Recital 21

Baseline requirements with proportional application and supervision


In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk.
The digital operational resilience baseline for financial entities should be increased while also allowing for a proportionate application of requirements for certain financial entities, particularly microenterprises, as well as financial entities subject to a simplified ICT risk management framework.
To facilitate an efficient supervision of institutions for occupational retirement provision that is proportionate and addresses the need to reduce administrative burdens on the competent authorities, the relevant national supervisory arrangements in respect of such financial entities should take into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations even when the relevant thresholds established in Article 5 of Directive (EU) 2016/2341 of the European Parliament and of the Council (10) are exceeded. In particular, supervisory activities should focus primarily on the need to address serious risks associated with the ICT risk management of a particular entity.
Competent authorities should also maintain a vigilant but proportionate approach in relation to the supervision of institutions for occupational retirement provision which, in accordance with Article 31 of Directive (EU) 2016/2341, outsource a significant part of their core business, such as asset management, actuarial calculations, accounting and data management, to service providers.

(10) Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37).