Article 1
Subject matter
TL;DR
This Regulation lays down uniform requirements for the security of the network and information systems that support the business processes of financial entities. These requirements cover areas such as ICT risk management, reporting of major incidents, digital operational resilience testing and information sharing in relation to cyber threats and vulnerabilities. It also creates a framework for rules on cooperation among, and supervision of financial entities by, competent authorities. For financial entities identified as essential or important entities under national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation counts as a sector-specific Union legal act. It does not affect Member States' responsibility for essential State functions concerning public security, defence and national security.
In order to achieve a high common level of digital operational resilience (the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions), this Regulation lays down uniform requirements concerning the security of network and information systems (as defined in Article 6, point 2, of Directive (EU) 2022/2555) supporting the business processes of financial entities (as defined in Article 2, points (a) to (t)) as follows:
- requirements applicable to financial entities in relation to:
  - reporting of major ICT-related incidents (an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity) and notifying, on a voluntary basis, significant cyber threats (a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident) to the competent authorities (as defined in Article 46);
  - reporting of major operational or security payment-related incidents (a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity) to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.