ means a cyber threat whose characteristics clearly indicate that it is likely to result in a major ICT-related incident or a major operational or security payment-related incident;
Amendment 293 #
Proposal for a regulation Article 3 – paragraph 1 – point 12 (12) ‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system,
Amendment 294 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 (15) ‘ICT third-party service provider’ means an undertaking providing
Amendment 295 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 (15) ‘ICT third-party service provider’
Amendment 296 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 (15) ‘ICT third-party service provider’ means an undertaking providing
Amendment 297 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 (15) ‘ICT third-party service provider’ means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres, including an economic unit providing ICT services that forms part of an undertaking which provides a wider range of products or services, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services as defined referred to in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council43 ; _________________ 43Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)(OJ L 321, 17.12.2018, p. 36).
Amendment 298 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 a (new) (15 a) ‘Intra-group ICT service provider’ means an ICT service provider that is part of a group of institutions permanently affiliated to a central body as referred to in Article 10 or 113(6) of Regulation (EU) No 575/2013 or within the same institutional protection scheme as referred to in Article 113(7) of Regulation (EU) No 575/2013 or where credit institutions are associated in a network in accordance with legal or statutory provisions as referred to in Article 400(2)(d) of that Regulation;
Amendment 299 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 a (new) (15 a) 'ICT intra-group third-party service provider' means an undertaking that is part of a financial group and provides ICT services exclusively to financial entities within the same group, including to their parent undertakings, subsidiaries and branches or other entities that are under common ownership or control;
Amendment 300 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 a (new) (15 a) 'intra-group ICT third-party service provider' means an ICT third- party service provider that is in a consolidated situation with a financial entity, or that is within the same group as a financial entity, as defined in Regulation (EU) No 575/2013.
Amendment 301 #
Proposal for a regulation Article 3 – paragraph 1 – point 15 a (new) (15 a) ‘ICT intra-group service provider’ means an undertaking that provides ICT services exclusively to financial entities within the same group;
Amendment 302 #
Proposal for a regulation Article 3 – paragraph 1 – point 16 (16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external
Amendment 303 #
Proposal for a regulation Article 3 – paragraph 1 – point 16 (16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users
Amendment 304 #
Proposal for a regulation Article 3 – paragraph 1 – point 16 (16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support
Amendment 305 #
Proposal for a regulation Article 3 – paragraph 1 – point 17 (17) ‘critical or important function’ means a function
Amendment 306 #
Proposal for a regulation Article 3 – paragraph 1 – point 17 (17) ‘critical or important function’ means an ICT function whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation, or its financial performance or
Amendment 307 #
Proposal for a regulation Article 3 – paragraph 1 – point 18 (18) ‘critical ICT third-party service provider’ means an ICT third-party service provider designated in accordance with Article 29 and subject to the Oversight Framework referred to in Articles 30 to 37, unless the ICT third-party service provider is part of the same group or same institutional protection scheme;
Amendment 308 #
Proposal for a regulation Article 3 – paragraph 1 – point 18 (18) ‘critical ICT third-party service provider’ means an ICT third-party service provider designated in accordance with Article 2
Amendment 309 #
Proposal for a regulation Article 3 – paragraph 1 – point 19 (19) ‘ICT third-party service provider established in a third country’ means an ICT third-party service provider that is a legal person established in a third-country, has not set up
Amendment 310 #
Proposal for a regulation Article 3 – paragraph 1 – point 20 (20) ‘ICT sub-contractor established in a third country’ means an ICT sub-contractor that is a legal person established in a third- country, has not set up
Amendment 311 #
Proposal for a regulation Article 3 – paragraph 1 – point 21 (21) ‘ICT concentration risk’ means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the
Amendment 312 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 (23) ‘credit institution’ means a credit institution as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council46
Amendment 313 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 a (new) (23 a) ‘credit institution exempted by Directive 2013/36/EU’ means a credit institution benefiting from an exemption pursuant to points (4) to (23) of Article 2(5) of Directive2013/36/EU;
Amendment 314 #
Proposal for a regulation Article 3 – paragraph 1 – point 24 a (new) (24 a) ‘small and non-interconnected investment firm’ means an investment firm that meets the conditions laid out in Article 12 (1) of Regulation (EU) 2019/2033;
Amendment 315 #
Proposal for a regulation Article 3 – paragraph 1 – point 25 a (new) (25 a) 'payment system' means a payment system as defined in Article 4(7) of Directive (EU) 2015/2366, with the exception of payment systems subject to ECB Regulation (EU) 795/2014.
Amendment 316 #
Proposal for a regulation Article 3 – paragraph 1 – point 25 a (new) (25 a) ‘payment institution exempted by Directive (EU)2015/2366’ means a payment institution benefitting from an exemption pursuant to Article 32 (1) of Directive (EU) 2015/2366;
Amendment 317 #
Proposal for a regulation Article 3 – paragraph 1 – point 26 a (new) (26 a) ‘electronic money institution exempted by Directive 2009/110/EC’ means an electronic money institution benefitting from a waiver under Article 9 of Directive 2009/110/EC;
Amendment 318 #
Proposal for a regulation Article 3 – paragraph 1 – point 36 (36) ‘insurance intermediary’ means an insurance intermediary as defined in point (3) of paragraph 1 of Article 2 of Directive (EU) 2016/97
Amendment 319 #
Proposal for a regulation Article 3 – paragraph 1 – point 37 (37) ‘ancillary insurance intermediary’ means an ancillary insurance intermediary as defined in point (4) of Article 2 of Directive (EU) 2016/97, which is not a microenterprise as defined in this Article;
Amendment 320 #
Proposal for a regulation Article 3 – paragraph 1 – point 38 (38) ‘reinsurance intermediary’ means a reinsurance intermediary as defined in point (5) of paragraph 1 of Article 2 of Directive (EU) 2016/97, which is not a microenterprise as defined in point (50) of this Article;
Amendment 321 #
Proposal for a regulation Article 3 – paragraph 1 – point 41 Amendment 322 #
Proposal for a regulation Article 3 – paragraph 1 – point 42 Amendment 323 #
Proposal for a regulation Article 3 – paragraph 1 – point 44 a (new) (44 a) ‘offeror of crypto-assets’ means offeror of ‘crypto-assets’ as defined in point [(h) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
Amendment 324 #
Proposal for a regulation Article 3 – paragraph 1 – point 45 a (new) (45 a) ‘offeror of asset-referenced tokens’ means an offeror of asset- referenced payment tokens as defined in point [(i) of Article 3 (1]) of [OJ: insert reference to MICA Regulation];
Amendment 325 #
Proposal for a regulation Article 3 – paragraph 1 – point 46 a (new) (46 a) ‘offeror of significant asset- referenced tokens’ means an offeror of significant asset-referenced payment tokens as defined in point ([j) of Article 3 (1)] of [OJ: insert reference to MICA Regulation];
Amendment 326 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 (50)
Amendment 327 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 (50) ‘micro, small and medium-sized enterprise’ means a financial entity as defined in Article 2
Amendment 328 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 (50) ‘microenterprise’ means a financial entity as defined in Article 2(
Amendment 329 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 a (new) (50 a) 'small and medium sized enterprises' means companies below the thresholds set out in the definition of medium-sized undertakings in Article 3(3) of Directive 2013/34/EU;
Amendment 330 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 a (new) (50 a) ‘small enterprise’ means a financial entity as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC.
Amendment 331 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 a (new) (50 a) 'competent authorities' means national competent authorities in accordance with Article 41 or, for credit institutions considered to be significant, the ECB pursuant to Regulation (EU) No 1024/2013.
Amendment 332 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 a (new) (50 a) 'Lead Overseer' means the European Banking Authority.
Amendment 333 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 b (new) (50 b) 'service' means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services, and where: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present; (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; and (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
Amendment 334 #
Proposal for a regulation Article 3 – paragraph 1 – point 50 c (new) (50 c) 'function' means the identification, protection and prevention, detection, response and recovery, learning and evolution and communication in the use and management of ICT systems.
Amendment 335 #
Proposal for a regulation Article 3 a (new) Article 3 a Proportionality principle Financial entities other than those referred to in Article 14a shall implement the rules on ICT risk management foreseen in this Chapter in accordance with the principle of proportionality, by taking into account the size of their undertaking, the nature, scale and complexity of their services, activities and operations, and their overall risk profile.
Amendment 336 #
Proposal for a regulation Article 4 – paragraph 1 1. Financial entities shall have in place an effective internal governance and control framework
Amendment 337 #
Proposal for a regulation Article 4 – paragraph 1 1. Financial entities shall have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks. Those frameworks shall be proportionate to the financial entity's size, nature, scale, complexity and overall risk profile.
Amendment 338 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point a (a) bear the
Amendment 339 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point a a (new) Amendment 340 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point d (d) approve, oversee and periodically review the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan
Amendment 341 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point f (f) allocate and periodically review appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant training on ICT risks and skills for all
Amendment 342 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point i (i) be
Amendment 343 #
Proposal for a regulation Article 4 – paragraph 2 – subparagraph 1 – point i (i) be duly informed about major ICT- related incidents and their impact and about response, recovery and corrective measures.
Amendment 344 #
Proposal for a regulation Article 4 – paragraph 3 3. Financial entities other than
Amendment 345 #
Proposal for a regulation Article 4 – paragraph 3 3. Financial entities other than microenterprises shall establish a role to monitor the arrangements within the entity especially those concluded with ICT third- party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
Amendment 346 #
Proposal for a regulation Article 4 – paragraph 4 4. Members of the management body shall, on a regular basis, follow specific training to gain and keep up to date
Amendment 347 #
Proposal for a regulation Article 4 a (new) Article 4 a Proportionality principle Financial entities shall implement the rules on ICT risk management foreseen in this Chapter in accordance with the principle of proportionality, by taking into account the size of their undertaking, the nature, scale and complexity of their activities and their overall risk profile.
Amendment 348 #
Proposal for a regulation Article 5 – paragraph 1 1. Financial entities shall have a sound, comprehensive and well- documented ICT risk management framework, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size
Amendment 349 #
Proposal for a regulation Article 5 – paragraph 1 1. Financial entities shall have a sound, comprehensive and well- documented ICT risk management framework, which enables them to address and manage ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that
Amendment 350 #
Proposal for a regulation Article 5 – paragraph 3 3. Financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, protocols and tools as determined in the ICT risk management framework. They shall provide complete and updated information on their ICT risk
Amendment 351 #
Proposal for a regulation Article 5 – paragraph 4 4. As part of the ICT risk management framework referred to in paragraph 1, financial entities other than
Amendment 352 #
Proposal for a regulation Article 5 – paragraph 4 4. As part of the ICT risk management framework referred to in paragraph 1, financial entities other than microenterprises shall implement an information security management system based on recognized international standards and where already available in accordance with supervisory guidance as laid out in guidelines established for that purpose by the ESAs and shall regularly review it.
Amendment 353 #
Proposal for a regulation Article 5 – paragraph 5 5. Financial entities other than
Amendment 354 #
Proposal for a regulation Article 5 – paragraph 5 5. Financial entities other than microenterprises shall ensure appropriate
Amendment 355 #
Proposal for a regulation Article 5 – paragraph 5 5. Financial entities other than microenterprises shall assign the responsibility for managing and overseeing ICT-related risks to a control function and ensure the independence and objectivity of that control function to avoid conflicts of interest. They shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.
Amendment 356 #
Proposal for a regulation Article 5 – paragraph 5 5. Financial entities other than microenterprises shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model, in coherence and conformity with the guidelines established prior to the entry into force of this Regulation and subsequently further developed and, where applicable, amended, by their respective ESAs in accordance with this Regulation.
Amendment 357 #
Proposal for a regulation Article 5 – paragraph 7 Amendment 358 #
Proposal for a regulation Article 5 – paragraph 7 7.
Amendment 359 #
Proposal for a regulation Article 5 – paragraph 9 – introductory part 9. The ICT risk management framework referred to in paragraph 1 shall include a
Amendment 360 #
Proposal for a regulation Article 5 – paragraph 9 – point b (b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact
Amendment 361 #
Proposal for a regulation Article 5 – paragraph 9 – point d (d) explaining the ICT
Amendment 362 #
Proposal for a regulation Article 5 – paragraph 9 – point d (d) explaining the ICT
Amendment 363 #
Proposal for a regulation Article 5 – paragraph 9 – point g Amendment 364 #
Proposal for a regulation Article 5 – paragraph 9 – point g Amendment 365 #
Proposal for a regulation Article 5 – paragraph 9 – point g (g) assessing the need for a multi- vendor strategy and, if applicable, and depending on the risk profile of the financial institution, defining a holistic ICT multi-
Amendment 366 #
Proposal for a regulation Article 5 – paragraph 9 – point g (g)
Amendment 367 #
Proposal for a regulation Article 5 – paragraph 9 – point h (h) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
Amendment 368 #
Proposal for a regulation Article 5 – paragraph 9 – point i (i) outlining a communication strategy in case of ICT-related incidents for the purpose of the requirements set out in Article 13.
Amendment 369 #
Proposal for a regulation Article 5 – paragraph 9 – point i a (new) (i a) reflecting on other available technology tools and solutions that could enhance the continuity and resilience of the financial entity's critical operations.
Amendment 370 #
Proposal for a regulation Article 5 – paragraph 10 10. Upon notification to, and approval of, competent authorities, financial entities may
Amendment 371 #
Proposal for a regulation Article 5 – paragraph 10 10. Upon approval of competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings. Where such outsourcing occurs, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.
Amendment 372 #
Proposal for a regulation Article 5 – paragraph 10 10. Upon approval of competent authorities, financial entities may delegate the tasks of verifying compliance with the ICT risk management requirements to
Amendment 373 #
Proposal for a regulation Article 5 – paragraph 10 10. Upon
Amendment 374 #
Proposal for a regulation Article 5 – paragraph 10 a (new) 10 a. Any processing of personal data that takes place by financial entities and ICT service providers operating on their behalf under Chapters II and III of this Regulation shall be necessary for compliance with a legal obligation in accordance with Article 6(1)(c) of Regulation (EU)2016/679.
Amendment 375 #
Proposal for a regulation Article 6 – paragraph 1 – introductory part 1.
Amendment 376 #
Proposal for a regulation Article 6 – paragraph 1 – point a (a) the systems and tools are appropriate to the nature, variety, complexity, risk profile and magnitude of operations supporting the conduct of their activities;
Amendment 377 #
Proposal for a regulation Article 7 – paragraph 1 1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all ICT-related business functions that could pose ICT risks, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems.
Amendment 378 #
Proposal for a regulation Article 7 – paragraph 1 1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all
Amendment 379 #
Proposal for a regulation Article 7 – paragraph 1 1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all critical ICT- related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections
Amendment 380 #
Proposal for a regulation Article 7 – paragraph 2 2. Financial entities shall on a
Amendment 381 #
Proposal for a regulation Article 7 – paragraph 2 2. Financial entities shall on a continuous basis identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their
Amendment 382 #
Proposal for a regulation Article 7 – paragraph 2 2. Financial entities shall on a
Amendment 383 #
Proposal for a regulation Article 7 – paragraph 3 3. Financial entities other than
Amendment 384 #
Proposal for a regulation Article 7 – paragraph 3 3. Financial entities other than microenterprises shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their functions, supporting processes or information assets. Subject to supervisory assessment, it shall be for the financial entity in each case to determine whether a major change for the purposes of this paragraph has occurred.
Amendment 385 #
Proposal for a regulation Article 7 – paragraph 4 4. Financial entities shall identify all ICT systems accounts, including those on remote sites, the network resources and hardware equipment, and shall map physical equipment considered critical. They shall map the configuration of the
Amendment 386 #
Proposal for a regulation Article 7 – paragraph 5 5. Financial entities shall identify and document all critical processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that support critical or important functions.
Amendment 387 #
Proposal for a regulation Article 7 – paragraph 7 7. Financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment
Amendment 388 #
Proposal for a regulation Article 7 – paragraph 7 7. Financial entities other than
Amendment 389 #
Proposal for a regulation Article 7 – paragraph 7 7. Following a risk-based approach, financial entities other than microenterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on
Amendment 390 #
Proposal for a regulation Article 8 – paragraph 2 2. Financial entities shall design, procure and implement ICT security
Amendment 391 #
Proposal for a regulation Article 8 – paragraph 3 – introductory part 3. To achieve the objectives referred to in paragraph 2, financial entities shall use
Amendment 392 #
Proposal for a regulation Article 8 – paragraph 3 – introductory part 3. To achieve the objectives referred to in paragraph 2, financial entities shall use
Amendment 393 #
3. To achieve the objectives referred to in paragraph 2, financial entities shall use
Amendment 394 #
Proposal for a regulation Article 8 – paragraph 3 – introductory part 3. To achieve the objectives referred to in paragraph 2, financial entities shall use state-of-the-art ICT technology and processes that are proportionate to the risks identified and the size and client base of the relevant financial entity, which:
Amendment 395 #
Proposal for a regulation Article 8 – paragraph 3 – point a (a)
Amendment 396 #
Proposal for a regulation Article 8 – paragraph 3 – point a (a)
Amendment 397 #
Proposal for a regulation Article 8 – paragraph 3 – point a (a)
Amendment 398 #
Proposal for a regulation Article 8 – paragraph 3 – point c (c) prevent
Amendment 399 #
Proposal for a regulation Article 8 – paragraph 4 – introductory part 4.
Amendment 400 #
Proposal for a regulation Article 8 – paragraph 4 – point a (a) develop and document an information security policy defining rules to protect the confidentiality, integrity and availability of their
Amendment 401 #
Proposal for a regulation Article 8 – paragraph 4 – point b (b) following a risk-based approach, establish a sound network and infrastructure management
Amendment 402 #
Proposal for a regulation Article 8 – paragraph 4 – point b (b)
Amendment 403 #
Proposal for a regulation Article 8 – paragraph 4 – point c (c) implement policies, procedures and controls that limit the physical and virtual access to ICT system resources and data to what is required only for legitimate and approved functions and activities
Amendment 404 #
Proposal for a regulation Article 8 – paragraph 4 – point d (d) implement policies and protocols for strong authentication mechanisms, and protection of cryptographic keys, based on relevant standards and dedicated controls system
Amendment 405 #
Proposal for a regulation Article 8 – paragraph 4 – subparagraph 1 For the purposes of point (b), financial entities shall design the network connection infrastructure in a way that allows it to be
Amendment 406 #
Proposal for a regulation Article 8 – paragraph 4 – subparagraph 1 For the purposes of point (b), financial entities shall design the network connection infrastructure in a way that allows it to be
Amendment 407 #
Proposal for a regulation Article 9 – paragraph 1 – introductory part 1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and to identify a
Amendment 408 #
Proposal for a regulation Article 9 – paragraph 1 – introductory part 1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 15, including ICT network performance issues and ICT-related incidents, and if technologically available, to identify all potential
Amendment 409 #
Proposal for a regulation Article 9 – paragraph 2 2. The detection mechanisms referred to in paragraph 1 shall
Amendment 410 #
Proposal for a regulation Article 9 – paragraph 3 3. Financial entities shall devote sufficient resources and capabilities,
Amendment 411 #
Proposal for a regulation Article 9 – paragraph 3 3. Financial entities shall devote sufficient resources and capabilities, with due consideration to their size, complexity, business and overall risk profiles, to monitor user activity, occurrence of ICT anomalies and ICT-
Amendment 412 #
Proposal for a regulation Article 10 – paragraph 1 1.
Amendment 413 #
Proposal for a regulation Article 10 – paragraph 2 – introductory part 2.
Amendment 414 #
Proposal for a regulation Article 10 – paragraph 2 – point a Amendment 415 #
Proposal for a regulation Article 10 – paragraph 2 – point b Amendment 416 #
Proposal for a regulation Article 10 – paragraph 2 – point c Amendment 417 #
Proposal for a regulation Article 10 – paragraph 2 – point d Amendment 418 #
Proposal for a regulation Article 10 – paragraph 2 – point e Amendment 419 #
Proposal for a regulation Article 10 – paragraph 2 – point f Amendment 420 #
Proposal for a regulation Article 10 – paragraph 3 Amendment 421 #
Proposal for a regulation Article 10 – paragraph 3 3. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall implement an associated ICT Disaster Recovery Plan, which, in the case of financial entities other than
Amendment 422 #
Proposal for a regulation Article 10 – paragraph 4 4. Financial entities shall put in place, maintain and periodically test appropriate ICT
Amendment 423 #
Proposal for a regulation Article 10 – paragraph 4 4. Financial entities shall put in place, maintain and periodically test appropriate
Amendment 424 #
Proposal for a regulation Article 10 – paragraph 5 – point a (a) test the ICT Business Continuity Policy and the ICT Disaster Recovery Plan at least every three year
Amendment 425 #
Proposal for a regulation Article 10 – paragraph 5 – point a (a) test the
Amendment 426 #
Proposal for a regulation Article 10 – paragraph 5 – point a (a) test the ICT
Amendment 427 #
Proposal for a regulation Article 10 – paragraph 5 – subparagraph 1 For the purposes of point (a), financial entities other than
Amendment 428 #
Proposal for a regulation Article 10 – paragraph 6 6. Financial entities other than
Amendment 429 #
Proposal for a regulation Article 10 – paragraph 6 6. Financial entities other than microenterprises shall have a crisis management function, which may be nested under functions responsible for incident response and management or be a dedicated function and which, in case of activation of their ICT Business Continuity Policy or ICT Disaster Recovery Plan, shall set out clear procedures to manage internal and external crisis communications in accordance with Article 13.
Amendment 430 #
Proposal for a regulation Article 10 – paragraph 7 7. Financial entities shall keep records of relevant activities
Amendment 431 #
Proposal for a regulation Article 10 – paragraph 9 Amendment 432 #
Proposal for a regulation Article 10 – paragraph 9 9. Financial entities other than
Amendment 433 #
Proposal for a regulation Article 10 – paragraph 9 9. Financial entities other than microenterprises shall report to competent authorities a
Amendment 434 #
Proposal for a regulation Article 10 – paragraph 9 9. Financial entities other than microenterprises shall report to competent authorities all estimated financial costs and losses caused by ICT disruptions and ICT-related incidents.
Amendment 435 #
Proposal for a regulation Article 11 – paragraph 1 – introductory part 1. For the purpose of ensuring the restoration of ICT systems with minimum downtime and limited disruption, as part of their
Amendment 436 #
Proposal for a regulation Article 11 – paragraph 2 2.
Amendment 437 #
Proposal for a regulation Article 11 – paragraph 2 2.
Amendment 438 #
Proposal for a regulation Article 11 – paragraph 4 4. Financial entities shall maintain redundant ICT capacities equipped with resources capabilities and functionalities that are sufficient and adequate to ensure
Amendment 439 #
Proposal for a regulation Article 11 – paragraph 4 4. Financial entities
Amendment 440 #
Proposal for a regulation Article 11 – paragraph 5 – introductory part 5. Financial entities referred to in point (f) of Article 2(1) shall maintain
Amendment 441 #
Proposal for a regulation Article 11 – paragraph 5 – introductory part 5. Financial entities referred to in point (f) of Article 2(1) shall maintain
Amendment 442 #
Proposal for a regulation Article 11 – paragraph 5 – subparagraph 1 – point a (a) located
Amendment 443 #
Proposal for a regulation Article 11 – paragraph 5 – subparagraph 1 – point a (a) located
Amendment 444 #
Proposal for a regulation Article 11 – paragraph 6 6. In determining the recovery time and point objectives for each function, financial entities shall take into account the potential overall impact on
Amendment 445 #
Proposal for a regulation Article 11 – paragraph 6 6. In determining the recovery time and point objectives for each function, financial entities shall take into account the
Amendment 446 #
Proposal for a regulation Article 11 – paragraph 7 7. When recovering from an ICT- related incident,
Amendment 447 #
Proposal for a regulation Article 12 – paragraph 1 1. Financial entities shall have in place capabilities and staff,
Amendment 448 #
Proposal for a regulation Article 12 – paragraph 1 1. Financial entities shall have in place capabilities and staff, suited to their size, complexity, business and overall risk profiles, to gather information on vulnerabilities and cyber threats, ICT- related incidents, in particular cyber- attacks, and analyse their likely impacts on their digital operational resilience.
Amendment 449 #
Proposal for a regulation Article 12 – paragraph 2 – introductory part 2. Financial entities shall put in place post major ICT-related incident reviews after significant ICT disruptions of their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the
Amendment 450 #
Amendment 451 #
Proposal for a regulation Article 12 – paragraph 2 – subparagraph 1 When implementing changes to their ICT operations, financial entities other than microenterprises shall communicate
Amendment 452 #
Proposal for a regulation Article 12 – paragraph 2 – subparagraph 1 When implementing changes related to addressing ICT-risk, financial entities other than microenterprises shall communicate those changes to the competent authorities.
Amendment 453 #
Proposal for a regulation Article 12 – paragraph 2 – subparagraph 2 – introductory part The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective,
Amendment 454 #
Proposal for a regulation Article 12 – paragraph 6 – introductory part 6. Financial entities shall develop ICT security awareness programs and digital operational resilience trainings as compulsory modules in their staff training schemes. These shall be applicable to all employees operating critical ICT systems and to senior management staff.
Amendment 455 #
Proposal for a regulation Article 12 – paragraph 6 – subparagraph 1 Financial entities, other than microenterprises, shall monitor relevant
Amendment 456 #
Proposal for a regulation Article 13 – paragraph 1 1. As part of the ICT risk management framework referred to in
Amendment 457 #
Proposal for a regulation Article 13 – paragraph 1 1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT- related incidents
Amendment 458 #
Proposal for a regulation Article 13 – paragraph 1 1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall have in place communication plans enabling a responsible disclosure of major ICT- related incidents or major vulnerabilities to clients and counterparts as well as to the public, as appropriate.
Amendment 459 #
Proposal for a regulation Article 13 – paragraph 3 3. At least one person in the entity shall be tasked with implementing the communication strategy for major ICT- related incidents and fulfil the role of public and media spokesperson for that purpose.
Amendment 460 #
Proposal for a regulation Article 14 – paragraph 1 – point a (a) specify
Amendment 461 #
Proposal for a regulation Article 14 – paragraph 1 – point b Amendment 462 #
Proposal for a regulation Article 14 – paragraph 1 – point b a (new) (b a) incorporate security controls into systems from inception (security by design)
Amendment 463 #
Proposal for a regulation Article 14 – paragraph 1 – point c Amendment 464 #
Proposal for a regulation Article 14 – paragraph 1 a (new) When developing those draft regulatory technical standards, the ESAs shall take into account the size, nature, scale, complexity and overall risk profile of the financial entities.
Amendment 465 #
Proposal for a regulation Article 14 a (new) Article 14 a Proportionate ICT risk management framework 1. Articles 4 to 14 of this Regulation shall not apply to small and non-interconnected investment firms or payment institutions exempted by Directive (EU) 2015/2366, to credit institutions exempted by Directive 2013/36/EU, to electronic money institutions exempted by Directive 2009/110/EC or to small institutions for occupational retirement pensions. 2. Small and non-interconnected investment firms, payment institutions exempted by Directive (EU) 2015/2366, credit institutions exempted by Directive 2013/36/EU, electronic money institutions exempted by Directive 2009/110/EC and small institutions for occupational retirement pensions shall implement an ICT risk management framework in accordance with the principle of proportionality, by taking into account the size of their undertaking, the nature, scale, complexity of their services, activities and operations and their overall risk profile and shall: (a) put in place and maintain a sound and documented ICT risk management framework which details the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures. (b) continuously monitor the security and functioning of all ICT systems; (c) minimise the impact of ICT risks through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate for supporting the performance of their activities and the provision of services; (d) adequately protect confidentiality, integrity and availability of data network and information systems; (e) allow sources of risk and anomalies in the network and information systems to be promptly identified and detected and ICT incidents to be swiftly handled.
Amendment 466 #
Proposal for a regulation Article 15 – paragraph 2 2. Financial entities shall establish appropriate processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to make sure that root causes are identified and
Amendment 467 #
Proposal for a regulation Article 15 – paragraph 2 2.
Amendment 468 #
Proposal for a regulation Article 15 – paragraph 3 – point d (d) ensure that at least major ICT- related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;
Amendment 469 #
Proposal for a regulation Article 15 – paragraph 3 – point d (d) ensure that major ICT-related incidents are reported to relevant senior management and inform the management body on major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of major ICT-related incidents;
Amendment 470 #
Proposal for a regulation Article 15 – paragraph 3 a (new) 3 a. The requirements laid down in the paragraphs 1, 2 and 3 shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 471 #
Proposal for a regulation Article 15 a (new) Article 15 a Operational or security payment-related incidents concerning financial entities referred to in points (a), (b) and (c) of Article 2(1) The requirements laid down in Chapter III of this Regulation shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 472 #
Proposal for a regulation Article 16 – paragraph 1 – point a (a) the number of users or financial counterparts affected by the disruption caused by the ICT-related incident
Amendment 473 #
Proposal for a regulation Article 16 – paragraph 1 – point c (c) the geographical spread in the Union with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
Amendment 474 #
Proposal for a regulation Article 16 – paragraph 1 a (new) 1 a. The classification requirements laid down in paragraph 1 shall apply to operational or security payment-related incidents and major operational or security payment-related incidents in cases where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 475 #
Proposal for a regulation Article 16 – paragraph 1 b (new) 1 b. 1b. Financial entities shall classify significant cyber threats based on the following criteria: (a) the number or relevance of clients or financial counterparts targeted and, where applicable, the amount or number of transactions targeted by the significant cyber threat; (b) the duration or the frequency of the significant cyber threat; (c) the geographical spread with regard to the areas targeted by the significant cyber threat, particularly if it affects more than two Member States; (d) the criticality of the services targeted, including the financial entity’s transactions and operations;
Amendment 476 #
Proposal for a regulation Article 16 – paragraph 2 – introductory part 2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultation with the European Central Bank (ECB)
Amendment 477 #
Proposal for a regulation Article 16 – paragraph 2 – introductory part 2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and
Amendment 478 #
Proposal for a regulation Article 16 – paragraph 2 – point a (a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents which are subject to the reporting obligation laid down in Article 17(1);
Amendment 479 #
Proposal for a regulation Article 16 – paragraph 2 – point b (b) the criteria to be applied by
Amendment 480 #
Proposal for a regulation Article 16 – paragraph 2 – point b (b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT- related incidents to other Member States’ jurisdictions, and the details of major ICT- related incidents reports to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
Amendment 481 #
Proposal for a regulation Article 16 – paragraph 2 – point b (b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT- related incidents to other Member States’ jurisdictions, and the details of major ICT- related
Amendment 482 #
Proposal for a regulation Article 16 – paragraph 2 – point b a (new) (b a) the criteria set out in paragraph 1b, including high materiality thresholds for determining significant cyber threats which are subject to the reporting obligation laid down in Article 17 (1a);
Amendment 483 #
Proposal for a regulation Article 16 – paragraph 3 – introductory part 3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account
Amendment 484 #
Proposal for a regulation Article 16 – paragraph 3 – introductory part 3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account international standards, as well as specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. The ESAs shall also take into consideration the nature, size and complexity of the financial entities concerned.
Amendment 485 #
Proposal for a regulation Article 16 – paragraph 3 – subparagraph 1 The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date
Amendment 486 #
Proposal for a regulation Article 16 – paragraph 3 – subparagraph 1 The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 1
Amendment 487 #
Proposal for a regulation Article 17 – title 17 Reporting of major ICT-related incidents and significant cyber threats
Amendment 488 #
Proposal for a regulation Article 17 – paragraph 1 – introductory part 1. Financial entities shall report major
Amendment 489 #
Proposal for a regulation Article 17 – paragraph 1 – introductory part 1. Financial entities shall report major ICT-related incidents to the
Amendment 490 #
Proposal for a regulation Article 17 – paragraph 1 – subparagraph 1 For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, an incident report using the template referred to in Article 18 and submit it to the
Amendment 491 #
Proposal for a regulation Article 17 – paragraph 1 – subparagraph 1 For the purpose of the first subparagraph, financial entities shall produce, after
Amendment 492 #
Proposal for a regulation Article 17 – paragraph 1 a (new) 1 a. Financial entities shall notify significant cyber threats without undue delay to the relevant competent authority as referred to in Article 41.
Amendment 493 #
Proposal for a regulation Article 17 – paragraph 2 2. Where a major ICT-related incident has or may have a
Amendment 494 #
Proposal for a regulation Article 17 – paragraph 2 2. Where a major ICT-related incident occurs and has
Amendment 495 #
Proposal for a regulation Article 17 – paragraph 2 2. Where a major ICT-related incident has
Amendment 496 #
2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident. Where no harm to service users and clients materialises due to the countermeasures takes by the financial entity, the requirement to inform service users and clients shall not apply.
Amendment 497 #
Proposal for a regulation Article 17 – paragraph 2 2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident. Where such incident materialises, the financial entities shall release a public statement, in addition to individually informing their service users and clients.
Amendment 498 #
Proposal for a regulation Article 17 – paragraph 2 a (new) 2 a. Where a significant cyber threat could adversely impact the financial interests of clients, financial entities shall inform their clients, without undue delay, of the significant cyber threat and of the measures which the financial entity intends to take to mitigate the adverse effects of such threat. Where appropriate, the financial entity shall also advise its clients on the measures they can take to mitigate the adverse effects of the threat.
Amendment 499 #
Proposal for a regulation Article 17 – paragraph 2 a (new) 2 a. Where the risk of a major ICT- related incident emerges but does not materialise due to the counter measures adopted, financial entities may release a public statement instead of individually informing their service users and clients.
Amendment 500 #
Proposal for a regulation Article 17 – paragraph 2 b (new) 2 b. Where a major operational incident causes financial losses to their service users and clients, financial entities shall be liable for the compensation of the proven losses incurred by those service users and clients.
Amendment 501 #
Proposal for a regulation Article 17 – paragraph 3 – introductory part 3. Financial entities shall submit to the
Amendment 502 #
Proposal for a regulation Article 17 – paragraph 3 – introductory part 3. Financial entities shall submit to the
Amendment 503 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without delay, but no later than
Amendment 504 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without undue delay, but no later than the end
Amendment 505 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without delay
Amendment 506 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a)
Amendment 507 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without delay, but no later than
Amendment 508 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without delay,
Amendment 509 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) an initial notification, without undue delay, but no later than the end of the business day after the ICT-related incident is classified as major by the financial entity, or, in case of a major ICT- related incident that took place later than 2 hours before the end of the business day, not later than 4 hours from the beginning of the next business day after the ICT- related incident is classified as major by the financial entity, or, where reporting channels are not available, as soon as they become available;
Amendment 510 #
Proposal for a regulation Article 17 – paragraph 3 – point b (b) an in
Amendment 511 #
Proposal for a regulation Article 17 – paragraph 3 – point b (b) an intermediate report,
Amendment 512 #
Proposal for a regulation Article 17 – paragraph 3 – point c (c) a final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates, but not later than one month from the
Amendment 513 #
Proposal for a regulation Article 17 – paragraph 3 – point c (c) a final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the
Amendment 514 #
Proposal for a regulation Article 17 – paragraph 3 – subparagraph 1 (new) The relevant competent authority as referred to in Article 41 shall provide that, in duly justified cases, a financial entity is permitted to deviate from the deadlines set out in points (a), (b) and (c) of this paragraph.
Amendment 515 #
Proposal for a regulation Article 17 – paragraph 3 a (new) 3 a. Due consideration shall be given to the ability of financial entities to provide accurate and meaningful information in relation to major ICT- related incidents within the timeframes set out in points (a) and (b) of paragraph 3.
Amendment 516 #
Proposal for a regulation Article 17 – paragraph 4 Amendment 517 #
Proposal for a regulation Article 17 – paragraph 4 4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider after agreeing a contractual provision with the ICT third-party service provider concerned, upon approval of the delegation by the relevant competent authority referred to in Article 41.
Amendment 518 #
Proposal for a regulation Article 17 – paragraph 4 4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant
Amendment 519 #
Proposal for a regulation Article 17 – paragraph 4 4. Financial entities may only delegate the reporting obligations under this Article to a third-party service provider upon approval of the delegation by the relevant competent authority referred to in Article 41. In cases of such delegation, the financial entity shall remain fully accountable for the fulfilment of the incident reporting requirements.
Amendment 520 #
Proposal for a regulation Article 17 – paragraph 5 Amendment 521 #
Proposal for a regulation Article 17 – paragraph 5 Amendment 522 #
Proposal for a regulation Article 17 – paragraph 5 – introductory part 5. Upon receipt of the report referred to in paragraph 1, the competent authority
Amendment 523 #
Proposal for a regulation Article 17 – paragraph 5 – introductory part 5. Upon receipt of the report referred to in paragraph 1 or the notification referred to in paragraph 1a, the competent authority shall, without undue delay, provide details of the
Amendment 524 #
Proposal for a regulation Article 17 – paragraph 5 – point c a (new) (c a) the Single Resolution Board for entities referred to in Article 7(2) of Regulation EU 806/2014, and national resolution authorities in relation to entitites referred to in Article 7(3) of Regulation EU 806/2014. National resolution authorities should provide to the SRB, on a six monthly basis, a summary of the report received under this Article.
Amendment 525 #
Proposal for a regulation Article 17 – paragraph 6 6. EBA, ESMA or EIOPA and the ECB, in cooperation with ENISA, shall assess the relevance of the major ICT- related incident to other relevant public authorities and notify them accordingly as soon as possible. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.
Amendment 526 #
Proposal for a regulation Article 18 – paragraph 1 – introductory part 1. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB and national supervisory authorities, shall develop:
Amendment 527 #
Proposal for a regulation Article 18 – paragraph 1 – introductory part 1. The ESAs, through the Joint Committee and ENISA after consultation with
Amendment 528 #
Proposal for a regulation Article 18 – paragraph 1 – point a – point 1 a (new) (1 a) establish the content of the notification for significant cyber threats;
Amendment 529 #
Proposal for a regulation Article 18 – paragraph 1 – point b (b) common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT- related incident and notify a significant cyber threat.
Amendment 530 #
Proposal for a regulation Article 18 – paragraph 1 – subparagraph 1 The ESAs shall submit the common draft regulatory technical standards referred to in point (a) of paragraph 1 and the common draft implementing technical standards referred to in point (b) of the paragraph 1 to the Commission by xx 202x [PO: insert date
Amendment 531 #
Proposal for a regulation Article 19 – paragraph 1 1.
Amendment 532 #
Proposal for a regulation Article 19 – paragraph 1 1. The ESAs
Amendment 533 #
Proposal for a regulation Article 19 – paragraph 1 1. The ESAs, through the Joint Committee and in co
Amendment 534 #
Proposal for a regulation Article 19 – paragraph 1 1. The ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting that would replace all pre-existing reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
Amendment 535 #
Proposal for a regulation Article 19 – paragraph 1 1. The ESAs, through the Joint Committee and in consultation with ECB
Amendment 536 #
Proposal for a regulation Article 19 – paragraph 2 Amendment 537 #
Proposal for a regulation Article 19 – paragraph 2 Amendment 538 #
Proposal for a regulation Article 19 – paragraph 2 – introductory part 2. The
Amendment 539 #
Proposal for a regulation Article 19 – paragraph 2 – point b a (new) (b a) capability to establish the interoperability and assess its added value with regard to other relevant reporting schemes, such as in Directive (EU) 2016/1148.
Amendment 540 #
Proposal for a regulation Article 19 – paragraph 2 a (new) 2 a. The EU Hub shall collect and maintain incident data and shall ensure that the entities referred to in paragraph 3 have direct and immediate access to the relevant information.
Amendment 541 #
Proposal for a regulation Article 19 – paragraph 3 3. The E
Amendment 542 #
Proposal for a regulation Article 19 – paragraph 3 3. The E
Amendment 543 #
Proposal for a regulation Article 19 – paragraph 3 a (new) 3 a. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop common draft regulatory technical standards specifying the following: (a) modalities and operational standards for the collection and aggregation of incident reporting information and for the entities referred to in paragraph 3 to access that information; (b) the terms and conditions, the arrangements and the required documentation under which access to the EU Hub is granted to the entities referred to in paragraph 3; (c) the conditions for membership of financial entities.
Amendment 544 #
3 a. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop common draft regulatory technical standards specifying the following: (a) modalities and operational standards for the entities referred to in paragraph 3 to access the EU Hub; (b) the terms and conditions, the arrangements and the required documentation under which access to the EU Hub is granted to the entities referred to in paragraph 3; (c) the conditions for membership of financial entities.
Amendment 545 #
Proposal for a regulation Article 20 – paragraph 1 1. Upon receipt of a report as referred to in Article 17(1) and (1a), the competent authority shall acknowledge receipt of notification and shall as quickly as possible provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise adverse impact across sectors and also provide appropriately anonymised feedback, insight and intelligence to all relevant financial entities where it could be beneficial, based on any major incident reports they receive.
Amendment 546 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. The ESAs shall, through the Joint Committee, report
Amendment 547 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. The ESAs shall, through the Joint Committee, report yearly on an anonymised and aggregated basis on the major ICT-related incident notifications received from competent authorities, setting out at least the number of ICT- related major incidents, their nature, impact on the operations of financial entities or customers, estimated costs and remedial actions taken.
Amendment 548 #
Proposal for a regulation Article 21 – paragraph 1 1. For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities, other than microenterprises, shall establish, maintain and review,
Amendment 549 #
Proposal for a regulation Article 21 – paragraph 1 1. For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities, that are not small and medium-sized enterprises, shall establish, maintain and review, with due consideration to their
Amendment 550 #
Proposal for a regulation Article 21 – paragraph 2 2. The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with the provisions of Articles 22 and 23. Where Union legislation requires financial entities to carry out any digital operational or resilience testing and monitoring, the financial entities may pool such programmes and activities, provided they meet the requirements of any applicable legislation.
Amendment 551 #
Proposal for a regulation Article 21 – paragraph 3 3. Financial entities shall follow a risk-based approach when conducting the digital operational resilience testing programme
Amendment 552 #
Proposal for a regulation Article 21 – paragraph 4 4. Financial entities shall ensure that tests, including threat led penetration testing, are undertaken by independent parties, whether internal or external. In the case of an internal tester, an adequate analysis and identification of the proper resources to be allocated in the design and execution phases of the tests shall be performed, in order to avoid any conflicts of interest and other potential managerial issues.
Amendment 553 #
Proposal for a regulation Article 21 – paragraph 5 5. Financial entities shall establish procedures and policies to prioritise, classify and
Amendment 554 #
Proposal for a regulation Article 21 – paragraph 6 6. F
Amendment 555 #
Proposal for a regulation Article 22 – paragraph 1 1. The digital operational resilience testing programme referred to in Article 21 shall provide for the execution of a full range of appropriate tests,
Amendment 556 #
1. The digital operational resilience testing programme referred to in Article 21 shall provide for the execution of a full range of appropriate tests, according to a risk-based approach, which may includ
Amendment 557 #
Proposal for a regulation Article 23 – paragraph 2 – introductory part 2. Threat led penetration testing shall cover at least the critical or important functions and services of a financial entity, and shall be performed on live production systems supporting such functions. The precise scope of threat led penetration testing, based on the assessment of critical functions and services, shall be determined by financial entities and shall be validated by the competent authorities. Numerous tests may be required to cover all of the critical functions and services of financial entities.
Amendment 558 #
Proposal for a regulation Article 23 – paragraph 2 – introductory part 2. Threat led penetration testing shall cover
Amendment 559 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 2 Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Where the involvement of an ICT third- party service provider in the threat led penetration testing could have an impact on the quality, confidentiality or security of the provision of the ICT third-party service provider's services to other customers that do not fall within the scope of this Regulation or on the overall integrity of the ICT third-party service provider's operations, the financial entity and the ICT third-party service provider may contractually agree that the ICT third party service provider is permitted to directly enter into contractual arrangements with an external tester to conduct pooled testing for its financial entity customers.
Amendment 560 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 2 Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Participation means that ICT third-party service providers shall conduct separate TLPT or join with the financial entity in the financial entity's TLPT. Those ICT third-party service providers shall not be required to communicate information or provide any details in relation to items which are not relevant to the risk management controls of the relevant critical or important services of the relevant financial entities.
Amendment 561 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 2 Where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers. Such testing shall not adversely impact other users of the ICT third-party service providers.
Amendment 562 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 2 Where critical ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers
Amendment 563 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 3 Financial entities shall apply effective risk management controls to
Amendment 564 #
At the end of the test,
Amendment 565 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 4 At the end of the test, after reports and remediation plans have been agreed, the financial entity
Amendment 566 #
Proposal for a regulation Article 23 – paragraph 2 – subparagraph 4 a (new) Competent authorities shall issue an attestation confirming, based on the documentation referred to in the fifth subparagraph, that the test was performed in accordance with the requirements in order to allow - where applicable - for mutual recognition of threat led penetration tests between competent authorities. Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impacts of the tests referred to in this paragraph.
Amendment 567 #
Proposal for a regulation Article 23 – paragraph 3 – introductory part 3. Financial entities shall either contract testers in accordance with Article 24 or use internal testing teams, provided they operate at arms' length and are independent from the rest of the financial entity, for the purposes of undertaking threat led penetration testing.
Amendment 568 #
Proposal for a regulation Article 23 – paragraph 3 – introductory part 3. Financial entities shall contract external testers in accordance with Article 24 for the purposes of undertaking threat led penetration testing.
Amendment 569 #
Proposal for a regulation Article 23 – paragraph 3 – subparagraph 1 – introductory part Amendment 570 #
Proposal for a regulation Article 23 – paragraph 3 – subparagraph 1 – introductory part Competent authorities shall identify financial entities to perform threat led penetration testing in a manner that is proportionate to the nature, size, scale, activity and overall risk profile of the financial entity, based on the assessment of the following:
Amendment 571 #
Proposal for a regulation Article 23 – paragraph 4 – introductory part 4.
Amendment 572 #
Proposal for a regulation Article 23 – paragraph 4 – introductory part 4.
Amendment 573 #
Proposal for a regulation Article 23 – paragraph 4 – introductory part 4. EBA, ESMA and EIOPA shall, after consulting the ECB and taking into account relevant frameworks in the Union which apply to
Amendment 574 #
Proposal for a regulation Article 23 – paragraph 4 – introductory part 4. EBA, ESMA and EIOPA shall, after consulting the ECB and taking into account relevant frameworks in the Union which apply to
Amendment 575 #
Proposal for a regulation Article 23 – paragraph 4 – introductory part 4. EBA, ESMA and EIOPA shall, in co-operation with ENISA and after consulting the ECB and taking into account relevant frameworks in the Union which apply to intelligence-based penetration tests, by taking into account guidelines issued before the entry into force of this Regulation, develop draft regulatory technical standards to specify further:
Amendment 576 #
Proposal for a regulation Article 23 – paragraph 4 – point c (c) the type of supervisory cooperation needed for the implementation and to facilitate full mutual recognition of threat led penetration testing in the context of financial entities which operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub- sectors or local financial markets.
Amendment 577 #
Proposal for a regulation Article 23 – paragraph 4 – subparagraph 1 The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date
Amendment 578 #
Proposal for a regulation Article 23 – paragraph 4 – subparagraph 1 a (new) Until the entry into force of this Regulation, and the development and adoption of regulatory technical standards specified in Article 23 (4), financial entities shall follow those relevant guidelines and frameworks in the Union which apply to intelligence-based penetration tests, as these will continue to apply when this Regulation comes into force.
Amendment 579 #
Proposal for a regulation Article 23 – paragraph 4 a (new) 4 a. Results of threat led penetration testing, including those performed under the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), shall be mutually recognized within the Union among competent authorities.
Amendment 581 #
Proposal for a regulation Article 24 – paragraph 1 – point c (c) are certified by an accreditation body in a Member State or are certified by a well-established accreditation body in a third country or adhere to formal codes of conduct or ethical frameworks;
Amendment 582 #
Proposal for a regulation Article 24 – paragraph 1 – point d (d)
Amendment 583 #
Proposal for a regulation Article 24 – paragraph 1 – point e (e)
Amendment 584 #
Proposal for a regulation Article 25 – paragraph 1 – point 2 – point a (a) the nature, scale, complexity and importance of ICT-related dependencies,
Amendment 585 #
Proposal for a regulation Article 25 – paragraph 1 – point 2 – point b a (new) (b a) whether a provider of ICT services is an ICT intra-group service provider.
Amendment 586 #
Proposal for a regulation Article 25 – paragraph 1 – point 3 3. As part of their ICT risk management framework, financial entities, other than microenterprises, shall adopt and regularly review a strategy on ICT third-party risk
Amendment 587 #
Proposal for a regulation Article 25 – paragraph 1 – point 3 3. As part of their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk
Amendment 588 #
Proposal for a regulation Article 25 – paragraph 1 – point 3 3. As part of their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk
Amendment 589 #
Proposal for a regulation Article 25 – paragraph 1 – point 4 – introductory part 4. As part of their ICT risk management framework, financial entities shall maintain and update at entity level and, at sub-consolidated and consolidated levels, a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third- party service providers. Where available, financial entities shall follow the guidelines and other measures issued by the ESAs and competent authorities until the entry into force of the implementing technical standards referred in Article 25(10). Where relevant, the register of information may be constituted by records pursuant to Article 30 of Regulation (EU) 2016/79.
Amendment 590 #
Proposal for a regulation Article 25 – paragraph 1 – point 6 6. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with high
Amendment 591 #
7. In exercising access, inspection and audit rights over the ICT third-party service provider in relation to critical or important functions, financial entities shall on a risk-based approach pre-determine the frequency of audits and inspections and the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.
Amendment 592 #
Proposal for a regulation Article 25 – paragraph 1 – point 7 – paragraph 1 For contractual arrangements that entail a
Amendment 593 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall
Amendment 594 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall
Amendment 595 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall ensure that contractual arrangements on the use of ICT services a
Amendment 596 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall ensure that contractual arrangements on the use of ICT services
Amendment 597 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall ensure that contractual arrangements on the use of ICT services
Amendment 598 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – introductory part 8. Financial entities shall ensure that contractual arrangements on the use of ICT services are
Amendment 599 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – point a (a) significant breach by the ICT third- party service provider of applicable laws, regulations or contractual terms;
Amendment 600 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – point a (a) significant breach by the ICT third- party service provider of applicable laws, regulations or contractual terms;
Amendment 601 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – point c (c) ICT third-party service provider’s evidenced weaknesses
Amendment 602 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – point d (d) verifiable circumstances where the competent authority demonstrably can no longer effectively supervise the financial entity as a result of the respective contractual arrangement.
Amendment 603 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 – point d a (new) (d a) ICT third-party service provider becomes or is suspected of becoming at least partially owned or controlled by foreign governments or foreign militaries;
Amendment 604 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 a (new) 8 a. With a view to reducing the risk of disruptions at the level of the financial entity, in duly justified circumstances and in agreement with their competent authorities, financial entities may not terminate the contractual arrangement with the ICT third-party service provider until they are able to switch to another ICT third-party service provider or change to on-premises solutions consistent with the complexity of the service provided, in accordance with the exit strategy referred to in paragraph 9.
Amendment 605 #
Proposal for a regulation Article 25 – paragraph 1 – point 8 a (new) 8 a. Financial entities shall not bear the cost of transferring out data from an ICT third-party service provider in cases where a contract is terminated under any of the circumstances listed in points (a) to (d) of point 8.
Amendment 606 #
Proposal for a regulation Article 25 – paragraph 1 – point 9 – introductory part 9. For ICT services related to critical or important functions, financial entities shall put in place exit strategies in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
Amendment 607 #
Proposal for a regulation Article 25 – paragraph 1 – point 9 – introductory part 9. For critical and important functions, financial entities shall put in place exit strategies in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
Amendment 608 #
Proposal for a regulation Article 25 – paragraph 1 – point 9 – introductory part 9. Financial entities shall put in place exit strategies, to be reviewed periodically, in order to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function.
Amendment 609 #
Proposal for a regulation Article 25 – paragraph 1 – point 11 – paragraph 1 The ESAs shall submit those draft regulatory technical standards to the Commission by [PO: insert date 1
Amendment 610 #
Proposal for a regulation Article 25 – paragraph 1 – point 11 a (new) Amendment 611 #
Proposal for a regulation Article 26 – title Preliminary assessment of ICT concentration risk and further sub-
Amendment 612 #
Proposal for a regulation Article 26 – paragraph 1 – introductory part 1. When performing the identification and assessment of ICT concentration risk referred to in point (c) of Article 25(5), financial entities shall take into account whether the conclusion of a contractual arrangement in relation to the ICT services concerning critical or important functions would lead to any of the following:
Amendment 613 #
Proposal for a regulation Article 26 – paragraph 1 – point b (b) having in place multiple contractual arrangements in relation to the provision of ICT services concerning critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.
Amendment 614 #
Proposal for a regulation Article 26 – paragraph 1 – point b (b) having in place multiple contractual arrangements in relation to the provision of
Amendment 615 #
Proposal for a regulation Article 26 – paragraph 2 – introductory part 2. Where the contractual arrangement on the use of ICT services concerning critical or important functions includes the possibility that an ICT third-party service provider further sub-contracts a critical or
Amendment 616 #
Proposal for a regulation Article 26 – paragraph 2 – introductory part 2. Where the contractual arrangement on the use of ICT services concerning critical or important functions includes the possibility that an ICT third-party service provider further sub-contracts a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such possible sub-
Amendment 617 #
Proposal for a regulation Article 26 – paragraph 2 – subparagraph 1 – introductory part Where contractual arrangements on the use of ICT services concerning critical or important functions are concluded with an ICT third-party service provider established in a third-country, financial entities shall consider relevant, at least the following
Amendment 618 #
Proposal for a regulation Article 26 – paragraph 2 – subparagraph 1 a (new) With regard to the respect of data protection referred to point (a), financial entities shall comply with the requirement of Chater V of Regulation (EU) 2016/679, as interpreted in the case-law of the Court of Justice of the European Union.
Amendment 619 #
Proposal for a regulation Article 27 – paragraph 1 1. The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in a writing. The full contract, which includes the services level agreements, shall be documented in
Amendment 620 #
Proposal for a regulation Article 27 – paragraph 2 – introductory part 2.
Amendment 621 #
Proposal for a regulation Article 27 – paragraph 2 – introductory part 2. The contractual arrangements on the use of ICT services concerning critical or important functions shall include at least the following:
Amendment 622 #
2. The contractual arrangements on the use of ICT services concerning critical and important functions shall include at least the following:
Amendment 623 #
Proposal for a regulation Article 27 – paragraph 2 – point b Amendment 624 #
Proposal for a regulation Article 27 – paragraph 2 – point b (b) the location
Amendment 625 #
Proposal for a regulation Article 27 – paragraph 2 – point b (b) the country locations where the contracted or sub-contracted functions and services are to be provided and where data is to be processed, including the storage country location, and the requirement for the ICT third-party service provider to notify the financial entity if it envisages changing such locations;
Amendment 626 #
Proposal for a regulation Article 27 – paragraph 2 – point c (c) provisions on accessibility, availability, integrity,
Amendment 627 #
Proposal for a regulation Article 27 – paragraph 2 – point d (d) full service level descriptions, if considered to be necessary by the financial entity, including updates and revisions thereof, and precise quantitative and qualitative performance targets within the agreed service levels to allow an effective monitoring by the financial entity and enable without undue delay appropriate corrective actions when agreed service levels are not met;
Amendment 628 #
Proposal for a regulation Article 27 – paragraph 2 – point e (e) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development, including major ICT-related incidents, which may have a material impact on the ICT third- party service provider’s ability to effectively carry out critical or important functions in line with agreed service levels;
Amendment 629 #
Proposal for a regulation Article 27 – paragraph 2 – point g (g) requirements for the ICT third- party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies which
Amendment 630 #
Proposal for a regulation Article 27 – paragraph 2 – point h – point i i) rights of access, inspection and audit by the financial entity or by an appointed third-party,
Amendment 631 #
Proposal for a regulation Article 27 – paragraph 2 – point h – point i i) rights of access, inspection and
Amendment 632 #
Proposal for a regulation Article 27 – paragraph 2 – point h – point i i) unrestricted rights of access, inspection and audit by the competent authority, the financial entity or by an appointed third-party, and the right to take copies of relevant documentation, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
Amendment 633 #
Proposal for a regulation Article 27 – paragraph 2 – point h – point i a (new) i a) the obligation to allow competent authorities to have access to all contractual arrangements;
Amendment 634 #
Proposal for a regulation Article 27 – paragraph 2 – point h – point iii iii) the commitment to fully cooperate during the onsite inspections and audits performed by the
Amendment 635 #
Proposal for a regulation Article 27 – paragraph 2 – point j (j) termination rights and related minimum notices period for the termination of the contract, in accordance with competent authorities’ expectations; where that consideration impacts an ICT intra-group third-party service provider within the same group, it shall be analysed following a risk-based approach;
Amendment 636 #
Proposal for a regulation Article 27 – paragraph 2 – point j (j) termination rights and related minimum notices period for the termination of the contract, in accordance with competent authorities’ and resolution authorities' expectations;
Amendment 637 #
Proposal for a regulation Article 27 – paragraph 2 – point j (j) termination rights and related minimum notices period for the termination of the contract, in accordance with competent and resolution authorities’ expectations;
Amendment 638 #
Proposal for a regulation Article 27 – paragraph 2 – point k – introductory part (k) exit strategies, in particular the establishment of a mandatory adequate transition period - where that consideration impacts an ICT intra-group third-party service provider within the same group, it shall be analysed following a risk-based approach:
Amendment 639 #
Proposal for a regulation Article 27 – paragraph 2 – point k – point i (i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity or to ensure its effective resolution and restructuring;
Amendment 640 #
Proposal for a regulation Article 27 – paragraph 2 – point k – point i (i) during which the ICT third-party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity or to ensure its effective resolution and restructuring;
Amendment 641 #
Proposal for a regulation Article 27 – paragraph 2 – point k a (new) (k a) the processing of personal data by the ICT-third party service provider is in conformity with Regulation (EU) 2016/679;
Amendment 642 #
Proposal for a regulation Article 27 – paragraph 2 a (new) 2 a. The contractual arrangements for the provision of ICT services by an ICT third-party service provider established in a third country and designated as critical pursuant to Article 28(9), shall, in addition to the provisions set out in paragraphs 2 and 2a of this Article: (a) be concluded with a legal entity in the Union of that ICT third-party service provider; and (b) guarantee that the Joint Oversight Executive Body can carry out its duties specified in Article 30 on the basis of its competences set out in Article 31. The services for which the contractual arrangements are concluded shall not be required to be performed by the legal entity located in the Union.
Amendment 643 #
Proposal for a regulation Article 27 – paragraph 2 a (new) 2 a. Competent authorities shall be able to access the contractual arrangements.
Amendment 644 #
Proposal for a regulation Article 27 – paragraph 3 3. When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed for specific services and refrain from supplementing them in the areas set out in this Regulation or further detailed by the ESAs referred to in paragraph 4.
Amendment 645 #
Proposal for a regulation Article 27 – paragraph 4 – introductory part 4. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions to properly give effect to the provisions of point (a) of paragraph 2.
Amendment 646 #
Proposal for a regulation Article 27 – paragraph 4 – introductory part 4. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions to properly give effect to the provisions of point (a) of paragraph 2. When devising those standards, the ESAs shall take into consideration the nature, size and complexity of the financial entities concerned.
Amendment 647 #
Proposal for a regulation Article 27 – paragraph 4 – subparagraph 1 The ESAs shall submit those draft regulatory technical standards to the Commission by [OJ: insert date 1
Amendment 648 #
Proposal for a regulation Article 28 – paragraph 1 – introductory part 1. The
Amendment 649 #
Proposal for a regulation Article 28 – paragraph 1 – point a a (new) (a a) be responsible for the supervision and oversight of critical ICT third-party service providers in relation to the services they provide to financial entities.
Amendment 650 #
Proposal for a regulation Article 28 – paragraph 1 – point b Amendment 651 #
Proposal for a regulation Article 28 – paragraph 1 – point b (b) a
Amendment 652 #
Proposal for a regulation Article 28 – paragraph 1 – point b (b) appoint either EBA, ESMA or EIOPA
Amendment 653 #
Proposal for a regulation Article 28 – paragraph 2 – introductory part 2. The designation referred to in point (a) of paragraph 1 shall be based on all of the following criteria: -a) on the basis of a structured risk-based approach which takes into account both the provider and the nature of the service it provides;
Amendment 654 #
Proposal for a regulation Article 28 – paragraph 2 – point a a (new) (a a) the services provided constitute a function within the meaning of Article 3(17) of this Regulation.
Amendment 655 #
Proposal for a regulation Article 28 – paragraph 2 – point b – introductory part (b) the systemic character or importance of the financial entities that rely on the relevant ICT third-party provider, assessed in accordance with the
Amendment 656 #
Proposal for a regulation Article 28 – paragraph 2 – point e Amendment 657 #
Proposal for a regulation Article 28 – paragraph 2 – point f Amendment 658 #
Proposal for a regulation Article 28 – paragraph 2 – point f a (new) (f a) the materiality and importance of the relevant service provided by the ICT third-party service provider.
Amendment 659 #
Proposal for a regulation Article 28 – paragraph 2 a (new) 2 a. The designation mechanism referred to in points (a) and (b) of paragraph 1 shall not apply in relation to ICT intra-group third-party service providers.
Amendment 660 #
Proposal for a regulation Article 28 – paragraph 2 a (new) 2 a. The designation shall not apply in relation to intragroup ICT third-party service providers.
Amendment 661 #
Proposal for a regulation Article 28 – paragraph 2 b (new) 2 b. The ICT third-party service provider may, within 90 calendar days of receipt of the notification referred to in paragraph 2a, provide additional information to the Lead Overseer that is considered to be relevant to the designation referred to in point (a) of paragraph 1 and to its outcome.
Amendment 662 #
Proposal for a regulation Article 28 – paragraph 2 a (new) 2 a. The Lead Overseer shall notify the ICT third-party service provider before initiating its assessment for the purposes of the designation referred to in point (a) of paragraph 1.
Amendment 663 #
Proposal for a regulation Article 28 – paragraph 2 c (new) 2 c. The Lead Overseer shall make public the reason for the designation referred to in point (a) of paragraph 1 unless to do so could have a harmful impact on the designated ICT third-party service provider or on another entity subject to this Regulation.
Amendment 664 #
Proposal for a regulation Article 28 – paragraph 2 d (new) 2 d. Upon receipt of the draft recommendation, the ICT third-party service provider shall have a period of six weeks within which to review and comment on it, and shall communicate if an additional period of time is needed in order to make necessary adjustments as set out in this Article.
Amendment 665 #
Proposal for a regulation Article 28 – paragraph 2 e (new) 2 e. The ESAs shall notify the ICT third-party service provider of its designation as critical. The ICT third party service provider shall have at least three months to make any necessary adjustments to allow the Joint Oversight Executive Body to carry out its duties pursuant to Article 29, as well as to notify its financial entity customers. The Joint Oversight Executive Body may allow the adjustment period to be extended for a minimum period of three months, if requested by the designated ICT third- party service provider and duly justified.
Amendment 666 #
Proposal for a regulation Article 28 – paragraph 3 3. The Commission is empowered to adopt a delegated act
Amendment 667 #
Proposal for a regulation Article 28 – paragraph 3 3. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement the criteria referred to in paragraph 2. The Commission shall adopt such a delegated act within 12 months from the date of entry into force of this Regulation.
Amendment 668 #
Proposal for a regulation Article 28 – paragraph 5 a (new) Amendment 669 #
Proposal for a regulation Article 28 – paragraph 6 6. The
Amendment 670 #
Proposal for a regulation Article 28 – paragraph 8 – subparagraph 1 For the purpose of the first subparagraph, the ICT third-party service provider shall submit a reasoned application to
Amendment 671 #
Proposal for a regulation Article 28 – paragraph 9 Amendment 672 #
Proposal for a regulation Article 28 – paragraph 9 9. Financial entities shall not make use, for critical or important functions, of an ICT third-party service provider established in a third country
Amendment 673 #
Proposal for a regulation Article 28 – paragraph 9 9. Financial entities shall not make use of an ICT third-party service provider established in a third country that would be designated as critical pursuant to point (a) of paragraph 1 if
Amendment 674 #
Proposal for a regulation Article 28 – paragraph 9 9. Financial entities shall not make use of an ICT third-party service provider established in a third country that
Amendment 675 #
Proposal for a regulation Article 28 – paragraph 9 9. Financial entities shall
Amendment 676 #
Proposal for a regulation Article 28 – paragraph 9 a (new) 9 a. Financial entities shall not make use of an ICT third-party established in a third country if that third party has, or is suspected of having, ties with foreign governments or foreign militaries.
Amendment 677 #
Proposal for a regulation Article 28 – paragraph 9 a (new) 9 a. ICT service providers that are part of the same group of financial entities shall not be classified as critical ICT third-party service providers.
Amendment 678 #
Proposal for a regulation Article 28 a (new) Amendment 679 #
Proposal for a regulation Article 29 – paragraph 1 – introductory part 1. The Joint
Amendment 680 #
Proposal for a regulation Article 29 – paragraph 1 – introductory part 1. The Joint Committee, in accordance with Article 57 of Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, shall establish the Oversight Forum as a sub-committee for the purposes of supporting the work of the Joint Committee and the Lead Overseer
Amendment 681 #
Proposal for a regulation Article 29 – paragraph 4 Amendment 682 #
Proposal for a regulation Article 29 – paragraph 4 4. The Joint Oversight
Amendment 683 #
Proposal for a regulation Article 29 – paragraph 4 4. The Oversight Forum shall be composed of the Chairpersons of the ESAs, and at least one high-level representative from the current staff of the relevant competent authority from each Member State. The Executive Directors of each ESA and one representative from the European Commission, from the ESRB, from ECB and from ENISA shall participate in the Oversight Forum as observers.
Amendment 684 #
Proposal for a regulation Article 29 – paragraph 4 a (new) Amendment 685 #
Proposal for a regulation Article 29 – paragraph 5 5.
Amendment 686 #
Proposal for a regulation Article 29 – paragraph 5 5. In accordance with Article 16 of Regulation (EU) No 1093/2010, (EU) No
Amendment 687 #
Proposal for a regulation Article 29 – paragraph 5 5. In accordance with Article 16 of Regulation (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs shall issue guidelines on the cooperation between the ESAs and the national competent authorities for the purposes of this Section on the detailed procedures and conditions relating to the execution of tasks between national competent authorities and the ESAs and details on exchanges of information needed by national competent authorities to ensure the follow-up of recommendations addressed by Lead Overseers pursuant to point (d) of Article 31(1) to critical ICT third-party providers.
Amendment 688 #
Proposal for a regulation Article 29 – paragraph 7 7. The
Amendment 689 #
Proposal for a regulation Article 30 – title Tasks of the
Amendment 690 #
Proposal for a regulation Article 30 – paragraph 1 1. The
Amendment 691 #
Proposal for a regulation Article 30 – paragraph 2 – point e (e) the identification, monitoring and prompt reporting of major ICT-related incidents to the financial entities, the management and resolution of those incidents, in particular cyber-attacks;
Amendment 692 #
Proposal for a regulation Article 30 – paragraph 3 3. Based on the assessment referred to in paragraph 1, the Lead Overseer shall adopt a clear, detailed and reasoned individual Oversight plan for each critical ICT third-party service provider. Before publication of the Oversight plan, the Lead Overseer shall engage in dialogue with the ICT third-party service provider, specifically for the purpose of exchanging information relevant to the final Oversight plan, including the possibility for the ICT third-party service provider to challenge individual recommendations. That plan shall be communicated each year to the critical ICT third-party service provider.
Amendment 693 #
Proposal for a regulation Article 30 – paragraph 3 a (new) 3 a. When preparing the Oversight plan, the Joint Oversight Executive body shall consult all relevant competent authorities and single points of contact referred to in Article 8 of Directive (EU) 2016/1148 to ensure that there are no inconsistencies or duplications with the critical ICT third-party service provider's obligations under Directive (EU) 2016/1148.
Amendment 694 #
Proposal for a regulation Article 30 – paragraph 3 a (new) 3 a. Prior to the finalisation of the oversight plan referred to in paragraph 2, the Lead Overseer shall consult the relevant competent authorities that have jurisdiction under Directive (EU) 2016/1148 to assess if compliance with Directive (EU) 2016/1148 satisfies one or more of the requirements set out in the oversight framework in this section.
Amendment 695 #
Proposal for a regulation Article 31 – title Powers and responsibilities of the
Amendment 696 #
Proposal for a regulation Article 31 – paragraph 1 – introductory part 1. For the purposes of carrying out the duties laid down in this Section, the
Amendment 697 #
Proposal for a regulation Article 31 – paragraph 1 – introductory part 1. For the purposes of carrying out the duties laid down in this Section, the Lead Overseer shall have the following powers related to ICT risks concerning the ICT services provided by critical ICT third- party service providers to financial entities:
Amendment 698 #
Proposal for a regulation Article 31 – paragraph 1 – point d – introductory part (d) to
Amendment 699 #
Proposal for a regulation Article 31 – paragraph 1 – point d – point iv a (new) (iv a) refraining from entering into a further subcontracting arrangement, when the envisaged sub-contractor is an ICT third-party service provider or an ICT sub-contractor established in a third country, if this third-party has or is suspected of having ties to foreign governments or foreign militaries;
Amendment 700 #
Proposal for a regulation Article 31 – paragraph 1 – subparagraph 1 (new) The powers referred to in the first subparagraph shall primarily be used in respect of the critical or important services provided by the critical ICT third- party service provider to financial entities, but may also be used in respect of other services provided to financial entities when necessary.
Amendment 701 #
Proposal for a regulation Article 31 – paragraph 1 a (new) 1 a. When exercising the powers referred to in paragraph 1, the Lead Overseer shall take due account of the framework established by Directive (EU) 2016/1148, in order to avoid unnecessary duplication of technical and organisational measures that might apply to critical ICT third-party service providers pursuant to that Directive.
Amendment 702 #
Proposal for a regulation Article 31 – paragraph 1 a (new) 1 a. When exercising the powers referred to in paragraph 1, the Joint Oversight Body shall coordinate with the relevant national competent authority established by Directive (EU) 2016/1148 to avoid inconsistencies or duplication with rules established under Directive (EU) 2016/1148.
Amendment 703 #
Proposal for a regulation Article 31 – paragraph 2 Amendment 704 #
Proposal for a regulation Article 31 – paragraph 2 a (new) 2 a. When preparing the recommendations, the Joint Oversight Executive body shall consult all relevant competent authorities and single points of contact referred to in Article 8 of Directive (EU) 2016/1148 to ensure there are no inconsistencies or duplications with the critical ICT third-party service provider's obligations under Directive (EU) 2016/1148
Amendment 705 #
Proposal for a regulation Article 31 – paragraph 3 a (new) 3 a. For the purposes of paragraph 1(d), prior to issuing a recommendation, the Lead Overseer shall inform the critical ICT third-party service provider of its intention to issue a recommendation and shall provide an opportunity for the critical ICT third-party service provider to provide information which it reasonably believes should be taken into account before the recommendation is finalised and issued.
Amendment 706 #
Proposal for a regulation Article 31 – paragraph 4 4. The Lead Overseer
Amendment 707 #
Proposal for a regulation Article 31 – paragraph 4 4. The Lead Overseer may, in the case of whole or partial non-compliance with the appropriate measures that would need to be taken in accordance with points (a),(b) or (c) of paragraph 1, within 60 calendar days, decide to impose a periodic penalty payment to compel the
Amendment 708 #
Proposal for a regulation Article 31 – paragraph 6 6. The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be 1% of the average daily worldwide turnover related to services provided to financial entities covered in this regulation of the critical ICT third-party service provider in the preceding business year.
Amendment 709 #
Proposal for a regulation Article 31 – paragraph 7 7. Penalty payments shall be of an administrative nature and shall be enforceable. Enforcement shall be governed by the rules of civil procedure in force in the Member State on the territory of which inspections and access shall be carried out. Courts of the Member State
Amendment 710 #
Proposal for a regulation Article 31 – paragraph 8 8. The
Amendment 711 #
Proposal for a regulation Article 32 – paragraph 1 1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information concerning ICT services delivered to a financial entity that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business
Amendment 712 #
Proposal for a regulation Article 32 – paragraph 1 1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. ICT third-party service providers shall only be required to provide that information in respect of financial entities subject to this Regulation who use the services for critical or important functions and shall give notice to the relevant financial entity of requests specific to that financial entity.
Amendment 713 #
Proposal for a regulation Article 32 – paragraph 1 1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. Any contractual clauses between the financial entity and the critical ICT third-party service provider restricting access to information by the Lead Overseer shall be declared null and void.
Amendment 714 #
Proposal for a regulation Article 32 – paragraph 2 – point d (d) set a reasonable time limit within which the information is to be provided;
Amendment 715 #
Proposal for a regulation Article 32 – paragraph 3 – point e (e) indicate the periodic penalty payments provided for in Article 31(4) where the production of the required information is incomplete or when such information is not provided within the time limit established in point (d);
Amendment 716 #
Proposal for a regulation Article 32 – paragraph 5 5. The Lead Overseer shall, without delay, send a copy of the decision to supply information to the competent authorities of the financial entities using the critical ICT third-party providers’ services. That critical ICT third-party service provider shall notify its clients about the Lead Overseer's recommendations.
Amendment 717 #
Proposal for a regulation Article 33 – paragraph 2 – point b (b)
Amendment 718 #
Proposal for a regulation Article 33 – paragraph 2 – point b (b) take or obtain certified copies of or review them on-site where they are deemed to be critical to the operations of the ICT third-party service provider, or extracts from, such records, data, procedures and other material;
Amendment 719 #
Proposal for a regulation Article 33 – paragraph 2 – point e Amendment 720 #
Proposal for a regulation Article 33 – paragraph 2 – point e (e) request records of telephone and data traffic, in accordance with the principle of proportionality.
Amendment 721 #
Proposal for a regulation Article 34 – paragraph 1 1. In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the examination teams referred to in Article 35(1), may enter and conduct all necessary on-site inspections on any business premises, land or property of the ICT third-party providers, which are relevant to the ongoing investigation and financial entity in question, such as head offices, operation centres, secondary premises, as well as to conduct off-line inspections.
Amendment 722 #
Proposal for a regulation Article 34 – paragraph 2 – introductory part 2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises, unless it does not interrupt operations of other ICT third- party service provider customers and books or records for the period of, and to the extent necessary for, the inspection.
Amendment 723 #
Proposal for a regulation Article 34 – paragraph 2 – introductory part 2. The officials and other persons authorised by the Lead Overseer to conduct an on-site inspection, may enter any such business premises, land or property and shall have all the powers to seal any business premises and books or records for the period of, and to the extent necessary for, the inspection, in a way which does not compromise the security of the provider and its customers.
Amendment 724 #
Proposal for a regulation Article 34 – paragraph 4 4. Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data that the Lead Overseer deems appropriate and technologically relevant, either
Amendment 725 #
Proposal for a regulation Article 34 – paragraph 5 5. Before any planned on-site visit, Lead Overseers shall give a reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective. On the occasion of an on-site visit, both the Lead Overseer and the ICT third-party service provider shall avoid and mitigate any disruption in services to clients of the ICT third-party service provider other than financial entities within the scope of this Regulation.
Amendment 726 #
Proposal for a regulation Article 37 – paragraph 1 1. Within 30 calendar days after the receipt of the
Amendment 727 #
Proposal for a regulation Article 37 – paragraph 1 1. Within 30 calendar days after the receipt of the recommendations issued by
Amendment 728 #
Proposal for a regulation Article 37 – paragraph 1 1. Within 30 calendar days after the receipt of the recommendations issued by Lead Overseers pursuant to point (d) of Article 31(1), which shall be simultaneously copied to the financial entities serviced by the latter critical ICT third-party service providers shall notify the Lead Overseer whether they intend to follow those critical recommendations. For non-critical recommendations, the time period may be extended by up to 45 days. Lead Overseers shall immediately transmit this information to competent authorities.
Amendment 729 #
Proposal for a regulation Article 37 – paragraph 2 2. Competent authorities shall monitor whether financial entities take into account the risks identified in the
Amendment 730 #
Proposal for a regulation Article 37 – paragraph 3 3.
Amendment 731 #
Proposal for a regulation Article 37 – paragraph 3 3.
Amendment 732 #
Proposal for a regulation Article 37 – paragraph 3 3.
Amendment 733 #
Proposal for a regulation Article 37 – paragraph 3 3. Competent authorities may, as a measure of last resort and following consultation with the Oversight Forum, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, and as a measure of last resort, they may require financial entities to terminate, in part or completely,
Amendment 734 #
Proposal for a regulation Article 37 – paragraph 3 3. Competent authorities may, in accordance with Article 44, as a measure of last resort, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third- party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers, after considering risks and mitigating measures and following the defined exit strategies put in place by the financial entity. Following the request for termination, the competent authorities shall allow sufficient time for financial entities to adjust their contractual arrangements with ICT third-party service providers in such a way as to not jeopardise digital operational resilience.
Amendment 735 #
Proposal for a regulation Article 37 – paragraph 3 3. Competent authorities may, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers. Competent authorities shall only require financial entities to perform any of the above actions as a matter of last resort and taking into account the involved risk and the feasibility of exiting the service in question.
Amendment 736 #
Proposal for a regulation Article 37 – paragraph 3 a (new) Amendment 737 #
Proposal for a regulation Article 37 – paragraph 4 – introductory part 4. When
Amendment 738 #
Proposal for a regulation Article 37 – paragraph 4 – introductory part 4. When taking the decisions referred to in paragraph 3,
Amendment 739 #
Proposal for a regulation Article 37 – paragraph 4 – point d a (new) (d a) whether the suspension or termination introduces a discontinuity risk for the business operations of the customer of the critical ICT third-party provider.
Amendment 740 #
Proposal for a regulation Article 37 – paragraph 4 – point d a (new) (d a) whether the suspension or termination means a risk for the business operations of the customer of the critical ICT third-party service provider.
Amendment 741 #
Proposal for a regulation Article 40 – paragraph 1 – introductory part 1. Financial entities
Amendment 742 #
Proposal for a regulation Article 40 – paragraph 1 – point a (a) aims at enhancing the digital operational resilience of financial entities and ICT third-party service providers, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting
Amendment 743 #
Proposal for a regulation Article 40 – paragraph 1 – point b (b) takes places within trusted communities of financial entities and ICT third-party service providers;
Amendment 744 #
Proposal for a regulation Article 40 – paragraph 2 2. For the purpose of paragraph 1, a database for storing information at Union level shall be created. For the purpose of point (c) of paragraph 1, the information sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which the latter may be associated to the information-sharing arrangements, as well as on operational elements, including the use of dedicated IT platforms.
Amendment 745 #
Proposal for a regulation Article 40 – paragraph 3 Amendment 746 #
Proposal for a regulation Article 40 – paragraph 3 a (new) 3 a. Processing of personal data for the purposes of this Article is in accordance with point (f) of Article 6(1) of Regulation (EU) 2016/679.
Amendment 747 #
Proposal for a regulation Article 41 – paragraph 1 – point p Amendment 748 #
Proposal for a regulation Article 42 – paragraph 1 1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities,
Amendment 749 #
Proposal for a regulation Article 42 – paragraph 1 1. To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 11 of Directive (EU) 2016/1148, the ESAs and the competent authorities,
Amendment 750 #
Proposal for a regulation Article 42 – paragraph 2 a (new) 2 a. The Joint Oversight Executive Body shall inform and cooperate with the relevant competent authorities designated under Directive (EU) 2016/1148 before conducting general investigations and inspections in accordance with Article 31(1)(b), and Articles 33 and 34 of this Regulation.
Amendment 751 #
Proposal for a regulation Article 43 – paragraph 2 2. Competent authorities, EBA, ESMA or EIOPA, national resolution authorities, the SRB and the ECB shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 42 to 48. They shall closely coordinate their supervision in order to identify and remedy breaches of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation and provide cross-jurisdictional assessments in the event of any disagreements.
Amendment 752 #
Proposal for a regulation Article 43 a (new) Amendment 753 #
Proposal for a regulation Article 44 – paragraph 1 1.
Amendment 754 #
Proposal for a regulation Article 44 – paragraph 4 – point e a (new) (e a) provide an automatic compensation to their service users and clients where an operational incident hampered the use of financial services for a period of more than 48 hours;
Amendment 755 #
Proposal for a regulation Article 48 – paragraph 2 2. The publication referred to in paragraph 1 shall include information on the type and nature of the breach, exceptionally the identity of the persons responsible and the penalties imposed, taking into account the need to avoid jeopardising the stability of financial markets or the pursuit of an ongoing criminal investigation. It may defer its publication until all reasons for non-publication cease to exist.
Amendment 756 #
Proposal for a regulation Article 48 – paragraph 3 – introductory part 3. Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case
Amendment 757 #
Proposal for a regulation Article 48 – paragraph 3 – point c (c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets
Amendment 758 #
Proposal for a regulation Article 48 – paragraph 6 6. Competent authorities shall ensure that any publication referred to in paragraphs 1
Amendment 759 #
Proposal for a regulation Article 50 – paragraph 2 2. The power to adopt delegated acts referred to in Articles 28(3) and 38(2) shall be conferred on the Commission for a period of
Amendment 760 #
Proposal for a regulation Article 51 – paragraph 1 a (new) Amendment 761 #
Proposal for a regulation Article 56 – paragraph 2 It shall apply from [PO: insert date -
Amendment 762 #
Proposal for a regulation Article 56 – paragraph 2 It shall apply from [PO: insert date -
Amendment 763 #
Proposal for a regulation Article 56 – paragraph 2 It shall apply from [PO: insert date -
Amendment 764 #
Proposal for a regulation Article 56 – paragraph 2 It shall apply from [PO: insert date -
Amendment 765 #
Proposal for a regulation Article 56 – paragraph 2 It shall apply from [PO: insert date -
source: 693.603
|
History
(these mark the time of scraping, not the official date of the change)
2023-08-03Show (5) Changes | Timetravel
| docs/9 |
|
| events/9 |
|
| events/12 |
|
| events/13 |
|
| events/13/summary |
|
2023-01-05Show (3) Changes | Timetravel
| events/12 |
|
| procedure/final |
|
| procedure/stage_reached |
Old
Procedure completed, awaiting publication in Official JournalNew
Procedure completed |
2022-12-22Show (20) Changes | Timetravel
| docs/0 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/14 |
|
| events/0 |
|
| events/6 |
|
| events/7 |
|
| events/7/date |
Old
2022-07-13T00:00:00New
2022-07-12T00:00:00 |
2022-12-18Show (20) Changes | Timetravel
| docs/0 |
|
| docs/9 |
|
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/14 |
|
| docs/14/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| events/6 |
|
| events/6/date |
Old
2022-07-12T00:00:00New
2022-07-13T00:00:00 |
| events/7 |
|
2022-12-16Show (22) Changes | Timetravel
| docs/0 |
|
| docs/7 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/10 |
|
| docs/10/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/14 |
|
| docs/15 |
|
| events/0 |
|
| events/4 |
|
| events/5 |
|
| events/7 |
|
| events/11 |
|
2022-12-15Show (22) Changes | Timetravel
| docs/0 |
|
| docs/7 |
|
| docs/9 |
|
| docs/10 |
|
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/14 |
|
| docs/14/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/15 |
|
| docs/15/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| events/4 |
|
| events/5 |
|
| events/7 |
|
| procedure/stage_reached |
Old
Awaiting signature of actNew
Procedure completed, awaiting publication in Official Journal |
2022-12-12Show (20) Changes | Timetravel
| docs/0 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/14 |
|
| events/0 |
|
| events/6 |
|
| events/7 |
|
| events/7/date |
Old
2022-07-13T00:00:00New
2022-07-12T00:00:00 |
2022-12-10Show (20) Changes | Timetravel
| docs/0 |
|
| docs/9 |
|
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/13 |
|
| docs/13 |
|
| docs/13/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/14 |
|
| docs/14/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| events/6 |
|
| events/6/date |
Old
2022-07-12T00:00:00New
2022-07-13T00:00:00 |
| events/7 |
|
2022-12-06Show (1) Changes | Timetravel
| docs/8 |
|
2022-12-05Show (2) Changes | Timetravel
| events/10 |
|
| procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
2022-11-25Show (2) Changes | Timetravel
| docs/8 |
|
| events/9/summary |
|
2022-11-18Show (1) Changes | Timetravel
| events/8/docs |
|
2022-11-12Show (5) Changes | Timetravel
| docs/8 |
|
| events/8 |
|
| events/9 |
|
| forecasts |
|
| procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
2022-10-23Show (1) Changes | Timetravel
| forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate in plenary scheduled |
2022-09-16Show (20) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/8/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/13 |
|
| events/0 |
|
| events/6 |
|
| events/7 |
|
| events/7/date |
Old
2022-07-13T00:00:00New
2022-07-12T00:00:00 |
2022-09-15Show (20) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/13 |
|
| docs/13/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| events/6 |
|
| events/6/date |
Old
2022-07-12T00:00:00New
2022-07-13T00:00:00 |
| events/7 |
|
2022-08-29Show (20) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/8/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/13 |
|
| events/0 |
|
| events/6 |
|
| events/7 |
|
| events/7/date |
Old
2022-07-13T00:00:00New
2022-07-12T00:00:00 |
2022-08-28Show (20) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/13 |
|
| docs/13/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| events/6 |
|
| events/6/date |
Old
2022-07-12T00:00:00New
2022-07-13T00:00:00 |
| events/7 |
|
2022-07-28Show (1) Changes | Timetravel
| events/7 |
|
2022-07-14Show (17) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/8/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/13 |
|
| events/0 |
|
2022-07-13Show (18) Changes | Timetravel
| docs/0 |
|
| docs/8 |
|
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-03-08T00:00:00New
2021-03-09T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-05-09T00:00:00New
2021-05-10T00:00:00 |
| docs/11 |
|
| docs/11 |
|
| docs/11/date |
Old
2020-12-15T00:00:00New
2020-12-16T00:00:00 |
| docs/12 |
|
| docs/12 |
|
| docs/12/date |
Old
2021-02-21T00:00:00New
2021-02-22T00:00:00 |
| docs/13 |
|
| docs/13/date |
Old
2021-10-26T00:00:00New
2021-10-27T00:00:00 |
| events/0 |
|
| forecasts/0/date |
Old
2022-10-17T00:00:00New
2022-11-09T00:00:00 |
2022-07-08Show (3) Changes | Timetravel
| docs/6 |
|
| docs/7 |
|
| procedure/Legislative priorities/0 |
|
2022-06-28Show (1) Changes | Timetravel
| forecasts |
|
2022-06-24Show (5) Changes | Timetravel
| docs/6/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0595New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0595 |
| docs/7/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0595New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0595 |
| docs/8/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0595New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0595 |
| docs/9/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0595New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0595 |
| docs/10/docs/0/url |
Old
http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2020)0595New
https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2020)0595 |
2022-06-18Show (17) Changes | Timetravel
| docs/0 |
|
| docs/6 |
|
| docs/6/date |
Old
2021-03-09T00:00:00New
2021-03-08T00:00:00 |
| docs/7 |
|
| docs/7 |
|
| docs/7/date |
Old
2021-05-10T00:00:00New
2021-05-09T00:00:00 |
| docs/8 |
|
| docs/8 |
|
| docs/8/date |
Old
2020-12-16T00:00:00New
2020-12-15T00:00:00 |
| docs/9 |
|
| docs/9 |
|
| docs/9/date |
Old
2021-02-22T00:00:00New
2021-02-21T00:00:00 |
| docs/10 |
|
| docs/10 |
|
| docs/10/date |
Old
2021-10-27T00:00:00New
2021-10-26T00:00:00 |
| docs/11 |
|
| events/0 |
|
2021-12-22Show (2) Changes | Timetravel
| docs/7 |
|
| events/3/summary |
|
2021-12-17Show (1) Changes | Timetravel
| events/5 |
|
2021-12-15Show (1) Changes | Timetravel
| events/4 |
|
2021-12-09Show (2) Changes | Timetravel
| docs/7/docs/0/url |
https://www.europarl.europa.eu/doceo/document/A-9-2021-0341_EN.html
|
| events/3/docs/0/url |
https://www.europarl.europa.eu/doceo/document/A-9-2021-0341_EN.html
|
2021-12-08Show (3) Changes | Timetravel
| docs/7 |
|
| events/3 |
|
| procedure/stage_reached |
Old
Awaiting committee decisionNew
Awaiting Parliament's position in 1st reading |
2021-12-03Show (4) Changes | Timetravel
| events/1 |
|
| events/2 |
|
| forecasts |
|
| procedure/Other legal basis |
Rules of Procedure EP 159
|
2021-11-27Show (1) Changes | Timetravel
| docs/11 |
|
2021-09-17Show (1) Changes | Timetravel
| forecasts |
|
2021-06-15Show (3) Changes | Timetravel
| docs/0 |
|
| docs/5 |
|
| events/0 |
|
2021-06-01Show (2) Changes | Timetravel
| docs/4/docs/0/url |
https://www.europarl.europa.eu/doceo/document/ECON-AM-693603_EN.html
|
| docs/6 |
|
2021-05-28Show (1) Changes | Timetravel
| docs/4/date |
Old
2021-05-26T00:00:00New
2021-05-27T00:00:00 |
2021-05-26Show (1) Changes | Timetravel
| docs/4 |
|
2021-05-03Show (1) Changes | Timetravel
| events/1/body |
EP
|
2021-05-01Show (4) Changes | Timetravel
| docs/0 |
|
| docs/4 |
|
| events/0 |
|
| procedure/title |
Old
Digital operational resilience for the financial sectorNew
Digital finance: Digital Operational Resilience Act (DORA) |
2021-04-13Show (9) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
| docs/0 |
|
| docs/3 |
|
| docs/4 |
|
| docs/4/docs/0/url |
Old
https://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE689.801New
https://www.europarl.europa.eu/doceo/document/ECON-PR-689801_EN.html |
| events/0 |
|
| events/0 |
|
| events/1 |
|
2021-03-27Show (3) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
| docs/3 |
|
2021-03-08Show (2) Changes | Timetravel
| committees/0/shadows/5 |
|
| docs/4 |
|
2021-03-03Show (2) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
2021-02-24Show (2) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
2021-02-17Show (2) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
2021-02-16Show (7) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
| docs/3 |
|
| events/1 |
|
| procedure/Legislative priorities |
|
| procedure/dossier_of_the_committee |
|
| procedure/stage_reached |
Old
Preparatory phase in ParliamentNew
Awaiting committee decision |
2020-12-09Show (3) Changes | Timetravel
| commission |
|
| committees/0 |
|
| committees/0 |
|
2020-11-20Show (2) Changes | Timetravel
| otherinst |
|
| procedure/other_consulted_institutions |
European Economic and Social Committee
|
2020-11-17Show (2) Changes | Timetravel
| committees/0 |
|
| committees/0 |
|
2020-11-12Show (2) Changes | Timetravel
| committees/0/shadows/2 |
|
| committees/2/opinion |
False
|
2020-11-10Show (1) Changes | Timetravel
| committees/0/rapporteur |
|
2020-10-24Show (1) Changes | Timetravel
| committees/0/shadows/0 |
|
2020-10-23Show (1) Changes | Timetravel
| committees/1/opinion |
False
|
2020-10-19Show (1) Changes | Timetravel
| committees/0/shadows |
|
2020-10-13Show (5) Changes | Timetravel
| docs/0 |
|
| docs/0 |
|
| docs/0/docs/0 |
|
| docs/1 |
|
| events/0/summary |
|
2020-10-06Show (2) Changes
| docs/0/docs/1 |
|
| events/0/docs/1 |
|