Source: OJ L 333, 27.12.2022, p. 1–79
Recital 38 Complex governance arrangements for non-micro financial entities
As larger financial entities might enjoy wider resources and can swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities that are not microenterprises in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers or for dealing with crisis management, to organise their ICT risk management according to the three lines of defence model, or to set up an internal risk management and control model, and to submit their ICT risk management framework to internal audits.