Recital 38

Complex governance arrangements for non-micro financial entities


As larger financial entitiesas defined in Article 2, points (a) to (t) might enjoy wider resources and can swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entitiesas defined in Article 2, points (a) to (t) that are not microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providersan undertaking providing ICT services or for dealing with crisis management, to organise their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management according to the three lines of defence model, or to set up an internal risk management and control model, and to submit their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework to internal audits.