34 Amendments of Jonás FERNÁNDEZ related to 2020/0266(COD)
Amendment 209 #
Proposal for a regulation
Recital 53
(53) Rights of access, inspection and audit by the financial entity or an appointed third party should cover the full range of relevant ICT systems, networks, devices, information and data either used for, or contributing to, the provision of services to financial entities. They are crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the latter’s full cooperation during inspections. In the same vein, the competent authority of the financial entity should have those rights, based on notices, to inspect and audit the ICT third-party service provider, subject to confidentiality.
Amendment 286 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6 a (new)
(6 a) ‘operational or security payment-related incident’ means an event or a series of linked occurrences unforeseen by financial entities referred to in points (a) to (c) of Article 2(1) which has or is likely to have an adverse impact on the integrity, availability, confidentiality, authenticity or continuity of payment-related services;
Amendment 291 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7 a (new)
(7 a) ‘major operational or security payment-related incident’ means an operational or security payment-related incident which meets the criteria set out in Article 16(2)(a);
Amendment 292 #
Proposal for a regulation
Article 3 – paragraph 1 – point 8 a (new)
(8 a) ‘significant cyber threat’ means a cyber threat whose characteristics clearly indicate that it is likely to result in a major ICT-related incident or a major operational or security payment-related incident;
Amendment 470 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
3 a. The requirements laid down in paragraphs 1, 2 and 3 shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 471 #
Proposal for a regulation
Article 15 a (new)
Article 15 a
Operational or security payment-related incidents concerning financial entities referred to in points (a), (b) and (c) of Article 2(1)
The requirements laid down in Chapter III of this Regulation shall apply to operational or security payment-related incidents and to major operational or security payment-related incidents where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 474 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
1 a. The classification requirements laid down in paragraph 1 shall apply to operational or security payment-related incidents and major operational or security payment-related incidents in cases where they concern financial entities referred to in points (a), (b) and (c) of Article 2(1).
Amendment 475 #
Proposal for a regulation
Article 16 – paragraph 1 b (new)
1 b. Financial entities shall classify significant cyber threats based on the following criteria:
(a) the number or relevance of clients or financial counterparts targeted and, where applicable, the amount or number of transactions targeted by the significant cyber threat;
(b) the duration or the frequency of the significant cyber threat;
(c) the geographical spread with regard to the areas targeted by the significant cyber threat, particularly if it affects more than two Member States;
(d) the criticality of the services targeted, including the financial entity’s transactions and operations;
Amendment 478 #
Proposal for a regulation
Article 16 – paragraph 2 – point a
(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents which are subject to the reporting obligation laid down in Article 17(1);
Amendment 479 #
Proposal for a regulation
Article 16 – paragraph 2 – point b
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to other Member States’ jurisdictions, and the details of ICT-related incident reports or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
Amendment 482 #
Proposal for a regulation
Article 16 – paragraph 2 – point b a (new)
(b a) the criteria set out in paragraph 1b, including high materiality thresholds for determining significant cyber threats which are subject to the reporting obligation laid down in Article 17(1a);
Amendment 487 #
Proposal for a regulation
Article 17 – title
Article 17 – Reporting of major ICT-related incidents and significant cyber threats
Amendment 492 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1 a. Financial entities shall notify significant cyber threats without undue delay to the relevant competent authority as referred to in Article 41.
Amendment 498 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
2 a. Where a significant cyber threat could adversely impact the financial interests of clients, financial entities shall inform their clients, without undue delay, of the significant cyber threat and of the measures which the financial entity intends to take to mitigate the adverse effects of such threat. Where appropriate, the financial entity shall also advise its clients on the measures they can take to mitigate the adverse effects of the threat.
Amendment 523 #
Proposal for a regulation
Article 17 – paragraph 5 – introductory part
5. Upon receipt of the report referred to in paragraph 1 or the notification referred to in paragraph 1a, the competent authority shall, without undue delay, provide details of the major ICT-related incident or significant cyber threat to:
Amendment 524 #
Proposal for a regulation
Article 17 – paragraph 5 – point c a (new)
(c a) the Single Resolution Board for entities referred to in Article 7(2) of Regulation EU 806/2014, and national resolution authorities in relation to entities referred to in Article 7(3) of Regulation EU 806/2014. National resolution authorities should provide to the SRB, on a six-monthly basis, a summary of the reports received under this Article.
Amendment 528 #
Proposal for a regulation
Article 18 – paragraph 1 – point a – point 1 a (new)
(1 a) establish the content of the notification for significant cyber threats;
Amendment 529 #
Proposal for a regulation
Article 18 – paragraph 1 – point b
(b) common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident and notify a significant cyber threat.
Amendment 545 #
Proposal for a regulation
Article 20 – paragraph 1
1. Upon receipt of a report as referred to in Article 17(1) and (1a), the competent authority shall acknowledge receipt of notification and shall as quickly as possible provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise adverse impact across sectors and also provide appropriately anonymised feedback, insight and intelligence to all relevant financial entities where it could be beneficial, based on any major incident reports they receive.
Amendment 564 #
At the end of the test, the financial entity and the external testers shall provide to the competent authority or, in the case of ICT third-party service providers entering into contractual arrangements with […] directly, to the Lead Overseers, a confidential summary of the test results and the documentation confirming that the threat led penetration testing has been conducted in accordance with the requirements. Competent authorities shall issue an attestation confirming that the test was performed in accordance with the requirements based on the documentation in order to allow for mutual recognition of threat led penetration tests between competent authorities.
Amendment 568 #
Proposal for a regulation
Article 23 – paragraph 3 – introductory part
3. Financial entities shall contract external testers in accordance with Article 24 for the purposes of undertaking threat led penetration testing.
Amendment 576 #
Proposal for a regulation
Article 23 – paragraph 4 – point c
(c) the type of supervisory cooperation needed for the implementation and to facilitate full mutual recognition of threat led penetration testing in the context of financial entities which operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.
Amendment 580 #
Proposal for a regulation
Article 24 – title
Article 24 – Requirements for external testers
Amendment 582 #
Proposal for a regulation
Article 24 – paragraph 1 – point d
(d) are independent and provide an independent assurance or an audit report in relation to the sound management of risks associated with the execution of threat led penetration testing, including the proper protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
Amendment 583 #
Proposal for a regulation
Article 24 – paragraph 1 – point e
(e) in case of external testers, are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
Amendment 596 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall ensure that contractual arrangements on the use of ICT services may be wholly terminated, if no rectification is possible, and partially terminated, if a rectification is possible, at least under the following circumstances:
Amendment 632 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point i
i) unrestricted rights of access, inspection and audit by the competent authority, the financial entity or by an appointed third-party, and the right to take copies of relevant documentation, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
Amendment 634 #
Proposal for a regulation
Article 27 – paragraph 2 – point h – point iii
iii) the commitment to fully cooperate during the onsite inspections and audits performed by the competent authority, financial entity or by an appointed third party and details on the scope, modalities and frequency of such inspections and audits;
Amendment 675 #
Proposal for a regulation
Article 28 – paragraph 9
9. Financial entities shall refrain from using an ICT third-party service provider established in a third country that would be designated as critical pursuant to point (a) of paragraph 1 if it does not establish a subsidiary in the Union.
Amendment 706 #
Proposal for a regulation
Article 31 – paragraph 4
4. The Lead Overseer shall decide, in the case of full or partial non-compliance with the appropriate measures taken in accordance with points (a), (b) or (c), within 30 calendar days, to impose a periodic penalty payment to compel the critical ICT third-party service provider to comply with points (a), (b) and (c) of paragraph 1.
Amendment 713 #
Proposal for a regulation
Article 32 – paragraph 1
1. The Lead Overseer may by simple request or by decision require the critical ICT third-party providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party provider has outsourced operational functions or activities. Any contractual clauses between the financial entity and the critical ICT third-party service provider restricting access to information by the Lead Overseer shall be declared null and void.
Amendment 715 #
Proposal for a regulation
Article 32 – paragraph 3 – point e
(e) indicate the periodic penalty payments provided for in Article 31(4) where the production of the required information is incomplete or when such information is not provided within the time limit established in point (d);
Amendment 734 #
Proposal for a regulation
Article 37 – paragraph 3
3. Competent authorities may, in accordance with Article 44, as a measure of last resort, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers, after considering risks and mitigating measures and following the defined exit strategies put in place by the financial entity. Following the request for termination, the competent authorities shall allow sufficient time for financial entities to adjust their contractual arrangements with ICT third-party service providers in such a way as to not jeopardise digital operational resilience.
Amendment 739 #
Proposal for a regulation
Article 37 – paragraph 4 – point d a (new)
(d a) whether the suspension or termination introduces a discontinuity risk for the business operations of the customer of the critical ICT third-party provider.