Source: OJ L 333, 27.12.2022, p. 153–163
Article 7 Amendments to Directive (EU) 2015/2366
Directive (EU) 2015/2366 is amended as follows:
in Article 3, point (j) is replaced by the following:
‘services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information and communication technology (ICT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services;’;
Article 5(1) is amended as follows:
the first subparagraph is amended as follows:
point (e) is replaced by the following:
‘a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures as well as arrangements for the use of ICT services in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (21), which demonstrates that those governance arrangements and internal control mechanisms are proportionate, appropriate, sound and adequate;’;
(21) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
point (f) is replaced by the following:
‘a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations of the payment institution laid down in Chapter III of Regulation (EU) 2022/2554;’;
point (h) is replaced by the following:
‘a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with Regulation (EU) 2022/2554;’;
the third subparagraph is replaced by the following:
‘The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1) of this Directive. Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) of this Directive, when in place.’;
in Article 19(6), the second subparagraph is replaced by the following:
‘Outsourcing of important operational functions, including ICT systems, shall not be undertaken in such way as to impair materially the quality of the payment institution’s internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in this Directive.’;
in Article 95(1), the following subparagraph is added:
‘The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to:
payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;
account information service providers referred to in Article 33(1) of this Directive;
payment institutions exempted pursuant to Article 32(1) of this Directive; and
electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.’;
in Article 96, the following paragraph is added:
‘Member States shall ensure that paragraphs 1 to 5 of this Article do not apply to:
payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;
account information service providers referred to in Article 33(1) of this Directive;
payment institutions exempted pursuant to Article 32(1) of this Directive; and
electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.’;
in Article 98, paragraph 5 is replaced by the following:
‘In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments, and of the provisions of Chapter II of Regulation (EU) 2022/2554.’.