EP negotiators agreed with the Council on new uniform rules for ICT risk management, reporting major ICT-related incidents, resilience testing and sound monitoring of ICT third-party risk.
The new rules primarily aim to harmonise and strengthen the digital operational resilience requirements across the financial services sector, such as the requirements to protect against, detect, contain, recover from and repair information and communication technology (ICT)-related incidents. These requirements would be paired with reporting and digital testing capabilities.
The rules would apply to financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms and crypto-asset service providers, and to ICT third-party service providers.
Co-legislators have provisionally agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.
Risk preparedness, reporting of major ICT-related incidents and testing
MEPs ensured that the ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. Negotiators agreed that ICT risk management requirements should not prevent financial entities from innovating when they have to deal with digital operational resilience issues.
Regarding financial entities’ cybersecurity preparedness, negotiators agreed that both internal and external tests have a role to play in advanced testing; therefore one in three tests should be done by an external provider.
In order to achieve a robust ICT-related incident reporting regime for financial entities with less administrative burden and no reporting overlaps, negotiators agreed that they should report to their competent authorities in a centralised and harmonised manner. They allowed for flexible timelines on ICT-related incident reporting, provided that there is a justification for deviating from the timeline.
MEPs also ensured that establishing a single EU Hub for the reporting of major ICT-related incidents will be explored within two years.
Oversight of ICT third-party risk
Financial entities may only enter into a contract with ICT service providers that have appropriate, up-to-date security standards. MEPs stressed that ICT third-party service providers are crucial to the functioning of the financial sector and should therefore be properly overseen at EU level. Negotiators agreed that critical ICT third-party service providers established in a third country should have a subsidiary in the EU, and that the European supervisory authorities (ESAs) should be informed of any change to its management structure.
MEPs insisted on a review of the functioning and effectiveness of the Joint Oversight Network within five years, to ensure that oversight by the Lead Overseers is consistent (each of the ESAs could be designated as a Lead Overseer for a critical ICT third-party service provider) and that the exchange of information within the oversight framework is efficient.
Finally, negotiators agreed that the rules should apply 24 months after they enter into force.
Additionally, negotiators agreed to carry on with technical work on amendments that bring legal clarity and consistency to existing EU financial services rules, and to ensure that the rules in the regulation and the directive are aligned with each other.
ECON
© European Parliament