DORA regulation

In recent years, ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; has attracted the attention of international, Union and national policy makers, regulators and standard-setting bodies in an attempt to enhance digital resilience, set standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 aim to provide competent authoritiesas defined in Article 46 and market operators across various jurisdictions with tools to bolster the resilience of their financial systems. That work has also been driven by the need to duly consider ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; in the context of a highly interconnected global financial system and to seek more consistency of relevant best practices.

Despite Union and national targeted policy and legislative initiatives, ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; continues to pose a challenge to the operational resilience, performance and stability of the Union financial system. The reforms that followed the 2008 financial crisis primarily strengthened the financial resilience of the Union financial sector and aimed to safeguard the competitiveness and stability of the Union from economic, prudential and market conduct perspectives. Although ICT security and digital resilience are part of operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, they have been less in the focus of the post-financial crisis regulatory agenda and have developed in only some areas of the Union’s financial services policy and regulatory landscape, or in only a few Member States.

In its Communication of 8 March 2018 entitled ‘FinTech Action plan: For a more competitive and innovative European financial sector’, the Commission highlighted the paramount importance of making the Union financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, ultimately enabling the effective and smooth provision of financial services across the whole Union, including under situations of stress, while also preserving consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; and market trust and confidence.

In April 2019, the European Supervisory Authority (European Banking Authority), (EBA) established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12)., the European Supervisory Authority (European Insurance and Occupational Pensions Authority), (‘EIOPA’) established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council(⁵)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48). and the European Supervisory Authority (European Securities and Markets Authority), (‘ESMA’) established by Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁶)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84). (known collectively as ‘European Supervisory Authorities’ or ‘ESAsEuropean Supervisory Authority’) jointly issued technical advice calling for a coherent approach to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; in finance and recommending to strengthen, in a proportionate way, the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; of the financial services industry through a sector-specific initiative of the Union.

The Union financial sector is regulated by a Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; and ICT security are not yet fully or consistently harmonised, despite digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; being vital for ensuring financial stability and market integrity in the digital age, and no less important than, for example, common prudential or market conduct standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. The Single Rulebook and system of supervision should therefore be developed to also cover digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;, by strengthening the mandates of competent authoritiesas defined in Article 46 to enable them to supervise the management of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; in the financial sector in order to protect the integrity and efficiency of the internal market, and to facilitate its orderly functioning.

Legislative disparities and uneven national regulatory or supervisory approaches with regard to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; trigger obstacles to the functioning of the internal market in financial services, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entitiesas defined in Article 2, points (a) to (t) operating on a cross-border basis. Competition between the same type of financial entitiesas defined in Article 2, points (a) to (t) operating in different Member States could also be distorted. This is the case, in particular, for areas where Union harmonisation has been very limited, such as digital operational resilience testingas defined in Article 24, or absent, such as the monitoring of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;. Disparities stemming from developments envisaged at national level could generate further obstacles to the functioning of the internal market to the detriment of market participants and financial stability.

To date, due to the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; related provisions being only partially addressed at Union level, there are gaps or overlaps in important areas, such as ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting and digital operational resilience testingas defined in Article 24, and inconsistencies as a result of emerging divergent national rules or cost-ineffective application of overlapping rules. This is particularly detrimental for an ICT-intensive user such as the financial sector since technology risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; have no borders and the financial sector deploys its services on a wide cross-border basis within and outside the Union. Individual financial entitiesas defined in Article 2, points (a) to (t) operating on a cross-border basis or holding several authorisations (e.g. one financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; can have a banking, an investment firm means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;, and a payment institution means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; licence, each issued by a different competent authorityas defined in Article 46 in one or several Member States) face operational challenges in addressing ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and mitigating adverse impacts of ICT incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; on their own and in a coherent cost-effective way.

As the Single Rulebook has not been accompanied by a comprehensive ICT or operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; framework, further harmonisation of key digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; requirements for all financial entitiesas defined in Article 2, points (a) to (t) is required. The development of ICT capabilities and overall resilience by financial entitiesas defined in Article 2, points (a) to (t), based on those key requirements, with a view to withstanding operational outages, would help preserve the stability and integrity of the Union financial markets and thus contribute to ensuring a high level of protection of investors and consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; in the Union. Since this Regulation aims to contribute to the smooth functioning of the internal market, it should be based on the provisions of Article 114 of the Treaty on the Functioning of the European Union (TFEU) as interpreted in accordance with the consistent case law of the Court of Justice of the European Union (Court of Justice).

This Regulation aims to consolidate and upgrade ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; requirements as part of the operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; (e.g. credit risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, market risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, counterparty credit risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and liquidity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, market conduct risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;), they did not comprehensively tackle, at the time of their adoption, all components means software or hardware intended for integration into an electronic information system; of operational resilience. The operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; rules, when further developed in those Union legal acts, often favoured a traditional quantitative approach to addressing risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; (namely setting a capital requirement to cover ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;, or for reporting and digital testing capabilities. Those acts were primarily meant to cover and update essential rules on prudential supervision, market integrity or conduct. By consolidating and upgrading the different rules on ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, all provisions addressing digital risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; in the financial sector should for the first time be brought together in a consistent manner in one single legislative act. Therefore, this Regulation fills in the gaps or remedies inconsistencies in some of the prior legal acts, including in relation to the terminology used therein, and explicitly refers to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; via targeted rules on ICT risk-management capabilities, incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting, operational resilience testing and ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; monitoring. This Regulation should thus also raise awareness of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and acknowledge that ICT incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and a lack of operational resilience have the possibility to jeopardise the soundness of financial entitiesas defined in Article 2, points (a) to (t).

Financial entitiesas defined in Article 2, points (a) to (t) should follow the same approach and the same principle-based rules when addressing ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; taking into account their size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and the nature, scale and complexity of their services, activities and operations. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of high reliance on ICT systems, platforms and infrastructures, which entails increased digital risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Observing basic cyber hygiene should also avoid imposing heavy costs on the economy by minimising the impact and costs of ICT disruptions.

A Regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, and also contributes to limiting compliance costs, especially for financial entitiesas defined in Article 2, points (a) to (t) operating across borders, and to reducing competitive distortions. Therefore, the choice of a Regulation for the establishment of a common framework for the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; of financial entitiesas defined in Article 2, points (a) to (t) is the most appropriate way to guarantee a homogenous and coherent application of all components means software or hardware intended for integration into an electronic information system; of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management by the Union financial sector.

Directive (EU) 2016/1148 of the European Parliament and of the Council(⁷)Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1). was the first horizontal cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; framework enacted at Union level, applying also to three types of financial entitiesas defined in Article 2, points (a) to (t), namely credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., trading venues means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; and central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;. However, since Directive (EU) 2016/1148 set out a mechanism of identification at national level of operators of essential services, only certain credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., trading venues means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; and central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012; that were identified by the Member States, have been brought into its scope in practice, and hence required to comply with the ICT security and incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notification requirements laid down in it. Directive (EU) 2022/2555 of the European Parliament and of the Council(⁸)Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (see page 80 of this Official Journal). sets a uniform criterion to determine the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within its scope of application (size-cap rule) while also keeping the three types of financial entitiesas defined in Article 2, points (a) to (t) in its scope.

However, as this Regulation increases the level of harmonisation of the various digital resilience components means software or hardware intended for integration into an electronic information system;, by introducing requirements on ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management and ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting that are more stringent in comparison to those laid down in the current Union financial services law, this higher level constitutes an increased harmonisation also in comparison with the requirements laid down in Directive (EU) 2022/2555. Consequently, this Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; framework as currently laid out in Directive (EU) 2022/2555 to ensure consistency with the cyber security strategies adopted by Member States and to allow financial supervisors to be made aware of cyber incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting other sectors covered by that Directive.

In accordance with Article 4(2) of the Treaty on European Union and without prejudice to the judicial review by the Court of Justice, this Regulation should not affect the responsibility of Member States with regard to essential State functions concerning public security, defence and the safeguarding of national security, for example concerning the supply of information which would be contrary to the safeguarding of national security.

To enable cross-sector learning and to effectively draw on experiences of other sectors in dealing with cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, the financial entitiesas defined in Article 2, points (a) to (t) referred to in Directive (EU) 2022/2555 should remain part of the ‘ecosystem’ of that Directive (for example, Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and computer security incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response teams (CSIRTscomputer security incident response teams)).The ESAsEuropean Supervisory Authority and national competent authoritiesas defined in Article 46 should be able to participate in the strategic policy discussions and the technical workings of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; under that Directive, and to exchange information and further cooperate with the single points of contact designated or established in accordance with that Directive. The competent authoritiesas defined in Article 46 under this Regulation should also consult and cooperate with the CSIRTscomputer security incident response teams. The competent authoritiesas defined in Article 46 should also be able to request technical advice from the competent authoritiesas defined in Article 46 designated or established in accordance with Directive (EU) 2022/2555 and establish cooperation arrangements that aim to ensure effective and fast-response coordination mechanisms.

Given the strong interlinkages between the digital resilience and the physical resilience of financial entitiesas defined in Article 2, points (a) to (t), a coherent approach with regard to the resilience of critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is necessary in this Regulation and Directive (EU) 2022/2557 of the European Parliament and the Council(⁹)Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (see page 164 of this Official Journal).. Given that the physical resilience of financial entitiesas defined in Article 2, points (a) to (t) is addressed in a comprehensive manner by the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management and reporting obligations covered by this Regulation, the obligations laid down in Chapters III and IV of Directive (EU) 2022/2557 should not apply to financial entitiesas defined in Article 2, points (a) to (t) falling within the scope of that Directive.

Cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers are one category of digital infrastructure covered by Directive (EU) 2022/2555. The Union Oversight Framework (‘Oversight Framework’) established by this Regulation applies to all critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, including cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to financial entitiesas defined in Article 2, points (a) to (t), and should be considered complementary to the supervision carried out pursuant to Directive (EU) 2022/2555. Moreover, the Oversight Framework established by this Regulation should cover cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers in the absence of a Union horizontal framework establishing a digital oversight authority.

In order to maintain full control over ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, financial entitiesas defined in Article 2, points (a) to (t) need to have comprehensive capabilities to enable a strong and effective ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management, as well as specific mechanisms and policies for handling all ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and for reporting major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;. Likewise, financial entitiesas defined in Article 2, points (a) to (t) should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;. The digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; baseline for financial entitiesas defined in Article 2, points (a) to (t) should be increased while also allowing for a proportionate application of requirements for certain financial entitiesas defined in Article 2, points (a) to (t), particularly microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;, as well as financial entitiesas defined in Article 2, points (a) to (t) subject to a simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework. To facilitate an efficient supervision of institutions for occupational retirement provision means an institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341; that is proportionate and addresses the need to reduce administrative burdens on the competent authoritiesas defined in Article 46, the relevant national supervisory arrangements in respect of such financial entitiesas defined in Article 2, points (a) to (t) should take into account their size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and the nature, scale and complexity of their services, activities and operations even when the relevant thresholds established in Article 5 of Directive (EU) 2016/2341 of the European Parliament and of the Council(¹⁰)Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37). are exceeded. In particular, supervisory activities should focus primarily on the need to address serious risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management of a particular entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through the relevant work undertaken by the European Union Agency for Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council(¹¹)Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15). and the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; under Directive (EU) 2022/2555, divergent approaches on setting the thresholds and use of taxonomies still exist, or can emerge, for the remainder of financial entitiesas defined in Article 2, points (a) to (t). Due to those divergences, there are multiple requirements that financial entitiesas defined in Article 2, points (a) to (t) must comply with, especially when operating across several Member States and when part of a financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;. Moreover, such divergences have the potential to hinder the creation of further uniform or centralised Union mechanisms that speed up the reporting process and support a quick and smooth exchange of information between competent authoritiesas defined in Article 46, which is crucial for addressing ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; in the event of large-scale attacks with potentially systemic consequences.

To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entitiesas defined in Article 2, points (a) to (t), the requirement for the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council(¹²)Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35). should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., e-money institutions, payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; and account information service providers means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents means a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity; which have been previously reported pursuant to that Directive, irrespective of whether such incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; are ICT-related.

To enable competent authoritiesas defined in Article 46 to fulfil supervisory roles by acquiring a complete overview of the nature, frequency, significance and impact of ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and to enhance the exchange of information between relevant public authorities means any government or other public administration entity, including national central banks., including law enforcement authorities and resolution authorities, this Regulation should lay down a robust ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting regime whereby the relevant requirements address current gaps in financial services law, and remove existing overlaps and duplications to alleviate costs. It is essential to harmonise the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting regime by requiring all financial entitiesas defined in Article 2, points (a) to (t) to report to their competent authoritiesas defined in Article 46 through a single streamlined framework as set out in this Regulation. In addition, the ESAsEuropean Supervisory Authority should be empowered to further specify relevant elements for the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting framework, such as taxonomy, timeframes, data sets, templates and applicable thresholds. To ensure full consistency with Directive (EU) 2022/2555, financial entitiesas defined in Article 2, points (a) to (t) should be allowed, on a voluntary basis, to notify significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; to the relevant competent authorityas defined in Article 46, when they consider that the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; is of relevance to the financial system, service users or clients.

Digital operational resilience testingas defined in Article 24 requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entitiesas defined in Article 2, points (a) to (t) and makes the mutual recognition of the results of digital operational resilience testingas defined in Article 24 complex which, in turn, can fragment the internal market.

In addition, where no ICT testing is required, vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; remain undetected and result in exposing a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and ultimately create a higher risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the stability and integrity of the financial sector. Without Union intervention, digital operational resilience testingas defined in Article 24 would continue to be inconsistent and would lack a system of mutual recognition of ICT testing results across different jurisdictions. In addition, as it is unlikely that other financial subsectors would adopt testing schemes on a meaningful scale, they would miss out on the potential benefits of a testing framework, in terms of revealing ICT vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, and testing defence capabilities and business continuity, which contributes to increasing the trust of customers, suppliers and business partners. To remedy those overlaps, divergences and gaps, it is necessary to lay down rules for a coordinated testing regime and thereby facilitate the mutual recognition of advanced testing for financial entitiesas defined in Article 2, points (a) to (t) meeting the criteria set out in this Regulation.

Financial entitiesas defined in Article 2, points (a) to (t)’ reliance on the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; is partly driven by their need to adapt to an emerging competitive digital global economy, to boost their business efficiency and to meet consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; demand. The nature and extent of such reliance has been continuously evolving in recent years, driving cost reduction in financial intermediation, enabling business expansion and scalability in the deployment of financial activities while offering a wide range of ICT tools to manage complex internal processes.

The extensive use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; is evidenced by complex contractual arrangements, whereby financial entitiesas defined in Article 2, points (a) to (t) often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). or other regulatory requirements to which they are subject, or otherwise in enforcing specific rights, such as access or audit rights, even when the latter are enshrined in their contractual arrangements. Moreover, many of those contractual arrangements do not provide for sufficient safeguards allowing for the fully-fledged monitoring of subcontracting processes, thus depriving the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of its ability to assess the associated risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. In addition, as ICT third-party service providers means an undertaking providing ICT services; often provide standardised services to different types of clients, such contractual arrangements do not always cater adequately for the individual or specific needs of financial industry actors.

Even though Union financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into Union law. In the absence of clear and bespoke Union standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). applying to the contractual arrangements concluded with ICT third-party service providers means an undertaking providing ICT services;, the external source of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; is not comprehensively addressed. Consequently, it is necessary to set out certain key principles to guide financial entitiesas defined in Article 2, points (a) to (t)’ management of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;, which are of particular importance when financial entitiesas defined in Article 2, points (a) to (t) resort to ICT third-party service providers means an undertaking providing ICT services; to support their critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;. Those principles should be accompanied by a set of core contractual rights in relation to several elements in the performance and termination of contractual arrangements with a view to providing certain minimum safeguards in order to strengthen financial entitiesas defined in Article 2, points (a) to (t)’ ability to effectively monitor all ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; emerging at the level of third-party service providers. Those principles are complementary to the sectoral law applicable to outsourcing.

A certain lack of homogeneity and convergence regarding the monitoring of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; and ICT third-party dependencies is evident today. Despite efforts to address outsourcing, such as EBA Guidelines on outsourcing of 2019 and ESMA Guidelines on outsourcing to cloud service providers of 2021 the broader issue of counteracting systemic risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; is not sufficiently addressed by Union law. The lack of rules at Union level is compounded by the absence of national rules on mandates and tools that allow financial supervisors to acquire a good understanding of ICT third-party dependencies and to monitor adequately risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; arising from the concentration of ICT third-party dependencies.

Taking into account the potential systemic risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; entailed by increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms in providing financial supervisors with adequate tools to quantify, qualify and redress the consequences of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; occurring at critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, it is necessary to establish an appropriate Oversight Framework allowing for a continuous monitoring of the activities of ICT third-party service providers means an undertaking providing ICT services; that are critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; to financial entitiesas defined in Article 2, points (a) to (t), while ensuring that the confidentiality and security of customers other than financial entitiesas defined in Article 2, points (a) to (t) is preserved. While intra-group provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; entails specific risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and benefits, it should not be automatically considered less risky than the provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; by providers outside of a financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and should therefore be subject to the same regulatory framework. However, when ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; are provided from within the same financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, financial entitiesas defined in Article 2, points (a) to (t) might have a higher level of control over intra-group providers, which ought to be taken into account in the overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment.

With ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; becoming more and more complex and sophisticated, good measures for the detection and prevention of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; depend to a great extent on the regular sharing between financial entitiesas defined in Article 2, points (a) to (t) of threat and vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; intelligence. Information sharing contributes to creating increased awareness of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;. In turn, this enhances the capacity of financial entitiesas defined in Article 2, points (a) to (t) to prevent cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; from becoming real ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and enables financial entitiesas defined in Article 2, points (a) to (t) to more effectively contain the impact of ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and to recover faster. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, in particular uncertainty about its compatibility with data protection, anti-trust and liability rules.

In addition, doubts about the type of information that can be shared with other market participants, or with non-supervisory authorities (such as ENISA, for analytical input, or Europol, for law enforcement purposes) lead to useful information being withheld. Therefore, the extent and quality of information sharing currently remains limited and fragmented, with relevant exchanges mostly being local (by way of national initiatives) and with no consistent Union-wide information-sharing arrangements tailored to the needs of an integrated financial system. It is therefore important to strengthen those communication channels.

Financial entitiesas defined in Article 2, points (a) to (t) should be encouraged to exchange among themselves cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; information and intelligence, and to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, by participating in information sharing arrangements. It is therefore necessary to enable the emergence at Union level of mechanisms for voluntary information-sharing arrangements which, when conducted in trusted environments, would help the community of the financial industry to prevent and collectively respond to cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; by quickly limiting the spread of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and impeding potential contagion throughout the financial channels. Those mechanisms should comply with the applicable competition law rules of the Union set out in the Communication from the Commission of 14 January 2011 entitled ‘Guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union to horizontal cooperation agreements’, as well as with Union data protection rules, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council(¹³)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).. They should operate based on the use of one or more of the legal bases that are laid down in Article 6 of that Regulation, such as in the context of the processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; that is necessary for the purposes of the legitimate interest pursued by the controller or by a third party, as referred to in Article 6(1), point (f), of that Regulation, as well as in the context of the processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; necessary for compliance with a legal obligation to which the controller is subject, necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, as referred to in Article 6(1), points (c) and (e), respectively, of that Regulation.

In order to maintain a high level of digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; for the whole financial sector, and at the same time to keep pace with technological developments, this Regulation should address risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from all types of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;. To that end, the definition of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; in the context of this Regulation should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. That definition should, for instance, include so called ‘over the top’ services, which fall within the category of electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;. It should exclude only the limited category of traditional analogue telephone services qualifying as Public Switched Telephone Network (PSTN) services, landline services, Plain Old Telephone Service (POTS), or fixed-line telephone services.

Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; rules should take into account the significant differences between financial entitiesas defined in Article 2, points (a) to (t) in terms of their size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile. As a general principle, when distributing resources and capabilities for the implementation of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework, financial entitiesas defined in Article 2, points (a) to (t) should duly balance their ICT-related needs to their size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and the nature, scale and complexity of their services, activities and operations, while competent authoritiesas defined in Article 46 should continue to assess and review the approach of such distribution.

Account information service providers means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;, referred to in Article 33(1) of Directive (EU) 2015/2366, are explicitly included in the scope of this Regulation, taking into account the specific nature of their activities and the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; arising therefrom. In addition, electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; and payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; exempted pursuant to Article 9(1) of Directive 2009/110/EC of the European Parliament and of the Council(¹⁴)Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7). and Article 32(1) of Directive (EU) 2015/2366 are included in the scope of this Regulation even if they have not been granted authorisation in accordance Directive 2009/110/EC to issue electronic money, or if they have not been granted authorisation in accordance with Directive (EU) 2015/2366 to provide and execute payment services. However, post office giro institutions, referred to in Article 2(5), point (3), of Directive 2013/36/EU of the European Parliament and of the Council(¹⁵)Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338)., are excluded from the scope of this Regulation. The competent authorityas defined in Article 46 for payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; exempted pursuant to Directive (EU) 2015/2366, electronic money institutions exempted pursuant to Directive 2009/110/EC means an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC; and account information service providers means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366; as referred to in Article 33(1) of Directive (EU) 2015/2366, should be the competent authorityas defined in Article 46 designated in accordance with Article 22 of Directive (EU) 2015/2366.

As larger financial entitiesas defined in Article 2, points (a) to (t) might enjoy wider resources and can swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entitiesas defined in Article 2, points (a) to (t) that are not microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers means an undertaking providing ICT services; or for dealing with crisis management, to organise their ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management according to the three lines of defence model, or to set up an internal risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management and control model, and to submit their ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework to internal audits.

Some financial entitiesas defined in Article 2, points (a) to (t) benefit from exemptions or are subject to a very light regulatory framework under the relevant sector-specific Union law. Such financial entitiesas defined in Article 2, points (a) to (t) include managers of alternative investment funds means a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU; referred to in Article 3(2) of Directive 2011/61/EU of the European Parliament and of the Council(¹⁶)Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (OJ L 174, 1.7.2011, p. 1)., insurance and reinsurance undertakings means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC; referred to in Article 4 of Directive 2009/138/EC of the European Parliament and of the Council(¹⁷)Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1)., and institutions for occupational retirement provision means an institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341; which operate pension schemes which together do not have more than 15 members in total. In light of those exemptions it would not be proportionate to include such financial entitiesas defined in Article 2, points (a) to (t) in the scope of this Regulation. In addition, this Regulation acknowledges the specificities of the insurance intermediation market structure, with the result that insurance intermediaries means an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council (^34^); Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19)., reinsurance intermediaries means a reinsurance intermediary as defined in Article 2(1), point (5), of Directive (EU) 2016/97; and ancillary insurance intermediaries means an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97; qualifying as microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; or as small or medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; should not be subject to this Regulation.

Since the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU are excluded from the scope of that Directive, Member States should consequently be able to choose to exempt from the application of this Regulation such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; located within their respective territories.

Similarly, in order to align this Regulation to the scope of Directive 2014/65/EU of the European Parliament and of the Council(¹⁸)Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349)., it is also appropriate to exclude from the scope of this Regulation natural and legal persons referred in Articles 2 and 3 of that Directive which are allowed to provide investment services without having to obtain an authorisation under Directive 2014/65/EU. However, Article 2 of Directive 2014/65/EU also excludes from the scope of that Directive entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which qualify as financial entitiesas defined in Article 2, points (a) to (t) for the purposes of this Regulation such as, central securities depositories means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;, collective investment undertakings or insurance and reinsurance undertakings means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC;. The exclusion from the scope of this Regulation of the persons and entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; referred to in Articles 2 and 3 of that Directive should not encompass those central securities depositories means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;, collective investment undertakings or insurance and reinsurance undertakings means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC;.

Under sector-specific Union law, some financial entitiesas defined in Article 2, points (a) to (t) are subject to lighter requirements or exemptions for reasons associated with their size or the services they provide. That category of financial entitiesas defined in Article 2, points (a) to (t) includes small and non-interconnected investment firms means an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the Council (^33^); Regulation (EU) 2019/2033 of the European Parliament and of the Council of 27 November 2019 on the prudential requirements of investment firms and amending Regulations (EU) No 1093/2010, (EU) No 575/2013, (EU) No 600/2014 and (EU) No 806/2014 (OJ L 314, 5.12.2019, p. 1)., small institutions for occupational retirement provision means an institution for occupational retirement provision which operates pension schemes which together have less than 100 members in total; which may be excluded from the scope of Directive (EU) 2016/2341 under the conditions laid down in Article 5 of that Directive by the Member State concerned and operate pension schemes which together do not have more than 100 members in total, as well as institutions exempted pursuant to Directive 2013/36/EU means an entity as referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU;. Therefore, in accordance with the principle of proportionality and to preserve the spirit of sector-specific Union law, it is also appropriate to subject those financial entitiesas defined in Article 2, points (a) to (t) to a simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework under this Regulation. The proportionate character of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework covering those financial entitiesas defined in Article 2, points (a) to (t) should not be altered by the regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). that are to be developed by the ESAsEuropean Supervisory Authority. Moreover, in accordance with the principle of proportionality, it is appropriate to also subject payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; referred to in Article 32(1) of Directive (EU) 2015/2366 and electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; referred to in Article 9 of Directive 2009/110/EC exempted in accordance with national law transposing those Union legal acts to a simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework under this Regulation, while payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; and electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; which have not been exempted in accordance with their respective national law transposing sectoral Union law should comply with the general framework laid down by this Regulation.

Similarly, financial entitiesas defined in Article 2, points (a) to (t) which qualify as microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; or are subject to the simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework under this Regulation should not be required to establish a role to monitor their arrangements concluded with ICT third-party service providers means an undertaking providing ICT services; on the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;; or to designate a member of senior management to be responsible for overseeing the related risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; exposure and relevant documentation; to assign the responsibility for managing and overseeing ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest; to document and review at least once a year the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework; to subject to internal audit on a regular basis the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework; to perform in-depth assessments after major changes in their network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; infrastructures and processes; to regularly conduct risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; analyses on legacy ICT systems means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity;; to subject the implementation of the ICT Response and Recovery plans to independent internal audit reviews; to have a crisis management function, to expand the testing of business continuity and response and recovery plans to capture switchover scenarios between primary ICT infrastructure and redundant facilities; to report to competent authoritiesas defined in Article 46, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;, to maintain redundant ICT capacities; to communicate to national competent authoritiesas defined in Article 46 implemented changes following post ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reviews; to monitor on a continuous basis relevant technological developments, to establish a comprehensive digital operational resilience testingas defined in Article 24 programme as an integral part of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework provided for in this Regulation, or to adopt and regularly review a strategy on ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;. In addition, microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; should only be required to assess the need to maintain such redundant ICT capacities based on their risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile. Microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; should benefit from a more flexible regime as regards digital operational resilience testingas defined in Article 24 programmes. When considering the type and frequency of testing to be performed, they should properly balance the objective of maintaining a high digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;, the available resources and their overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile. Microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and financial entitiesas defined in Article 2, points (a) to (t) subject to the simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework under this Regulation should be exempted from the requirement to perform advanced testing of ICT tools, systems and processes based on threat-led penetration testinga framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems (TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems), as only financial entitiesas defined in Article 2, points (a) to (t) meeting the criteria set out in this Regulation should be required to carry out such testing. In light of their limited capabilities, microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; should be able to agree with the ICT third-party service provider means an undertaking providing ICT services; to delegate the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s rights of access, inspection and audit to an independent third-party, to be appointed by the ICT third-party service provider means an undertaking providing ICT services;, provided that the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is able to request, at any time, all relevant information and assurance on the ICT third-party service provider means an undertaking providing ICT services;’s performance from the respective independent third-party.

As only those financial entitiesas defined in Article 2, points (a) to (t) identified for the purposes of the advanced digital resilience testing should be required to conduct threat-led penetration tests, the administrative processes and financial costs entailed in the performance of such tests should be borne by a small percentage of financial entitiesas defined in Article 2, points (a) to (t).

To ensure full alignment and overall consistency between financial entitiesas defined in Article 2, points (a) to (t)’ business strategies, on the one hand, and the conduct of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management, on the other hand, the financial entitiesas defined in Article 2, points (a) to (t)’ management bodies means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). should be required to maintain a pivotal and active role in steering and adapting the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework and the overall digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; strategy. The approach to be taken by management bodies means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and a commitment to observe a strict cyber hygiene at all levels. The ultimate responsibility of the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). in managing a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). in the control of the monitoring of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management.

Moreover, the principle of the management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32).’s full and ultimate responsibility for the management of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; goes hand in hand with the need to secure a level of ICT-related investments and an overall budget for the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that would enable the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to achieve a high level of digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;.

Inspired by relevant international, national and industry best practices, guidelines, recommendations and approaches to the management of cyber risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, this Regulation promotes a set of principles that facilitate the overall structure of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management. Consequently, as long as the main capabilities which financial entitiesas defined in Article 2, points (a) to (t) put in place address the various functions in the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication) set out in this Regulation, financial entitiesas defined in Article 2, points (a) to (t) should remain free to use ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management models that are differently framed or categorised.

To keep pace with an evolving cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; landscape, financial entitiesas defined in Article 2, points (a) to (t) should maintain updated ICT systems that are reliable and capable, not only for guaranteeing the processing of data required for their services, but also for ensuring sufficient technological resilience to allow them to deal adequately with additional processing needs due to stressed market conditions or other adverse situations.

Efficient business continuity and recovery plans are necessary to allow financial entitiesas defined in Article 2, points (a) to (t) to promptly and quickly resolve ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;, in particular cyber-attacks means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset;, by limiting damage and giving priority to the resumption of activities and recovery actions in accordance with their back-up policies. However, such resumption should in no way jeopardise the integrity and security of the network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; or the availability, authenticity, integrity or confidentiality of data.

While this Regulation allows financial entitiesas defined in Article 2, points (a) to (t) to determine their recovery time and recovery point objectives in a flexible manner and hence to set such objectives by fully taking into account the nature and the criticality of the relevant functions and any specific business needs, it should nevertheless require them to carry out an assessment of the potential overall impact on market efficiency when determining such objectives.

The propagators of cyber-attacks means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset; tend to pursue financial gains directly at the source, thus exposing financial entitiesas defined in Article 2, points (a) to (t) to significant consequences. To prevent ICT systems from losing integrity or becoming unavailable, and hence to avoid data breaches and damage to physical ICT infrastructure, the reporting of major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; by financial entitiesas defined in Article 2, points (a) to (t) should be significantly improved and streamlined. ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting should be harmonised through the introduction of a requirement for all financial entitiesas defined in Article 2, points (a) to (t) to report directly to their relevant competent authoritiesas defined in Article 46. Where a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is subject to supervision by more than one national competent authorityas defined in Article 46, Member States should designate a single competent authorityas defined in Article 46 as the addressee of such reporting. Credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). classified as significant in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013(¹⁹)Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63). should submit such reporting to the national competent authoritiesas defined in Article 46, which should subsequently transmit the report to the European Central Bank (ECB).

The direct reporting should enable financial supervisors to have immediate access to information about major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;. Financial supervisors should in turn pass on details of major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; to public non-financial authorities (such as competent authoritiesas defined in Article 46 and single points of contact under Directive (EU) 2022/2555, national data protection authorities, and to law enforcement authorities for major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; of a criminal nature) in order to enhance such authorities awareness of such incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and, in the case of CSIRTscomputer security incident response teams, to facilitate prompt assistance that may be given to financial entitiesas defined in Article 2, points (a) to (t), as appropriate. Member States should, in addition, be able to determine that financial entitiesas defined in Article 2, points (a) to (t) themselves should provide such information to public authorities means any government or other public administration entity, including national central banks. outside the financial services area. Those information flows should allow financial entitiesas defined in Article 2, points (a) to (t) to swiftly benefit from any relevant technical input, advice about remedies, and subsequent follow-up from such authorities. The information on major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; should be mutually channelled: financial supervisors should provide all necessary feedback or guidance to the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, while the ESAsEuropean Supervisory Authority should share anonymised data on cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; relating to an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, to aid wider collective defence.

While all financial entitiesas defined in Article 2, points (a) to (t) should be required to carry out incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting, that requirement is not expected to affect all of them in the same manner. Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted, in the context of delegated acts based on the regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). to be developed by the ESAsEuropean Supervisory Authority, with a view to covering only major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;. In addition, the specificities of financial entitiesas defined in Article 2, points (a) to (t) should be taken into account when setting timelines for reporting obligations.

This Regulation should require credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;, account information service providers means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366; and electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; to report all operational or security payment-related incidents means a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity; – previously reported under Directive (EU) 2015/2366 – irrespective of the ICT nature of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

The ESAsEuropean Supervisory Authority should be tasked with assessing the feasibility and conditions for a possible centralisation of ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reports at Union level. Such centralisation could consist of a single EU Hub for major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; reporting either directly receiving relevant reports and automatically notifying national competent authoritiesas defined in Article 46, or merely centralising relevant reports forwarded by the national competent authoritiesas defined in Article 46 and thus fulfilling a coordination role. The ESAsEuropean Supervisory Authority should be tasked with preparing, in consultation with the ECB and ENISA, a joint report exploring the feasibility of setting up a single EU Hub.

In order to achieve a high level of digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;, and in line with both the relevant international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testinga framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems) and with the frameworks applied in the Union, such as the TIBER-EU, financial entitiesas defined in Article 2, points (a) to (t) should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;. To reflect differences that exist across, and within, the various financial subsectors as regards financial entitiesas defined in Article 2, points (a) to (t)’ level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software means the part of an electronic information system which consists of computer code; solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Such advanced testing should be required only of financial entitiesas defined in Article 2, points (a) to (t) that are mature enough from an ICT perspective to reasonably carry it out. The digital operational resilience testingas defined in Article 24 required by this Regulation should thus be more demanding for those financial entitiesas defined in Article 2, points (a) to (t) meeting the criteria set out in this Regulation (for example, large, systemic and ICT-mature credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., stock exchanges, central securities depositories means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014; and central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;) than for other financial entitiesas defined in Article 2, points (a) to (t). At the same time, the digital operational resilience testingas defined in Article 24 by means of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems should be more relevant for financial entitiesas defined in Article 2, points (a) to (t) operating in core financial services subsectors and playing a systemic role (for example, payments, banking, and clearing and settlement), and less relevant for other subsectors (for example, asset managers and credit rating agencies means a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009;).

Financial entitiesas defined in Article 2, points (a) to (t) involved in cross-border activities and exercising the freedoms of establishment, or of provision of services within the Union, should comply with a single set of advanced testing requirements (i.e. TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems) in their home Member State, which should include the ICT infrastructures in all jurisdictions where the cross-border financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; operates within the Union, thus allowing such cross-border financial groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; to incur related ICT testing costs in one jurisdiction only.

To draw on the expertise already acquired by certain competent authoritiesas defined in Article 46, in particular with regard to implementing the TIBER-EU framework, this Regulation should allow Member States to designate a single public authority means any government or other public administration entity, including national central banks. as responsible in the financial sector, at national level, for all TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems matters, or competent authoritiesas defined in Article 46, to delegate, in the absence of such designation, the exercise of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems related tasks to another national financial competent authorityas defined in Article 46.

Since this Regulation does not require financial entitiesas defined in Article 2, points (a) to (t) to cover all critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; in one single threat-led penetration test, financial entitiesas defined in Article 2, points (a) to (t) should be free to determine which and how many critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; should be included in the scope of such a test.

Pooled testing within the meaning of this Regulation – involving the participation of several financial entitiesas defined in Article 2, points (a) to (t) in a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems and for which an ICT third-party service provider means an undertaking providing ICT services; can directly enter into contractual arrangements with an external tester – should be allowed only where the quality or security of services delivered by the ICT third-party service provider means an undertaking providing ICT services; to customers that are entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling outside the scope of this Regulation, or the confidentiality of the data related to such services, are reasonably expected to be adversely impacted. Pooled testing should also be subject to safeguards (direction by one designated financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, calibration of the number of participating financial entitiesas defined in Article 2, points (a) to (t)) to ensure a rigorous testing exercise for the financial entitiesas defined in Article 2, points (a) to (t) involved which meet the objectives of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems pursuant to this Regulation.

In order to take advantage of internal resources available at corporate level, this Regulation should allow the use of internal testers for the purposes of carrying out TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, provided there is supervisory approval, no conflicts of interest, and periodical alternation of the use of internal and external testers (every three tests), while also requiring the provider of the threat intelligence means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems to always be external to the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. The responsibility for conducting TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems should remain fully with the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Attestations provided by authorities should be solely for the purpose of mutual recognition and should not preclude any follow-up action needed to address the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; to which the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is exposed, nor should they be seen as a supervisory endorsement of a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management and mitigation capabilities.

To ensure a sound monitoring of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; in the financial sector, it is necessary to lay down a set of principle-based rules to guide financial entitiesas defined in Article 2, points (a) to (t)’ when monitoring risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; arising in the context of functions outsourced to ICT third-party service providers means an undertaking providing ICT services;, particularly for ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, as well as more generally in the context of all ICT third-party dependencies.

To address the complexity of the various sources of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, while taking into account the multitude and diversity of providers of technological solutions which enable a smooth provision of financial services, this Regulation should cover a wide range of ICT third-party service providers means an undertaking providing ICT services;, including providers of cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;, software means the part of an electronic information system which consists of computer code;, data analytics services and providers of data centre services means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control;. Similarly, since financial entitiesas defined in Article 2, points (a) to (t) should effectively and coherently identify and manage all types of risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including in the context of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; procured within a financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, it should be clarified that undertakings which are part of a financial group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and provide ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; predominantly to their parent undertaking means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU;, or to subsidiaries means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; or branches of their parent undertaking means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU;, as well as financial entitiesas defined in Article 2, points (a) to (t) providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to other financial entitiesas defined in Article 2, points (a) to (t), should also be considered as ICT third-party service providers means an undertaking providing ICT services; under this Regulation. Lastly, in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers means an undertaking providing ICT services; under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities means any government or other public administration entity, including national central banks. when providing ICT related services in the context of fulfilling State functions.

A financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should at all times remain fully responsible for complying with its obligations set out in this Regulation. Financial entitiesas defined in Article 2, points (a) to (t) should apply a proportionate approach to the monitoring of risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; emerging at the level of the ICT third-party service providers means an undertaking providing ICT services;, by duly considering the nature, scale, complexity and importance of their ICT-related dependencies, the criticality or importance of the services, processes or functions subject to the contractual arrangements and, ultimately, on the basis of a careful assessment of any potential impact on the continuity and quality of financial services at individual and at group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; level, as appropriate.

The conduct of such monitoring should follow a strategic approach to ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; formalised through the adoption by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s management body means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). of a dedicated ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; strategy, rooted in a continuous screening of all ICT third-party dependencies. To enhance supervisory awareness of ICT third-party dependencies, and with a view to further supporting the work in the context of the Oversight Framework established by this Regulation, all financial entitiesas defined in Article 2, points (a) to (t) should be required to maintain a register of information with all contractual arrangements about the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided by ICT third-party service providers means an undertaking providing ICT services;. Financial supervisors should be able to request the full register, or to ask for specific sections thereof, and thus to obtain essential information for acquiring a broader understanding of the ICT dependencies of financial entitiesas defined in Article 2, points (a) to (t).

A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, in particular by focusing on elements such as the criticality or importance of the services supported by the envisaged ICT contract, the necessary supervisory approvals or other conditions, the possible concentration risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; entailed, as well as applying due diligence in the process of selection and assessment of ICT third-party service providers means an undertaking providing ICT services; and assessing potential conflicts of interest. For contractual arrangements concerning critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, financial entitiesas defined in Article 2, points (a) to (t) should take into consideration the use by ICT third-party service providers means an undertaking providing ICT services; of the most up-to-date and highest information security standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. Termination of contractual arrangements could be prompted at least by a series of circumstances showing shortfalls at the ICT third-party service provider means an undertaking providing ICT services; level, in particular significant breaches of laws or contractual terms, circumstances revealing a potential alteration of the performance of the functions provided for in the contractual arrangements, evidence of weaknesses of the ICT third-party service provider means an undertaking providing ICT services; in its overall ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management, or circumstances indicating the inability of the relevant competent authorityas defined in Article 46 to effectively supervise the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

To address the systemic impact of ICT third-party concentration risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entitiesas defined in Article 2, points (a) to (t) should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with ICT third-party service providers established in a third country means an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services;. At this stage, and with a view to striking a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to set out rules on strict caps and limits to ICT third-party exposures. In the context of the Oversight Framework, a Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;, appointed pursuant to this Regulation, should, in respect to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, pay particular attention to fully grasp the magnitude of interdependences, discover specific instances where a high degree of concentration of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; in the Union is likely to put a strain on the Union financial system’s stability and integrity and maintain a dialogue with critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; where that specific risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; is identified.

To evaluate and monitor on a regular basis the ability of an ICT third party service provider to securely provide services to a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; without adverse effects on a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;, several key contractual elements with ICT third-party service providers means an undertaking providing ICT services; should be harmonised. Such harmonisation should cover minimum areas which are crucial for enabling a full monitoring by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that could emerge from the ICT third-party service provider means an undertaking providing ICT services;, from the perspective of a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s need to secure its digital resilience because it is deeply dependent on the stability, functionality, availability and security of the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; received.

When renegotiating contractual arrangements to seek alignment with the requirements of this Regulation, financial entitiesas defined in Article 2, points (a) to (t) and ICT third-party service providers means an undertaking providing ICT services; should ensure the coverage of the key contractual provisions as provided for in this Regulation.

The definition of ‘critical or important function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;’ provided for in this Regulation encompasses the ‘critical functions’ as defined in Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council(²⁰)Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190).. Accordingly, functions deemed to be critical pursuant to Directive 2014/59/EU are included in the definition of critical functions within the meaning of this Regulation.

Irrespective of the criticality or importance of the function supported by the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, contractual arrangements should, in particular, provide for a specification of the complete descriptions of functions and services, of the locations where such functions are provided and where data is to be processed, as well as an indication of service level descriptions. Other essential elements to enable a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s monitoring of ICT third party risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; are: contractual provisions specifying how the accessibility, availability, integrity, security and protection of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; are ensured by the ICT third-party service provider means an undertaking providing ICT services;, provisions laying down the relevant guarantees for enabling the access, recovery and return of data in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider means an undertaking providing ICT services;, as well as provisions requiring the ICT third-party service provider means an undertaking providing ICT services; to provide assistance in case of ICT incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; in connection with the services provided, at no additional cost or at a cost determined ex-ante; provisions on the obligation of the ICT third-party service provider means an undertaking providing ICT services; to fully cooperate with the competent authoritiesas defined in Article 46 and resolution authorities of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;; and provisions on termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authoritiesas defined in Article 46 and resolution authorities.

In addition to such contractual provisions, and with a view to ensuring that financial entitiesas defined in Article 2, points (a) to (t) remain in full control of all developments occurring at third-party level which may impair their ICT security, the contracts for the provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; should also provide for the following: the specification of the full service level descriptions, with precise quantitative and qualitative performance targets, to enable without undue delay appropriate corrective actions when the agreed service levels are not met; the relevant notice periods and reporting obligations of the ICT third-party service provider means an undertaking providing ICT services; in the event of developments with a potential material impact on the ICT third-party service provider means an undertaking providing ICT services;’s ability to effectively provide their respective ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;; a requirement upon the ICT third-party service provider means an undertaking providing ICT services; to implement and test business contingency plans and have ICT security measures, tools and policies allowing for the secure provision of services, and to participate and fully cooperate in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems carried out by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Contracts for the provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; should also contain provisions enabling the rights of access, inspection and audit by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, or an appointed third party, and the right to take copies as crucial instruments in the financial entitiesas defined in Article 2, points (a) to (t)’ ongoing monitoring of the ICT third-party service provider means an undertaking providing ICT services;’s performance, coupled with the service provider’s full cooperation during inspections. Similarly, the competent authorityas defined in Article 46 of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should have the right, based on notices, to inspect and audit the ICT third-party service provider means an undertaking providing ICT services;, subject to the protection of confidential information.

Such contractual arrangements should also provide for dedicated exit strategies to enable, in particular, mandatory transition periods during which ICT third-party service providers means an undertaking providing ICT services; should continue providing the relevant services with a view to reducing the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of disruptions at the level of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, or to allow the latter effectively to switch to the use of other ICT third-party service providers means an undertaking providing ICT services; or, alternatively, to change to in-house solutions, consistent with the complexity of the provided ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881;. Moreover, financial entitiesas defined in Article 2, points (a) to (t) within the scope of Directive 2014/59/EU should ensure that the relevant contracts for ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; are robust and fully enforceable in the event of resolution of those financial entitiesas defined in Article 2, points (a) to (t). Therefore, in line with the expectations of the resolution authorities, those financial entitiesas defined in Article 2, points (a) to (t) should ensure that the relevant contracts for ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; are resolution resilient. As long as they continue meeting their payment obligations, those financial entitiesas defined in Article 2, points (a) to (t) should ensure, among other requirements, that the relevant contracts for ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; contain clauses for non-termination, non-suspension and non-modification on grounds of restructuring or resolution.

Moreover, the voluntary use of standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). contractual clauses developed by public authorities means any government or other public administration entity, including national central banks. or Union institutions, in particular the use of contractual clauses developed by the Commission for cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; could provide further comfort to the financial entitiesas defined in Article 2, points (a) to (t) and ICT third-party service providers means an undertaking providing ICT services;, by enhancing their level of legal certainty regarding the use of cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; in the financial sector, in full alignment with the requirements and expectations set out by the Union financial services law. The development of standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). contractual clauses builds on measures already envisaged in the 2018 Fintech Action Plan that announced the Commission’s intention to encourage and facilitate the development of standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). contractual clauses for the use of cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; outsourcing by financial entitiesas defined in Article 2, points (a) to (t), drawing on cross-sectorial cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; stakeholders’ efforts, which the Commission has facilitated with the help of the financial sector’s involvement.

With a view to promoting convergence and efficiency in relation to supervisory approaches when addressing ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; in the financial sector, as well as to strengthening the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; of financial entitiesas defined in Article 2, points (a) to (t) which rely on critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; for the provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support the supply of financial services, and thereby to contributing to the preservation of the Union’s financial system stability and the integrity of the internal market for financial services, critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; should be subject to a Union Oversight Framework. While the set-up of the Oversight Framework is justified by the added value of taking action at Union level and by virtue of the inherent role and specificities of the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; in the provision of financial services, it should be recalled, at the same time, that this solution appears suitable only in the context of this Regulation specifically dealing with digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; in the financial sector. However, such Oversight Framework should not be regarded as a new model for Union supervision in other areas of financial services and activities.

The Oversight Framework should apply only to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;. There should therefore be a designation mechanism to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers means an undertaking providing ICT services;. That mechanism should involve a set of quantitative and qualitative criteria to set the criticality parameters as a basis for inclusion in the Oversight Framework. In order to ensure the accuracy of that assessment, and regardless of the corporate structure of the ICT third-party service provider means an undertaking providing ICT services;, such criteria should, in the case of a ICT third-party service provider means an undertaking providing ICT services; that is part of a wider group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, take into consideration the entire ICT third-party service provider means an undertaking providing ICT services;’s group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; structure. On the one hand, critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, which are not automatically designated by virtue of the application of those criteria, should have the possibility to opt in to the Oversight Framework on a voluntary basis, on the other hand, ICT third-party service providers means an undertaking providing ICT services;, that are already subject to oversight mechanism frameworks supporting the fulfilment of the tasks of the European System of Central Banks as referred to in Article 127(2) TFEU, should be exempted.

Similarly, financial entitiesas defined in Article 2, points (a) to (t) providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to other financial entitiesas defined in Article 2, points (a) to (t), while belonging to the category of ICT third-party service providers means an undertaking providing ICT services; under this Regulation, should also be exempted from the Oversight Framework since they are already subject to supervisory mechanisms established by the relevant Union financial services law. Where applicable, competent authoritiesas defined in Article 46 should take into account, in the context of their supervisory activities, the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; posed to financial entitiesas defined in Article 2, points (a) to (t) by financial entitiesas defined in Article 2, points (a) to (t) providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;. Likewise, due to the existing risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; monitoring mechanisms at group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; level, the same exemption should be introduced for ICT third-party service providers means an undertaking providing ICT services; delivering services predominantly to the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of their own group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;. ICT third-party service providers means an undertaking providing ICT services; providing ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; solely in one Member State to financial entitiesas defined in Article 2, points (a) to (t) that are active only in that Member State should also be exempted from the designation mechanism because of their limited activities and lack of cross-border impact.

The digital transformation experienced in financial services has brought about an unprecedented level of use of, and reliance upon, ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;. Since it has become inconceivable to provide financial services without the use of cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;, software means the part of an electronic information system which consists of computer code; solutions and data-related services, the Union financial ecosystem has become intrinsically co-dependent on certain ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided by ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; suppliers. Some of those suppliers, innovators in developing and applying ICT-based technologies, play a significant role in the delivery of financial services, or have become integrated into the financial services value chain. They have thus become critical to the stability and integrity of the Union financial system. This widespread reliance on services supplied by critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, combined with the interdependence of the information systems of various market operators, create a direct, and potentially severe, risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the Union financial services system and to the continuity of delivery of financial services if critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; were to be affected by operational disruptions or major cyber incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. Cyber incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; have a distinctive ability to multiply and propagate throughout the financial system at a considerably faster pace than other types of risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; monitored in the financial sector and can extend across sectors and beyond geographical borders. They have the potential to evolve into a systemic crisis, where trust in the financial system has been eroded due to the disruption of functions supporting the real economy, or to substantial financial losses, reaching a level which the financial system is unable to withstand, or which requires the deployment of heavy shock absorption measures. To prevent these scenarios from taking place and thereby endangering the financial stability and integrity of the Union, it is essential to provide the convergence of supervisory practices relating to ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; in finance, in particular through new rules enabling the Union oversight of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;.

The Oversight Framework largely depends on the degree of collaboration between the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; delivering to financial entitiesas defined in Article 2, points (a) to (t) services affecting the supply of financial services. Successful oversight is predicated, inter alia, upon the ability of the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to effectively conduct monitoring missions and inspections to assess the rules, controls and processes used by the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, as well as to assess the potential cumulative impact of their activities on financial stability and the integrity of the financial system. At the same time, it is crucial that critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; follow the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;’s recommendations and address its concerns. Since a lack of cooperation by a critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; providing services that affect the supply of financial services, such as the refusal to grant access to its premises or to submit information, would ultimately deprive the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; of its essential tools in appraising ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;, and could adversely impact the financial stability and the integrity of the financial system, it is necessary to also provide for a commensurate sanctioning regime.

Against this background, the need of the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to impose penalty payments to compel critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; to comply with the transparency and access-related obligations set out in this Regulation should not be jeopardised by difficulties raised by the enforcement of those penalty payments in relation to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; established in third countries. In order to ensure the enforceability of such penalties, and to allow a swift roll out of procedures upholding the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;’ rights of defence in the context of the designation mechanism and the issuance of recommendations, those critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, providing services to financial entitiesas defined in Article 2, points (a) to (t) that affect the supply of financial services, should be required to maintain an adequate business presence in the Union. Due to the nature of the oversight, and the absence of comparable arrangements in other jurisdictions, there are no suitable alternative mechanisms ensuring this objective by way of effective cooperation with financial supervisors in third countries in relation to the monitoring of the impact of digital operational risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed by systemic ICT third-party service providers means an undertaking providing ICT services;, qualifying as critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; established in third countries. Therefore, in order to continue its provision of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to financial entitiesas defined in Article 2, points (a) to (t) in the Union, an ICT third-party service provider established in a third country means an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services; which has been designated as critical in accordance with this Regulation should undertake, within 12 months of such designation, all necessary arrangements to ensure its incorporation within the Union, by means of establishing a subsidiary means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU;, as defined throughout the Union acquis, namely in Directive 2013/34/EU of the European Parliament and of the Council(²¹)Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19)..

The requirement to set up a subsidiary means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; in the Union should not prevent the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; from supplying ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; and related technical support from facilities and infrastructure located outside the Union. This Regulation does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the Union.

Critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; should be able to provide ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; from anywhere in the world, not necessarily or not only from premises located in the Union. Oversight activities should be first conducted on premises located in the Union and by interacting with entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; located in the Union, including the subsidiaries means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; established by critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; pursuant to this Regulation. However, such actions within the Union might be insufficient to allow the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to fully and effectively perform its duties under this Regulation. The Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should therefore also be able to exercise its relevant oversight powers in third countries. Exercising those powers in third countries should allow the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to examine the facilities from which the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; or the technical support services are actually provided or managed by the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31;, and should give the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; a comprehensive and operational understanding of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management of the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31;. The possibility for the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;, as a Union agency, to exercise powers outside the territory of the Union should be duly framed by relevant conditions, in particular the consent of the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; concerned. Similarly, the relevant authorities of the third country should be informed of, and not have objected to, the exercise on their own territory of the activities of the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;. However, in order to ensure efficient implementation, and without prejudice to the respective competences of the Union institutions and the Member States, such powers also need to be fully anchored in the conclusion of administrative cooperation arrangements with the relevant authorities of the third country concerned. This Regulation should therefore enable the ESAsEuropean Supervisory Authority to conclude administrative cooperation arrangements with the relevant authorities of third countries, which should not otherwise create legal obligations in respect of the Union and its Member States.

To facilitate communication with the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; and to ensure adequate representation, critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; which are part of a group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should designate one legal person as their coordination point.

The Oversight Framework should be without prejudice to Member States’ competence to conduct their own oversight or monitoring missions in respect to ICT third-party service providers means an undertaking providing ICT services; which are not designated as critical under this Regulation, but which are regarded as important at national level.

To leverage the multi-layered institutional architecture in the financial services area, the Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; of the ESAsEuropean Supervisory Authority should continue to ensure overall cross-sectoral coordination in relation to all matters pertaining to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, in accordance with its tasks on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;. It should be supported by a new Subcommittee (the ‘Oversight Foruma sub-committee of the Joint Committee for the purposes of supporting the work of the Joint Committee and of the Lead Overseer in the area of ICT third-party risk across financial sectors’) carrying out preparatory work both for the individual decisions addressed to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, and for the issuing of collective recommendations, in particular in relation to benchmarking the oversight programmes for critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, and identifying best practices for addressing ICT concentration risk means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole; issues.

To ensure that critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; are appropriately and effectively overseen on a Union level, this Regulation provides that any of the three ESAsEuropean Supervisory Authority could be designated as a Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;. The individual assignment of a critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31; to one of the three ESAsEuropean Supervisory Authority should result from an assessment of the preponderance of financial entitiesas defined in Article 2, points (a) to (t) operating in the financial sectors for which that ESAEuropean Supervisory Authority has responsibilities. This approach should lead to a balanced allocation of tasks and responsibilities between the three ESAsEuropean Supervisory Authority, in the context of exercising the oversight functions, and should make the best use of the human resources and technical expertise available in each of the three ESAsEuropean Supervisory Authority.

Lead Overseers means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; and to obtain complete and updated information. Those powers should enable the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; to acquire real insight into the type, dimension and impact of the ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; posed to financial entitiesas defined in Article 2, points (a) to (t) and ultimately to the Union’s financial system. Entrusting the ESAsEuropean Supervisory Authority with the lead oversight role is a prerequisite for understanding and addressing the systemic dimension of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; in finance. The impact of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; on the Union financial sector and the potential issues caused by the ICT concentration risk means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole; entailed call for taking a collective approach at Union level. The simultaneous carrying out of multiple audits and access rights, performed separately by numerous competent authoritiesas defined in Article 46, with little or no coordination among them, would prevent financial supervisors from obtaining a complete and comprehensive overview of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; in the Union, while also creating redundancy, burden and complexity for critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; if they were subject to numerous monitoring and inspection requests.

Due to the significant impact of being designated as critical, this Regulation should ensure that the rights of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; are observed throughout the implementation of the Oversight Framework. Prior to being designated as critical, such providers should, for example, have the right to submit to the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; a reasoned statement containing any relevant information for the purposes of the assessment related to their designation. Since the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should be empowered to submit recommendations on ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; matters and suitable remedies thereto, which include the power to oppose certain contractual arrangements ultimately affecting the stability of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or the financial system, critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; should also be given the opportunity to provide, prior to the finalisation of those recommendations, explanations regarding the expected impact of the solutions, envisaged in the recommendations, on customers that are entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling outside the scope of this Regulation and to formulate solutions to mitigate risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; disagreeing with the recommendations should submit a reasoned explanation of their intention not to endorse the recommendation. Where such reasoned explanation is not submitted or where it is considered to be insufficient, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should issue a public notice summarily describing the matter of non-compliance.

Competent authoritiesas defined in Article 46 should duly include the task of verifying substantive compliance with recommendations issued by the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; in their functions with regard to prudential supervision of financial entitiesas defined in Article 2, points (a) to (t). Competent authoritiesas defined in Article 46 should be able to require financial entitiesas defined in Article 2, points (a) to (t) to take additional measures to address the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified in the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;’s recommendations, and should, in due course, issue notifications to that effect. Where the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; addresses recommendations to critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; that are supervised under Directive (EU) 2022/2555, the competent authoritiesas defined in Article 46 should be able, on a voluntary basis and before adopting additional measures, to consult the competent authoritiesas defined in Article 46 under that Directive in order to foster a coordinated approach to dealing with the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; in question.

The exercise of the oversight should be guided by three operational principles seeking to ensure: (a) close coordination among the ESAsEuropean Supervisory Authority in their Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; roles, through a joint oversight network (JONJoint Oversight Network ), (b) consistency with the framework established by Directive (EU) 2022/2555 (through a voluntary consultation of bodies under that Directive to avoid duplication of measures directed at critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;), and (c) applying diligence to minimise the potential risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of disruption to services provided by the critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31; to customers that are entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling outside the scope of this Regulation.

The Oversight Framework should not replace, or in any way or for any part substitute for, the requirement for financial entitiesas defined in Article 2, points (a) to (t) to manage themselves the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; entailed by the use of ICT third-party service providers means an undertaking providing ICT services;, including their obligation to maintain an ongoing monitoring of contractual arrangements concluded with critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;. Similarly, the Oversight Framework should not affect the full responsibility of financial entitiesas defined in Article 2, points (a) to (t) for complying with, and discharging, all the legal obligations laid down in this Regulation and in the relevant financial services law.

To avoid duplications and overlaps, competent authoritiesas defined in Article 46 should refrain from taking individually any measures aiming to monitor the critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31;’s risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and should, in that respect, rely on the relevant Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;’s assessment. Any measures should in any case be coordinated and agreed in advance with the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; in the context of the exercise of tasks in the Oversight Framework.

To promote convergence at international level as regards the use of best practices in the review and monitoring of ICT third-party service providers means an undertaking providing ICT services;’ digital risk-management, the ESAsEuropean Supervisory Authority should be encouraged to conclude cooperation arrangements with relevant supervisory and regulatory third-country authorities.

To leverage the specific competences, technical skills and expertise of staff specialising in operational and ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; within the competent authoritiesas defined in Article 46, the three ESAsEuropean Supervisory Authority and, on a voluntary basis, the competent authoritiesas defined in Article 46 under Directive (EU) 2022/2555, the Lead Overseer means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation; should draw on national supervisory capabilities and knowledge and set up dedicated examination teams for each critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31;, pooling multidisciplinary teams in support of the preparation and execution of oversight activities, including general investigations and inspections of critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, as well as for any necessary follow-up thereto.

Whereas costs resulting from oversight tasks would be fully funded from fees levied on critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;, the ESAsEuropean Supervisory Authority are. however, likely to incur, before the start of the Oversight Framework, costs for the implementation of dedicated ICT systems supporting the upcoming oversight, since dedicated ICT systems would need to be developed and deployed beforehand. This Regulation therefore provides for a hybrid funding model, whereby the Oversight Framework would, as such, be fully fee-funded, while the development of the ESAsEuropean Supervisory Authority’ ICT systems would be funded from Union and national competent authoritiesas defined in Article 46’ contributions.

Competent authoritiesas defined in Article 46 should have all required supervisory, investigative and sanctioning powers to ensure the proper exercise of their duties under this Regulation. They should, in principle, publish notices of the administrative penalties they impose. Since financial entitiesas defined in Article 2, points (a) to (t) and ICT third-party service providers means an undertaking providing ICT services; can be established in different Member States and supervised by different competent authoritiesas defined in Article 46, the application of this Regulation should be facilitated by, on the one hand, close cooperation among relevant competent authoritiesas defined in Article 46, including the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013, and, on the other hand, by consultation with the ESAsEuropean Supervisory Authority through the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities.

In order to further quantify and qualify the criteria for the designation of ICT third-party service providers means an undertaking providing ICT services; as critical and to harmonise oversight fees, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Regulation by further specifying the systemic impact that a failure or operational outage of an ICT third-party service provider means an undertaking providing ICT services; could have on the financial entitiesas defined in Article 2, points (a) to (t) it provides ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to, the number of global systemically important institutions (G-SIIs), or other systemically important institutions (O-SIIs), that rely on the ICT third-party service provider means an undertaking providing ICT services; in question, the number of ICT third-party service providers means an undertaking providing ICT services; active on a given market, the costs of migrating data and ICT workloads to other ICT third-party service providers means an undertaking providing ICT services;, as well as the amount of the oversight fees and the way in which they are to be paid. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(²²)OJ L 123, 12.5.2016, p. 1.. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States’ experts, and their experts should systematically have access to meetings of Commission expert groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; dealing with the preparation of delegated acts.

Regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). should ensure the consistent harmonisation of the requirements laid down in this Regulation. In their roles as bodies endowed with highly specialised expertise, the ESAsEuropean Supervisory Authority should develop draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). which do not involve policy choices, for submission to the Commission. Regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). should be developed in the areas of ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management, major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; reporting, testing, as well as in relation to key requirements for a sound monitoring of ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;. The Commission and the ESAsEuropean Supervisory Authority should ensure that those standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and requirements can be applied by all financial entitiesas defined in Article 2, points (a) to (t) in a manner that is proportionate to their size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and the nature, scale and complexity of their services, activities and operations. The Commission should be empowered to adopt those regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). by means of delegated acts pursuant to Article 290 TFEU and in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

To facilitate the comparability of reports on major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and major operational or security payment-related incidents means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided;, as well as to ensure transparency regarding contractual arrangements for the use of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided by ICT third-party service providers means an undertaking providing ICT services;, the ESAsEuropean Supervisory Authority should develop draft implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). establishing standardised templates, forms and procedures for financial entitiesas defined in Article 2, points (a) to (t) to report a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and a major operational or security payment-related incident means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided;, as well as standardised templates for the register of information. When developing those standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., the ESAsEuropean Supervisory Authority should take into account the size and the overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, and the nature, scale and complexity of its services, activities and operations. The Commission should be empowered to adopt those implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Since further requirements have already been specified through delegated and implementing acts based on technical regulatory and implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). in Regulations (EC) No 1060/2009(²³)Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302, 17.11.2009, p. 1)., (EU) No 648/2012(²⁴)Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1)., (EU) No 600/2014(²⁵)Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). and (EU) No 909/2014(²⁶)Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1). of the European Parliament and of the Council, it is appropriate to mandate the ESAsEuropean Supervisory Authority, either individually or jointly through the Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010;, to submit regulatory and implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). to the Commission for adoption of delegated and implementing acts carrying over and updating existing ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management rules.

Since this Regulation, together with Directive (EU) 2022/2556 of the European Parliament and of the Council(²⁷)Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector (see page 153 of this Official Journal)., entails a consolidation of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management provisions across multiple regulations and directives of the Union’s financial services acquis, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, and Regulation (EU) 2016/1011 of the European Parliament and of the Council(²⁸)Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 (OJ L 171, 29.6.2016, p. 1)., in order to ensure full consistency, those Regulations should be amended to clarify that the applicable ICT risk-related provisions are laid down in this Regulation.

Consequently, the scope of the relevant articles related to operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, upon which empowerments laid down in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011 had mandated the adoption of delegated and implementing acts, should be narrowed down with a view to carry over into this Regulation all provisions covering the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; aspects which today are part of those Regulations.

The potential systemic cyber risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the use of ICT infrastructures that enable the operation of payment systems and the provision of payment processing activities should be duly addressed at Union level through harmonised digital resilience rules. To that effect, the Commission should swiftly assess the need for reviewing the scope of this Regulation while aligning such review with the outcome of the comprehensive review envisaged under Directive (EU) 2015/2366. Numerous large-scale attacks over the past decade demonstrate how payment systems have become exposed to cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;. Placed at the core of the payment services chain and showing strong interconnections with the overall financial system, payment systems and payment processing activities acquired a critical significance for the functioning of the Union financial markets. Cyber-attacks means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset; on such systems can cause severe operational business disruptions with direct repercussions on key economic functions, such as the facilitation of payments, and indirect effects on related economic processes. Until a harmonised regime and the supervision of operators of payment systems and processing entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are put in place at Union level, Member States may, with a view to applying similar market practices, draw inspiration from the digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; requirements laid down by this Regulation, when applying rules to operators of payment systems and processing entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; supervised under their own jurisdictions.

Since the objective of this Regulation, namely to achieve a high level of digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; for regulated financial entitiesas defined in Article 2, points (a) to (t), cannot be sufficiently achieved by the Member States because it requires harmonisation of various different rules in Union and national law, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(²⁹)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 10 May 2021(³⁰)OJ C 229, 15.6.2021, p. 16.,