Subject matter

In order to achieve a high common level of digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions, this Regulation lays down uniform requirements concerning the security of network and information systemssecurity of network and information systems as defined in Article 6, point 2, of Directive (EU) 2022/2555 supporting the business processes of financial entitiesas defined in Article 2, points (a) to (t) as follows:

1. requirements applicable to financial entitiesas defined in Article 2, points (a) to (t) in relation to:

   1. information and communication technology (ICT) risk management;

   2. reporting of major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity and notifying, on a voluntary basis, significant cyber threatsa cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident to the competent authoritiesas defined in Article 46;

   3. reporting of major operational or security payment-related incidentsa single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity to the competent authoritiesas defined in Article 46 by financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 2(1), points (a) to (d);

   4. digital operational resilience testingas defined in Article 24;

   5. information and intelligence sharing in relation to cyber threatsas defined in Article 2, point (8), of Regulation (EU) 2019/881 and vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;

   6. measures for the sound management of ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;

2. requirements in relation to the contractual arrangements concluded between ICT third-party service providersan undertaking providing ICT services and financial entitiesas defined in Article 2, points (a) to (t);

3. rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providersan ICT third-party service provider designated as critical in accordance with Article 31 when providing services to financial entitiesas defined in Article 2, points (a) to (t);

4. rules on cooperation among competent authoritiesas defined in Article 46, and rules on supervision and enforcement by competent authoritiesas defined in Article 46 in relation to all matters covered by this Regulation.

In relation to financial entitiesas defined in Article 2, points (a) to (t) identified as essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.

This Regulation is without prejudice to the responsibility of Member States’ regarding essential State functions concerning public security, defence and national security in accordance with Union law.