12 Amendments of Marco ZANNI related to 2020/0266(COD)
Amendment 185 #
Proposal for a regulation
Recital 30
(30) With ICT threats becoming more complex and sophisticated, good detection and prevention measures depend to a great extent on regular threat and vulnerability intelligence sharing between financial entities. Information sharing contributes to increased awareness on cyber threats, which, in turn, enhances financial entities’ capacity to prevent threats from materialising into real incidents and enables financial entities to better contain the effects of ICT-related incidents and recover more efficiently. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, notably uncertainty over the compatibility with the anti-trust and liability rules. Data protection does not constitute an obstacle to intelligence sharing in the financial sector because data protection requirements should be perceived as a basic requirement, which should be complied with to ensure that the rights of individuals within the data operational resilience framework of financial entities are safeguarded. In that regard, the national data protection authorities (DPAs) have an important role to play in promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, as well as the awareness of controllers and processors in relation to their obligations under the General Data Protection Regulation. Moreover, the European Data Protection Board's guidance set out in its guidelines, recommendations and best practices encourages consistent application of the General Data Protection Regulation.
Amendment 303 #
Proposal for a regulation
Article 3 – paragraph 1 – point 16
(16) ‘ICT services’ means digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, on an ongoing basis, including data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services, hardware as a service, and hardware services which encompass technical support via software or firmware updates by the hardware provider;
Amendment 331 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 a (new)
(50 a) 'competent authorities' means national competent authorities in accordance with Article 41 or, for credit institutions considered to be significant, the ECB pursuant to Regulation (EU) No 1024/2013.
Amendment 348 #
Proposal for a regulation
Article 5 – paragraph 1
1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience that matches their business needs, size, complexity and risk profile. Such ICT risk management framework shall be based on the three lines of defense model.
Amendment 370 #
Proposal for a regulation
Article 5 – paragraph 10
10. Upon notification to, and approval of, competent authorities, financial entities may outsource the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings. Where such outsourcing occurs, the financial entity shall remain fully accountable for the verification of compliance with ICT risk management requirements.
Amendment 422 #
Proposal for a regulation
Article 10 – paragraph 4
4. Financial entities shall put in place, maintain and periodically test appropriate ICT Response and Recovery plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.
Amendment 426 #
Proposal for a regulation
Article 10 – paragraph 5 – point a
(a) test the ICT Business Continuity Policy and the ICT Disaster Recovery Plan at least yearly and after substantive changes to the ICT systems following a risk-based approach;
Amendment 552 #
Proposal for a regulation
Article 21 – paragraph 4
4. Financial entities shall ensure that tests, including threat led penetration testing, are undertaken by independent parties, whether internal or external. In the case of an internal tester, an adequate analysis and identification of the proper resources to be allocated in the design and execution phases of the tests shall be performed, in order to avoid any conflicts of interest and other potential managerial issues.
Amendment 579 #
Proposal for a regulation
Article 23 – paragraph 4 a (new)
4 a. Results of threat led penetration testing, including those performed under the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), shall be mutually recognized within the Union among competent authorities.
Amendment 618 #
Proposal for a regulation
Article 26 – paragraph 2 – subparagraph 1 a (new)
With regard to the respect of data protection referred to in point (a), financial entities shall comply with the requirements of Chapter V of Regulation (EU) 2016/679, as interpreted in the case-law of the Court of Justice of the European Union.
Amendment 653 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The designation referred to in point (a) of paragraph 1 shall be based on all of the following criteria:
-a) on the basis of a structured risk-based approach which takes into account both the provider and the nature of the service it provides;
Amendment 660 #
Proposal for a regulation
Article 28 – paragraph 2 a (new)
2 a. The designation shall not apply in relation to intragroup ICT third-party service providers.