Article 62

Amendments to Regulation (EU) No 600/2014


TL;DR The Digital Operational Resilience Act from the European Union (EU) amends Regulation (EU) No 600/2014 by changing Articles 27g, 27h and 27i. These amendments require APAs, CTPs and ARMs to comply with the security requirements for network and information systems set out in Regulation (EU) 2022/2554. In addition, each article sets out concrete organisational requirements for compliance which each entity must adhere to.

Regulation (EU) No 600/2014 is amended as follows:

  1. Article 27g is amended as follows:

    1. paragraph 4 is replaced by the following:

      ‘4. An APA shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council (4).
      _____________
      (4) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;

    2. in paragraph 8, point (c) is replaced by the following:

      ‘(c) the concrete organisational requirements laid down in paragraphs 3 and 5.’;

  2. Article 27h is amended as follows:

    1. paragraph 5 is replaced by the following:

      ‘5. A CTP shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’.

    2. in paragraph 8, point (e) is replaced by the following:

      ‘(e) the concrete organisational requirements laid down in paragraph 4.’;

  3. Article 27i is amended as follows:

    1. paragraph 3 is replaced by the following:

      ‘3. An ARM shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’;

    2. in paragraph 5, point (b) is replaced by the following:

      ‘(b) the concrete organisational requirements laid down in paragraphs 2 and 4.’.