Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 Dec... (32022R2554)
CONTENTS
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
- REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
- of 14 December 2022
- on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
- (Text with EEA relevance)
- CHAPTER I
- General provisions
- Article 1
- Subject matter
- Article 2
- Scope
- Article 3
- Definitions
- Article 4
- Proportionality principle
- CHAPTER II
- ICT risk management
- Section I
- Article 5
- Governance and organisation
- Section II
- Article 6
- ICT risk management framework
- Article 7
- ICT systems, protocols and tools
- Article 8
- Identification
- Article 9
- Protection and prevention
- Article 10
- Detection
- Article 11
- Response and recovery
- Article 12
- Backup policies and procedures, restoration and recovery procedures and methods
- Article 13
- Learning and evolving
- Article 14
- Communication
- Article 15
- Further harmonisation of ICT risk management tools, methods, processes and policies
- Article 16
- Simplified ICT risk management framework
- CHAPTER III
- ICT-related incident management, classification and reporting
- Article 17
- ICT-related incident management process
- Article 18
- Classification of ICT-related incidents and cyber threats
- Article 19
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
- Article 20
- Harmonisation of reporting content and templates
- Article 21
- Centralisation of reporting of major ICT-related incidents
- Article 22
- Supervisory feedback
- Article 23
- Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
- CHAPTER IV
- Digital operational resilience testing
- Article 24
- General requirements for the performance of digital operational resilience testing
- Article 25
- Testing of ICT tools and systems
- Article 26
- Advanced testing of ICT tools, systems and processes based on TLPT
- Article 27
- Requirements for testers for the carrying out of TLPT
- CHAPTER V
- Managing of ICT third-party risk
- Section I
- Key principles for a sound management of ICT third-party risk
- Article 28
- General principles
- Article 29
- Preliminary assessment of ICT concentration risk at entity level
- Article 30
- Key contractual provisions
- Section II
- Oversight Framework of critical ICT third-party service providers
- Article 31
- Designation of critical ICT third-party service providers
- Article 32
- Structure of the Oversight Framework
- Article 33
- Tasks of the Lead Overseer
- Article 34
- Operational coordination between Lead Overseers
- Article 35
- Powers of the Lead Overseer
- Article 36
- Exercise of the powers of the Lead Overseer outside the Union
- Article 37
- Request for information
- Article 38
- General investigations
- Article 39
- Inspections
- Article 40
- Ongoing oversight
- Article 41
- Harmonisation of conditions enabling the conduct of the oversight activities
- Article 42
- Follow-up by competent authorities
- Article 43
- Oversight fees
- Article 44
- International cooperation
- CHAPTER VI
- Information-sharing arrangements
- Article 45
- Information-sharing arrangements on cyber threat information and intelligence
- CHAPTER VII
- Competent authorities
- Article 46
- Competent authorities
- Article 47
- Cooperation with structures and authorities established by Directive (EU) 2022/2555
- Article 48
- Cooperation between authorities
- Article 49
- Financial cross-sector exercises, communication and cooperation
- Article 50
- Administrative penalties and remedial measures
- Article 51
- Exercise of the power to impose administrative penalties and remedial measures
- Article 52
- Criminal penalties
- Article 53
- Notification duties
- Article 54
- Publication of administrative penalties
- Article 55
- Professional secrecy
- Article 56
- Data protection
- CHAPTER VIII
- Delegated acts
- Article 57
- Exercise of the delegation
- CHAPTER IX
- Transitional and final provisions
- Section I
- Article 58
- Review clause
- Section II
- Amendments
- Article 59
- Amendments to Regulation (EC) No 1060/2009
- Article 60
- Amendments to Regulation (EU) No 648/2012
- Article 61
- Amendments to Regulation (EU) No 909/2014
- Article 62
- Amendments to Regulation (EU) No 600/2014
- Article 63
- Amendment to Regulation (EU) 2016/1011
- Article 64
- Entry into force and application