Recital 42

Simplified ICT risk management for small financial entities


Under sector-specific Union law, some financial entities are subject to lighter requirements or exemptions for reasons associated with their size or the services they provide. That category of financial entities includes small and non-interconnected investment firms, small institutions for occupational retirement provision which may be excluded from the scope of Directive (EU) 2016/2341 under the conditions laid down in Article 5 of that Directive by the Member State concerned and operate pension schemes which together do not have more than 100 members in total, as well as institutions exempted pursuant to Directive 2013/36/EU. Therefore, in accordance with the principle of proportionality and to preserve the spirit of sector-specific Union law, it is also appropriate to subject those financial entities to a simplified ICT risk management framework under this Regulation.

The proportionate character of the ICT risk management framework covering those financial entities should not be altered by the regulatory technical standards that are to be developed by the ESAs. Moreover, in accordance with the principle of proportionality, it is appropriate to also subject payment institutions referred to in Article 32(1) of Directive (EU) 2015/2366 and electronic money institutions referred to in Article 9 of Directive 2009/110/EC exempted in accordance with national law transposing those Union legal acts to a simplified ICT risk management framework under this Regulation, while payment institutions and electronic money institutions which have not been exempted in accordance with their respective national law transposing sectoral Union law should comply with the general framework laid down by this Regulation.