Recital 28: DORA as lex specialis and forwarding of incident reports


Regulation (EU) 2022/2554 of the European Parliament and of the Council (10) should be considered to be a sector-specific Union legal act in relation to this Directive with regard to financial entities. The provisions of Regulation (EU) 2022/2554 relating to information and communication technology (ICT) risk management, management of ICT-related incidents and, in particular, major ICT-related incident reporting, as well as on digital operational resilience testing, information-sharing arrangements and ICT third-party risk should apply instead of those provided for in this Directive.
Member States should therefore not apply the provisions of this Directive on cybersecurity risk-management and reporting obligations, and supervision and enforcement, to financial entities covered by Regulation (EU) 2022/2554. At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under this Directive. To that end, Regulation (EU) 2022/2554 allows the European Supervisory Authorities (ESAs) and the competent authorities under that Regulation to participate in the activities of the Cooperation Group and to exchange information and cooperate with the single points of contact, as well as with the CSIRTs and the competent authorities under this Directive. The competent authorities under Regulation (EU) 2022/2554 should also transmit details of major ICT-related incidents and, where relevant, significant cyber threats to the CSIRTs, the competent authorities or the single points of contact under this Directive.
This is achievable by providing immediate access to incident notifications and forwarding them either directly or through a single entry point. Moreover, Member States should continue to include the financial sector in their cybersecurity strategies and CSIRTs can cover the financial sector in their activities.

(10) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (see page 1 of this Official Journal).

Terms used in this recital, as defined in Regulation (EU) 2022/2554 (DORA) unless otherwise stated:

financial entities: the entities listed in Article 2, points (a) to (t), of Regulation (EU) 2022/2554.
ICT risk: the potential for loss or disruption caused by an incident, expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.
ICT-related incident: a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.
major ICT-related incident: an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.
digital operational resilience testing: the testing programme required under Article 24 of Regulation (EU) 2022/2554.
ICT third-party risk: an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements.
competent authorities (under Regulation (EU) 2022/2554): the authorities designated under Article 46 of that Regulation.
ESAs: the European Supervisory Authorities.
CSIRTs: computer security incident response teams.
cybersecurity: as defined in Article 2, point (1), of Regulation (EU) 2019/881.
incident: as defined in Article 6, point (6), of Directive (EU) 2022/2555.
significant cyber threat: a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity's services by causing considerable material or non-material damage.

Crafted with ❤️ by Springflod