Source: OJ L, 2024/1620, 19.6.2024

Article 83 IT security


Summary: What does Article 83 of the Anti-Money Laundering Authority Regulation (AMLAR) say?

This article sets out the IT governance and cybersecurity requirements for the Authority itself.

It establishes that IT governance sits at the level of the Executive Director, who is responsible for managing the IT budget and reporting to the Executive Board on compliance with IT security rules.

The article also requires that a sufficient share of IT expenditure be transparently allocated to direct IT security, and that an IT security monitoring, detection and response service be established, with a specific obligation to report major incidents to CERT-EU and the Commission.

Important points:

  • The Authority must establish internal IT governance at the Executive Director level, including budget management and regular compliance reporting to the Executive Board.
  • A sufficient and transparent share of IT expenditure must be allocated to direct IT security, with contributions to CERT-EU counting toward that share.
  • Major IT security incidents must be reported to both CERT-EU and the Commission within 24 hours of detection.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The Authority shall establish an internal IT governance at the level of the Executive Director which establishes and manages the IT budget and ensures regular reporting to the Executive Board on compliance with applicable IT security rules and standards.

    2. The Authority shall ensure that a sufficient share of its IT expenditure is transparently allocated to direct IT security. The contribution to the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) may be counted in that share.

    3. An adequate IT security monitoring, detection and response service shall be established, using the services of CERT-EU. Major incidents shall be reported to CERT-EU and to the Commission within 24 hours of detection.
