Article 1 Subject matter

    1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:

      1. requirements applicable to financial entities in relation to:

        1. information and communication technology (ICT) risk management;

        2. reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;

        3. reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);

        4. digital operational resilience testing;

        5. information and intelligence sharing in relation to cyber threats and vulnerabilities;

        6. measures for the sound management of ICT third-party risk;

      2. requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;

      3. rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;

      4. rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

    2. In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.

    3. This Regulation is without prejudice to the responsibility of Member States regarding essential State functions concerning public security, defence and national security in accordance with Union law.

Terms used in this Article, as defined on this page:

    1. digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

    2. security of network and information systems: the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems.

    3. financial entities: as defined in Article 2, points (a) to (t).

    4. ICT risk: the potential for loss or disruption caused by an incident, expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.

    5. major ICT-related incident: an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.

    6. significant cyber threat: a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage.

    7. competent authorities: as defined in Article 46.

    8. major operational or security payment-related incident: an operational or security payment-related incident that has a high adverse impact on the payment-related services provided.

    9. digital operational resilience testing: as defined in Article 24.

    10. cyber threat: as defined in Article 2, point (8), of Regulation (EU) 2019/881.

    11. vulnerability: a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat.

    12. ICT third-party risk: an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements.

    13. ICT third-party service provider: an undertaking providing ICT services.

    14. critical ICT third-party service provider: an ICT third-party service provider designated as critical in accordance with Article 31.

    15. essential or important entities: as defined in Article 3 of Directive (EU) 2022/2555.


Crafted with ❤️ by Springflod