52 Amendments of Markus FERBER related to 2020/0266(COD)
Amendment 173 #
Proposal for a regulation
Recital 20
(20) To remain in full control of ICT risks, financial entities need to have in place comprehensive capabilities enabling a strong and effective ICT risk management, alongside specific mechanisms and policies for ICT-related incident reporting, testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience bar for the financial system should be raised while allowing for a proportionate application of requirements for financial entities which are micro enterprises as defined in Commission Recommendation 2003/361/EC [32].
[32] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 182 #
Proposal for a regulation
Recital 28
(28) There exists a lack of homogeneity and convergence on ICT third-party risk and ICT third-party dependencies. Despite some efforts to tackle the specific area of outsourcing such as the 2017 recommendations on outsourcing to cloud service providers [34], the issue of systemic risk which may be triggered by the financial sector's exposure to a limited number of critical ICT third-party service providers is barely addressed in Union legislation. This lack at Union level is compounded by the absence of specific mandates and tools allowing national supervisors to acquire a good understanding of ICT third-party dependencies and adequately monitor risks arising from concentration of such ICT third-party dependencies. Existing guidelines and guidelines currently under preparation by the ESAs should be reviewed, revised and harmonised to reflect the provisions of this Regulation.
[34] Recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), now repealed by the EBA Guidelines on outsourcing (EBA/GL/2019/02).
Amendment 184 #
Proposal for a regulation
Recital 29
(29) Taking into account the potential systemic risks entailed by the increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms enabling financial supervisors to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third-party service providers, it is necessary to establish an appropriate Union oversight framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical providers to financial entities. As intra-group provision of ICT services does not carry the same risks, service providers that are part of the same group or institutional protection scheme should not be defined as critical ICT third-party service providers.
Amendment 188 #
Proposal for a regulation
Recital 33
(33) Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into consideration significant differences between financial entities in terms of size, business profiles or exposure to digital risk. As a general principle, when directing resources and capabilities to the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their nature, size, complexity, business model and risk profile, while competent authorities should continue to assess and review the approach of such distribution, with a view to ensure a proportionate application.
Amendment 190 #
Proposal for a regulation
Recital 34 – introductory part
(34) As larger financial entities may enjoy wider resources and could swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities which are not small and medium enterprises in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers or for dealing with crisis management, to organise their ICT risk management according to the three lines of defence model, or to adopt a human resources document comprehensively explaining access rights policies.
Amendment 192 #
Proposal for a regulation
Recital 35
(35) Moreover, as solely those financial entities identified as significant for the purposes of the advanced digital resilience testing should be required to conduct threat led penetration tests, the administrative processes and financial costs entailed by the performance of such tests should be devolved to a small percentage of financial entities. Finally, with a view to ease regulatory burdens, only financial entities other than small and medium enterprises should be asked to regularly report to the competent authorities all costs and losses caused by ICT disruptions and the results of post-incident reviews after significant ICT disruptions.
Amendment 205 #
Proposal for a regulation
Recital 48
(48) A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, while termination of contracts should be prompted by at least a set of circumstances that show severe shortfalls at the ICT third-party service provider.
Amendment 212 #
Proposal for a regulation
Recital 54
(54) Contractual arrangements should provide for clear termination rights as a solution of last resort and related minimum notices as well as dedicated exit strategies enabling, in particular, mandatory transition periods during which the ICT third-party service providers should continue providing the relevant functions with a view to reduce the risk of disruptions at the level of the financial entity or allow the latter to effectively switch to other ICT third-party service providers, or alternatively resort to the use of on-premises solutions, consistent with the complexity of the provided service.
Amendment 237 #
Proposal for a regulation
Recital 71
(71) To facilitate the comparability of major ICT-related incident reports and to ensure transparency on contractual arrangements for the use of ICT services provided by ICT third-party service providers, the ESAs should be mandated to develop draft implementing technical standards establishing standardised templates, forms and procedures for financial entities to report a major ICT-related incident, as well as standardised templates for the register of information. When developing those standards, the ESAs should take into account the nature, size, complexity and business profile of financial entities, as well as the nature and level of risk of their activities. The Commission should be empowered to adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively. Since further requirements have already been specified through delegated and implementing acts based on technical regulatory and implementing technical standards in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, respectively, it is appropriate to mandate the ESAs, either individually or jointly through the Joint Committee, to submit regulatory and implementing technical standards to the Commission for adoption of delegated and implementing acts carrying over and updating existing ICT risk management rules.
Amendment 243 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
2 a. The requirements of this Regulation shall be applied in a way that is proportionate to the size and risk of the entities subject to this Regulation.
Amendment 259 #
Proposal for a regulation
Article 2 – paragraph 1 – point q
Amendment 307 #
Proposal for a regulation
Article 3 – paragraph 1 – point 18
(18) ‘critical ICT third-party service provider’ means an ICT third-party service provider designated in accordance with Article 29 and subject to the Oversight Framework referred to in Articles 30 to 37, unless the ICT third-party service provider is part of the same group or same institutional protection scheme;
Amendment 312 #
Proposal for a regulation
Article 3 – paragraph 1 – point 23
(23) ‘credit institution’ means a credit institution as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council [46], with the exception of small and non-complex institutions as defined in point (145) of Article 4(1) of Regulation (EU) No 575/2013;
[46] Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).
Amendment 321 #
Proposal for a regulation
Article 3 – paragraph 1 – point 41
Amendment 322 #
Proposal for a regulation
Article 3 – paragraph 1 – point 42
Amendment 329 #
Proposal for a regulation
Article 3 – paragraph 1 – point 50 a (new)
(50 a) 'small and medium sized enterprises' means companies below the thresholds set out in the definition of medium-sized undertakings in Article 3(3) of Directive 2013/34/EU;
Amendment 337 #
Proposal for a regulation
Article 4 – paragraph 1
1. Financial entities shall have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks. Those frameworks shall be proportionate to the financial entity's size, nature, scale, complexity and overall risk profile.
Amendment 344 #
Proposal for a regulation
Article 4 – paragraph 3
3. Financial entities other than small and medium-sized enterprises shall establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
Amendment 351 #
Proposal for a regulation
Article 5 – paragraph 4
4. As part of the ICT risk management framework referred to in paragraph 1, financial entities other than small and medium-sized enterprises shall implement an information security management system based on recognised international standards and in accordance with supervisory guidance and shall regularly review it.
Amendment 353 #
Proposal for a regulation
Article 5 – paragraph 5
5. Financial entities other than small and medium-sized enterprises shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model. Those provisions shall be in line with the financial entity's size, nature, scale, complexity and overall risk profile.
Amendment 364 #
Proposal for a regulation
Article 5 – paragraph 9 – point g
Amendment 376 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) the systems and tools are appropriate to the nature, variety, complexity, risk profile and magnitude of operations supporting the conduct of their activities;
Amendment 379 #
Proposal for a regulation
Article 7 – paragraph 1
1. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall identify, classify and adequately document all critical ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems. Financial entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets and of any relevant documentation.
Amendment 382 #
Proposal for a regulation
Article 7 – paragraph 2
2. Financial entities shall on a regular basis identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT-related business functions and information assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
Amendment 383 #
Proposal for a regulation
Article 7 – paragraph 3
3. Financial entities other than small and medium-sized enterprises shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their functions, supporting processes or information assets.
Amendment 388 #
Proposal for a regulation
Article 7 – paragraph 7
7. Financial entities other than small and medium-sized enterprises shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems in relation to critical ICT-related business functions, especially before and after connecting old and new technologies, applications or systems.
Amendment 411 #
Proposal for a regulation
Article 9 – paragraph 3
3. Financial entities shall devote sufficient resources and capabilities, with due consideration to their size, complexity, business and overall risk profiles, to monitor user activity, occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.
Amendment 421 #
Proposal for a regulation
Article 10 – paragraph 3
3. As part of the ICT risk management framework referred to in Article 5(1), financial entities shall implement an associated ICT Disaster Recovery Plan, which, in the case of financial entities other than small and medium-sized enterprises, shall be subject to independent audit reviews.
Amendment 427 #
Proposal for a regulation
Article 10 – paragraph 5 – subparagraph 1
For the purposes of point (a), financial entities other than small and medium-sized enterprises shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 11.
Amendment 428 #
Proposal for a regulation
Article 10 – paragraph 6
6. Financial entities other than small and medium-sized enterprises shall have a crisis management function, which, in case of activation of their ICT Business Continuity Policy or ICT Disaster Recovery Plan, shall set out clear procedures to manage internal and external crisis communications in accordance with Article 13.
Amendment 432 #
Proposal for a regulation
Article 10 – paragraph 9
9. Financial entities other than small and medium-sized enterprises shall report to competent authorities all substantial costs and losses caused by ICT disruptions and ICT-related incidents.
Amendment 445 #
Proposal for a regulation
Article 11 – paragraph 6
6. In determining the recovery time and point objectives for each function, financial entities shall take into account the potential overall impact on market efficiency and whether it is a critical ICT-related business function. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.
Amendment 448 #
Proposal for a regulation
Article 12 – paragraph 1
1. Financial entities shall have in place capabilities and staff, suited to their size, complexity, business and overall risk profiles, to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse their likely impacts on their digital operational resilience.
Amendment 450 #
Amendment 454 #
Proposal for a regulation
Article 12 – paragraph 6 – introductory part
6. Financial entities shall develop ICT security awareness programs and digital operational resilience trainings as compulsory modules in their staff training schemes. These shall be applicable to all employees operating critical ICT systems and to senior management staff.
Amendment 484 #
Proposal for a regulation
Article 16 – paragraph 3 – introductory part
3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account international standards, as well as specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. The ESAs shall also take into consideration the nature, size and complexity of the financial entities concerned.
Amendment 496 #
2. Where a major ICT-related incident has or may have an impact on the financial interests of service users and clients, financial entities shall, without undue delay, inform their service users and clients about the major ICT-related incident and shall as soon as possible inform them of all measures which have been taken to mitigate the adverse effects of such incident. Where no harm to service users and clients materialises due to the countermeasures taken by the financial entity, the requirement to inform service users and clients shall not apply.
Amendment 504 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without undue delay, but no later than the end of the business day, or, in case of a major ICT-related incident that took place later than 2 hours before the end of the business day, not later than 4 hours from the beginning of the next business day, or, where reporting channels are not available, as soon as they become available;
Amendment 549 #
Proposal for a regulation
Article 21 – paragraph 1
1. For the purpose of assessing preparedness for ICT-related incidents, of identifying weaknesses, deficiencies or gaps in the digital operational resilience and of promptly implementing corrective measures, financial entities that are not small and medium-sized enterprises shall establish, maintain and review, with due consideration to their nature, size, complexity, business and overall risk profiles, a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework referred to in Article 5.
Amendment 558 #
Proposal for a regulation
Article 23 – paragraph 2 – introductory part
2. Threat led penetration testing shall cover at least the critical functions and services of a financial entity, and shall be performed on live production systems supporting such functions. The precise scope of threat led penetration testing, based on the assessment of critical functions and services, shall be determined by financial entities and shall be validated by the competent authorities.
Amendment 570 #
Proposal for a regulation
Article 23 – paragraph 3 – subparagraph 1 – introductory part
Competent authorities shall identify financial entities to perform threat led penetration testing in a manner that is proportionate to the nature, size, scale, activity and overall risk profile of the financial entity, based on the assessment of the following:
Amendment 587 #
Proposal for a regulation
Article 25 – paragraph 1 – point 3
3. As part of their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in point (g) of Article 5(9). That strategy shall include a policy on the use of ICT services provided by ICT third-party service providers and shall apply on an individual and, as relevant, on a sub-consolidated and consolidated basis. The management body shall regularly review the risks identified in respect of outsourcing of critical or important functions.
Amendment 597 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall ensure that contractual arrangements on the use of ICT services can be terminated as a matter of last resort at least under the following circumstances:
Amendment 646 #
Proposal for a regulation
Article 27 – paragraph 4 – introductory part
4. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements which a financial entity needs to determine and assess when sub-contracting critical or important functions to properly give effect to the provisions of point (a) of paragraph 2. When devising those standards, the ESAs shall take into consideration the nature, size and complexity of the financial entities concerned.
Amendment 654 #
Proposal for a regulation
Article 28 – paragraph 2 – point a a (new)
(a a) the services provided constitute a function within the meaning of Article 3(17) of this Regulation.
Amendment 667 #
Proposal for a regulation
Article 28 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement the criteria referred to in paragraph 2. The Commission shall adopt such a delegated act within 12 months from the date of entry into force of this Regulation.
Amendment 671 #
Proposal for a regulation
Article 28 – paragraph 9
Amendment 677 #
Proposal for a regulation
Article 28 – paragraph 9 a (new)
9 a. ICT service providers that are part of the same group of financial entities shall not be classified as critical ICT third-party service providers.
Amendment 735 #
Proposal for a regulation
Article 37 – paragraph 3
3. Competent authorities may, in accordance with Article 44, require financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider until the risks identified in the recommendations addressed to critical ICT third-party providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers. Competent authorities shall only require financial entities to perform any of the above actions as a matter of last resort and taking into account the involved risk and the feasibility of exiting the service in question.
Amendment 736 #
Proposal for a regulation
Article 37 – paragraph 3 a (new)
Amendment 747 #
Proposal for a regulation
Article 41 – paragraph 1 – point p
Amendment 763 #
Proposal for a regulation
Article 56 – paragraph 2
It shall apply from [PO: insert date - 24 months after the date of entry into force].