DECISION (EU) 2016/188 OF THE EUROPEAN CENTRAL BANK
of 11 December 2015
on the access and use of SSM electronic applications, systems, platforms and services by the European Central Bank and the national competent authorities of the Single Supervisory Mechanism (ECB/2015/47)
THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127(6) and Article 132 thereof,
Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 34 thereof,
Having regard to Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions(1), and in particular Article 6(1) in conjunction with Article 6(7) thereof,
Having regard to the proposal from the Supervisory Board and in consultation with the national competent authorities,
Whereas:
(1) For the performance of the specific tasks concerning policies relating to the prudential supervision of credit institutions, as conferred on the European Central Bank (ECB) by Regulation (EU) No 1024/2013, the ECB uses the European System of Central Banks (ESCB) and Eurosystem electronic applications, systems, platforms and services, as well as the new electronic applications, systems, platforms and services specific for carrying out the tasks entrusted to the ECB pursuant to Regulation (EU) No 1024/2013 on the basis of Article 127(6) of the Treaty and Article 25.2 of the Statute of the European System of Central Banks and of the European Central Bank.
(2) It is necessary for the smooth, effective and consistent functioning of the Single Supervisory Mechanism (SSM) that practical arrangements for the cooperation between the ECB and the national competent authorities (NCAs) within the SSM include arrangements for the use of such electronic applications, systems, platforms and services that are necessary for the fulfilment of their responsibilities under Regulation (EU) No 1024/2013.
(3) The public key infrastructure for the European System of Central Banks (hereinafter the ‘ESCB-PKI’) was established in Decision ECB/2013/1(2). Pursuant to Article 3(1) of Decision ECB/2013/1, ESCB and Eurosystem electronic applications, systems, platforms and services with medium or above medium criticality should only be accessed and used if a user has been authenticated by means of an electronic certificate issued and managed by a certification authority accepted by the ESCB in accordance with the ESCB/SSM certificate acceptance framework, or by the ESCB-PKI certification authority or by certification authorities accepted by the ESCB for TARGET2 and TARGET2 Securities for those two applications.
(4) The Governing Council has identified a need for advanced information security services, such as strong authentication, electronic signatures and encryption, through the use of electronic certificates for the electronic applications, systems, platforms and services that are necessary for the fulfilment of the ECB's and NCAs' responsibilities, as competent authorities within the SSM, under Regulation (EU) No 1024/2013. Hence, certificates issued by the ESCB-PKI may be used to access and use electronic applications, systems, platforms and services used for the functioning of the SSM.
(5) The ECB and the NCAs of the SSM may decide to use certificates and services provided by the ESCB-PKI to access and use SSM electronic applications, systems, platforms and services,
HAS ADOPTED THIS DECISION:
Article 1
Definitions
For the purposes of this Decision:
1.
‘national competent authority’ (NCA) means a national competent authority designated by a participating Member State in accordance with Article 2(2) of Regulation (EU) No 1024/2013. This meaning is without prejudice to arrangements under national law that assign certain supervisory tasks to a national central bank (NCB) that is not designated as an NCA. With regard to such arrangements, a reference to an NCA in this Decision shall also refer to the NCB in respect of the supervisory tasks assigned to it by national law;
2.
‘competent authority’ means either an NCA or the ECB;
3.
‘ESCB and Eurosystem electronic applications, systems, platforms and services’, ‘certificate’ or ‘electronic certificate’, ‘ESCB-PKI certification authority’, ‘registration authority’, ‘user’, ‘Eurosystem central bank’, and ‘relying party’ have the meanings defined in Article 1 of Decision ECB/2013/1;
4.
‘SSM electronic applications, systems, platforms and services’ means electronic applications, systems, platforms and services that are used for the fulfilment of the ECB's and NCAs' responsibilities under Regulation (EU) No 1024/2013;
5.
‘ESCB/SSM certificate acceptance framework’ means the criteria established by the ESCB Information Technology Committee to identify the certification authorities, both internal and external to the ESCB, which can be trusted in relation to ESCB and Eurosystem electronic applications, systems, platforms and services and in relation to SSM electronic applications, systems, platforms and services.
Article 2
Use of and access to SSM electronic applications, systems, platforms and services
1. SSM electronic applications, systems, platforms and services with medium or above medium criticality shall only be accessed and used if a user has been authenticated by means of an electronic certificate issued and managed by a certification authority accepted in accordance with the ESCB/SSM certificate acceptance framework, including by the ESCB-PKI certification authority.
2. The ESCB-PKI certification authority shall issue electronic certificates and provide other certification services to the competent authorities participating in the ESCB-PKI pursuant to Article 3 for their certificate subscribers and for the certificate subscribers of third parties working with them to enable them to securely access and use SSM electronic applications, systems, platforms and services.
3. A relying party may rely upon such certificates under the conditions laid down in Article 8 of Decision ECB/2013/1.
Article 3
Participation of the competent authorities in relation to the ESCB-PKI
1. A competent authority may decide to use ESCB-PKI services in order to access and use SSM electronic applications, systems, platforms and services and/or may act for that purpose as registration authority for its internal users as well as for third party users, under the same conditions as those applying to Eurosystem central banks.
2. The participating competent authority shall be subject to the obligations set out in Articles 6, 7 and 12 of Decision ECB/2013/1 and shall submit a declaration to the Governing Council by which it confirms its participation and compliance with the obligations laid down in the Level 2 — Level 3 Agreement referred to in Article 4(2) of that Decision.
Article 4
Entry into force
This Decision shall enter into force on the third day following that of its publication in the
Official Journal of the European Union
.
Done at Frankfurt am Main, 11 December 2015.
The President of the ECB
Mario DRAGHI
(1)
OJ L 287, 29.10.2013, p. 63
.
(2) Decision ECB/2013/1 of the European Central Bank of 11 January 2013 laying down the framework for a public key infrastructure for the European System of Central Banks (
OJ L 74, 16.3.2013, p. 30
).
Feedback