Chapter II - ICT risk management
Article 5 - Governance and organisation
Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
Article 6 - ICT risk management framework
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities' audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
Article 8 - Identification
Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.
Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.
Article 10 - Detection
Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.
Article 11 - Response and recovery
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.
As part of their comprehensive ICT risk management, financial entities shall:
For the purposes of the first subparagraph, point (a), financial entities, other than microenterprises, shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.
Financial entities, other than microenterprises, shall have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, shall, inter alia, set out clear procedures to manage internal and external crisis communications in accordance with Article 14.
Central securities depositories shall provide the competent authorities with copies of the results of the ICT business continuity tests, or of similar exercises.
Financial entities, other than microenterprises, shall report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents.
Article 12 - Backup policies and procedures, restoration and recovery procedures and methods
When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary.
For central counterparties, the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date.
Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times.
Financial entities, other than microenterprises, shall maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs. Microenterprises shall assess the need to maintain such redundant ICT capacities based on their risk profile.
Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.
The secondary processing site shall be:
Article 13 - Learning and evolving
Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities the changes that were implemented following post ICT-related incident reviews as referred to in the first subparagraph.
The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks.
Article 16 - Simplified ICT risk management framework
Articles 5 to 15 of this Regulation shall not apply to small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.
Without prejudice to the first subparagraph, the entities listed in the first subparagraph shall:
Chapter III - ICT-related incident management, classification and reporting
Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 46 in accordance with paragraph 4 of this Article.
Where a financial entity is subject to supervision by more than one national competent authority referred to in Article 46, Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit that report to the ECB.
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.
The initial notification and reports referred to in paragraph 4 shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.
Without prejudice to the reporting pursuant to the first subparagraph by the financial entity to the relevant competent authority, Member States may additionally determine that some or all financial entities shall also provide the initial notification and each report referred to in paragraph 4 of this Article using the templates referred to in Article 20 to the competent authorities or the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555.
Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. The relevant competent authority may provide such information to other relevant authorities referred to in paragraph 6.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, may, on a voluntary basis, notify significant cyber threats to the relevant national competent authority, designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit the notification to the ECB.
Member States may determine that those financial entities that on a voluntary basis notify in accordance with the first subparagraph may also transmit that notification to the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.
Chapter IV - Digital operational resilience testing
Article 24 - General requirements for the performance of digital operational resilience testing
For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.
When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2), duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
Financial entities, other than microenterprises, shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
Article 25 - Testing of ICT tools and systems
Central securities depositoriesmeans a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014; and central counterpartiesmeans a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012; shall perform vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entity.
Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
Defined terms: 'information asset' means a collection of information, either tangible or intangible, that is worth protecting.
Chapter IV - Digital operational resilience testing
Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT
Financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.
Defined terms: 'TLPT' (threat-led penetration testing) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems; 'competent authority' means a competent authority as defined in Article 46.
Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27. When financial entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests.
Credit institutions that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013 shall only use external testers in accordance with Article 27(1), points (a) to (e).
Defined terms: 'credit institution' means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32).
Competent authorities shall identify financial entities that are required to perform TLPT taking into account the criteria set out in Article 4(2), based on an assessment of the following:
Chapter V - Managing of ICT third-party risk
Article 28 - General principles
As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable.
Defined terms: 'ICT risk' means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; 'ICT third-party risk' means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements.
The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis.
Defined terms: 'ICT third-party service provider' means an undertaking providing ICT services.
The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
Defined terms: 'management body' means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law.
Chapter V - Managing of ICT third-party risk
Article 30 - Key contractual provisions
The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:
By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.