Article 6 Amendments to Directive 2014/65/EU

Directive 2014/65/EU is amended as follows:

  1. Article 16 is amended as follows:

    1. paragraph 4 is replaced by the following:

‘4. An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities. To that end, the investment firm shall employ appropriate and proportionate systems, including information and communication technology (“ICT”) systems that are set up and managed in accordance with Article 7 of Regulation (EU) 2022/2554 of the European Parliament and of the Council (20), as well as appropriate and proportionate resources and procedures.

      (20) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;

    2. in paragraph 5, the second and third subparagraphs are replaced by the following:

      ‘An investment firm shall have sound administrative and accounting procedures, internal control mechanisms and effective procedures for risk assessment.

      Without prejudice to the ability of competent authorities to require access to communications in accordance with this Directive and Regulation (EU) No 600/2014, an investment firm shall have sound security mechanisms in place to ensure, in accordance with the requirements laid down in Regulation (EU) 2022/2554, the security and authentication of the means of transfer of information, to minimise the risk of data corruption and unauthorised access and to prevent information leakage, thereby maintaining the confidentiality of the data at all times.’;

  2. Article 17 is amended as follows:

    1. paragraph 1 is replaced by the following:

      ‘1. An investment firm that engages in algorithmic trading shall have in place effective systems and risk controls suitable to the business it operates to ensure that its trading systems are resilient and have sufficient capacity in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554, are subject to appropriate trading thresholds and limits and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly market.

      Such a firm shall also have in place effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to Regulation (EU) No 596/2014 or to the rules of a trading venue to which it is connected.

      The investment firm shall have in place effective business continuity arrangements to deal with any failure of its trading systems, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, and shall ensure its systems are fully tested and properly monitored to ensure that they meet the general requirements laid down in this paragraph and any specific requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554.’;

    2. in paragraph 7, point (a) is replaced by the following:

      ‘(a) the details of organisational requirements laid down in paragraphs 1 to 6, other than those related to ICT risk management, which are to be imposed on investment firms providing different investment services, investment activities, ancillary services or combinations thereof, whereby the specifications in relation to the organisational requirements laid down in paragraph 5 shall set out specific requirements for direct market access and for sponsored access in such a way as to ensure that the controls applied to sponsored access are at least equivalent to those applied to direct market access;’;

  3. in Article 47, paragraph 1 is amended as follows:

    1. point (b) is replaced by the following:

      ‘(b) to be adequately equipped to manage the risks to which it is exposed, including to manage ICT risk in accordance with Chapter II of Regulation (EU) 2022/2554, to implement appropriate arrangements and systems for identifying significant risks to its operation, and to put in place effective measures to mitigate those risks;’;

    2. point (c) is deleted;

  4. Article 48 is amended as follows:

    1. paragraph 1 is replaced by the following:

      ‘1. Member States shall require a regulated market to establish and maintain its operational resilience in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554 to ensure its trading systems are resilient, have sufficient capacity to deal with peak order and message volumes, are able to ensure orderly trading under conditions of severe market stress, are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, to ensure continuity of its services if there is any failure of its trading systems.’;

    2. paragraph 6 is replaced by the following:

      ‘6. Member States shall require a regulated market to have in place effective systems, procedures and arrangements, including requiring members or participants to carry out appropriate testing of algorithms and providing environments to facilitate such testing in accordance with the requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554, to ensure that algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market and to manage any disorderly trading conditions which do arise from such algorithmic trading systems, including systems to limit the ratio of unexecuted orders to transactions that may be entered into the system by a member or participant, to be able to slow down the flow of orders if there is a risk of its system capacity being reached and to limit and enforce the minimum tick size that may be executed on the market.’;

    3. paragraph 12 is amended as follows:

      1. point (a) is replaced by the following:

        ‘(a) the requirements to ensure trading systems of regulated markets are resilient and have adequate capacity, except the requirements related to digital operational resilience;’;

      2. point (g) is replaced by the following:

        ‘(g) the requirements to ensure appropriate testing of algorithms, other than digital operational resilience testing, so as to ensure that algorithmic trading systems including high-frequency algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market.’.


Crafted with ❤️ by Springflod