Source: OJ L 333, 27.12.2022, p. 153–163
DORA directive
Article 5 Amendments to Directive 2014/59/EU
Directive 2014/59/EU is amended as follows:
Article 10 is amended as follows:
in paragraph 7, point (c) is replaced by the following:
‘a demonstration of how critical functions and core business lines could be legally and economically separated, to the extent necessary, from other functions so as to ensure continuity and digital operational resilience upon the failure of the institution;’;
in paragraph 7, point (q) is replaced by the following:
‘a description of essential operations and systems for maintaining the continuous functioning of the institution’s operational processes, including network and information systems as referred to in Regulation (EU) 2022/2554 of the European Parliament and of the Council (19);’;
(19) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
in paragraph 9, the following subparagraph is added:
‘In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards in order to, inter alia, take account of the provisions of Chapter II of Regulation (EU) 2022/2554.’;
the Annex is amended as follows:
in Section A, point (16) is replaced by the following:
‘arrangements and measures necessary to maintain the continuous functioning of the institution’s operational processes, including network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554;’;
Section B is amended as follows:
point (14) is replaced by the following:
‘an identification of the owners of the systems identified in point (13), service level agreements related thereto, and any software and systems or licenses, including a mapping to their legal entities, critical operations and core business lines, as well as an identification of critical ICT third-party service providers as defined in Article 3, point (23), of Regulation (EU) 2022/2554;’;
the following point is inserted:
‘the results of institutions’ digital operational resilience testing under Regulation (EU) 2022/2554;’;
Section C is amended as follows:
point (4) is replaced by the following:
‘the extent to which the service agreements, including contractual arrangements on the use of ICT services, that the institution maintains are robust and fully enforceable in the event of resolution of the institution;’;
the following point is inserted:
‘the digital operational resilience of the network and information systems supporting critical functions and core business lines of the institution, taking into account major ICT-related incident reports and the results of digital operational resilience testing under Regulation (EU) 2022/2554;’.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.