BETA

35 Amendments of Olivier CHASTEL related to 2020/0266(COD)

Amendment 158 #
Proposal for a regulation
Recital 2
(2) The use of ICT has in the last decades gained a pivotal role in finance, assuming today critical relevance in the operation of typical daily functions of all financial entities. Digitalisation covers, for instance, payments, which have increasingly moved from cash and paper- based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic trading, lending and funding operations, peer-to-peer finance, credit rating, insurance underwriting, claim management and back-office operations. The insurance sector has also been transformed by the use of ICT technology, from the emergence of digital insurance intermediaries operating with InsurTech to digital insurance underwriting and contract distributions. Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.
2021/06/01
Committee: ECON
Amendment 198 #
Proposal for a regulation
Recital 43
(43) Further reflection on the possible cCentralisation of ICT-related incident reports should be envisaged, by means of a single central EU Hub either directly receiving the relevant reports and automatically notifying national competent authorities, or merelywill be achieved with the establishment of a single central EU Hub for major ICT-related incident reporting. The new EU Hub will centralisinge reports forwarded by the national competent authorities and fulfilling a coordination role. The ESAs should be required to prepare, in consultation with ECB and ENISA, by a certain date a joint report exploring the feasibility of setting up such a central EU Hub.
2021/06/01
Committee: ECON
Amendment 217 #
Proposal for a regulation
Recital 58
(58) The requirement of legal incorporationto establish a subsidiary in the Union ofor ICT third- party service providers which have been designated as critical does not amount to data localisation since this Regulation does not entail any further requirement on data storage or processing to be undertaken in Union. The requirement to have a subsidiary in the Union is intended to provide a contact point between the ICT third-party service provider, on the one hand, and the ESAs and Joint Oversight Executive Body, on the other, and to ensure that the Joint Oversight Executive Body is able to carry out its duties and exercise its powers of oversight and enforcement as foreseen under this Regulation.
2021/06/01
Committee: ECON
Amendment 228 #
Proposal for a regulation
Recital 66 a (new)
(66 a) In order to include the full range of practical experience and operational expertise, the Joint Oversight Executive Body should include independent directors from each ESA, in charge of digital operational resilience for the financial sector.
2021/06/01
Committee: ECON
Amendment 229 #
Proposal for a regulation
Recital 66 b (new)
(66 b) To provide for an appropriate level of expertise and accountability, the independent directors should be appointed by the Board of Supervisors of each ESA on the basis of merit, knowledge and relevant experience on digital operational resilience, following an open selection procedure organised and managed by the relevant Board of Supervisors, assisted by the Commission, which should respect the principle of gender balance. Before the appointment of the independent directors, and up to one month after their selection by the relevant Board of Supervisors, the European Parliament should, after having heard the persons selected, approve or reject their designation. Only selected candidates approved by the European Parliament may be appointed by the relevant Board of Supervisors.
2021/06/01
Committee: ECON
Amendment 230 #
Proposal for a regulation
Recital 66 c (new)
(66 c) In order to ensure transparency and democratic control, as well as to safeguard the rights of the Union institutions, the independent directors should be accountable to the European Parliament and to the Council for any decisions taken on the basis of this Regulation.
2021/06/01
Committee: ECON
Amendment 231 #
Proposal for a regulation
Recital 66 d (new)
(66 d) The independent directors should act independently and objectively in the interests of the Union. They should ensure that appropriate account is taken of the proper functioning of the internal market as well as financial stability in each Member State and in the Union.
2021/06/01
Committee: ECON
Amendment 235 #
Proposal for a regulation
Recital 69 – point 1
Technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. As bodies with highly specialised expertise, the ESAs should be mandated to develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, reporting, testing and key requirements for a sound monitoring of ICT third-party risk. When developing draft regulatory technical standards, the ESAs should take due consideration of their mandate in relation to proportionality aspects, and seek advice from their respective Advisory Committees on Proportionality, in particular in relation to the application of the DORA framework to SMEs and mid-caps.
2021/06/01
Committee: ECON
Amendment 252 #
Proposal for a regulation
Article 2 – paragraph 1 – point n
(n) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, unless they are micro, small or medium-sized enterprises and do not rely exclusively on organised automated sales systems,
2021/06/01
Committee: ECON
Amendment 263 #
Proposal for a regulation
Article 2 – paragraph 1 – point b a (new)
(b a) payment systems
2021/06/01
Committee: ECON
Amendment 274 #
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘ICT risk’ means any reasonably identifiable circumstance in relation toderived from the use of network and information systems, - including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event - which, if materialised, may compromise the security ofr adversely affect the network and information systems, of any technology-dependant tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects;
2021/06/01
Committee: ECON
Amendment 285 #
Proposal for a regulation
Article 3 – paragraph 1 – point 6
(6) ‘ICT-related incident’ means an unforeseen identified occurrence in they event having an actual adverse effect on the security of network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity;
2021/06/01
Committee: ECON
Amendment 315 #
Proposal for a regulation
Article 3 – paragraph 1 – point 25 a (new)
(25 a) 'payment system' means a payment system as defined in Article 4(7) of Directive (EU) 2015/2366, with the exception of payment systems subject to ECB Regulation (EU) 795/2014.
2021/06/01
Committee: ECON
Amendment 490 #
Proposal for a regulation
Article 17 – paragraph 1 – subparagraph 1
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, an incident report using the template referred to in Article 18 and submit it to the competent authoritysingle EU Hub.
2021/06/01
Committee: ECON
Amendment 502 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
3. Financial entities shall submit to the competent authoritysingle EU Hub as referred to in Article 419:
2021/06/01
Committee: ECON
Amendment 507 #
Proposal for a regulation
Article 17 – paragraph 3 – point a
(a) an initial notification, without delay, but no later than the end of the business day, or, in case of a major24 hours after the ICT- related incident that took place later than 2 hours before the end of the business day, not later than 4 hours from the beginning of the next business dais classified as major by the financial entity, or, where reporting channels are not available, as soon as they become available;
2021/06/01
Committee: ECON
Amendment 512 #
Proposal for a regulation
Article 17 – paragraph 3 – point c
(c) a final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates, but not later than one month from the moment of sending the initial reportday of sending the initial report. In duly justified cases, and following agreement with the competent authority, financial entities may deviate from the deadline laid down in this point.
2021/06/01
Committee: ECON
Amendment 520 #
Proposal for a regulation
Article 17 – paragraph 5
5. Upon receipt of the report referred to in paragraph 1, the competent authority shall, without undue delay, provide details of the incident to: (a) EBA, ESMA or EIOPA, as appropriate; (b) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1); and (c) the single point of contact designated under Article 8 of Directive (EU) 2016/1148.deleted
2021/06/01
Committee: ECON
Amendment 531 #
Proposal for a regulation
Article 19 – paragraph 1
1. The1. ESAs, through the Joint Committee and in consultation with ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence shall establish and operate a single EU Hub for major ICT-related incident reporting by financial entities.
2021/06/01
Committee: ECON
Amendment 537 #
Proposal for a regulation
Article 19 – paragraph 2
2. The report referred to in the paragraph 1 shall comprise at least the following elements: (a) prerequisites for the establishment of such an EU Hub; (b) benefits, limitations and possible risks; (c) elements of operational management; (d) conditions of membership; (e) modalities for financial entities and national competent authorities to access the EU Hub; (f) a preliminary assessment of financial costs entailed by the setting-up the operational platform supporting the EU Hub, including the required expertisedeleted
2021/06/01
Committee: ECON
Amendment 538 #
Proposal for a regulation
Article 19 – paragraph 2 – introductory part
2. The reportEU Hub shall collect and maintain incident data and shall ensure that the entities referred to in the paragraph 1 shall comprise at least the following elements:3 have direct and immediate access to the relevant information.
2021/06/01
Committee: ECON
Amendment 541 #
Proposal for a regulation
Article 19 – paragraph 3
3. The ESAs shall submitU Hub shall make the necessary information available to the following entities to enable them to fulfil their report referred to in the paragraph 1 to the Commission, the European Parliament and to the Council by xx 202x [OJ: insert date 3 years after the date of entry into force]. spective responsibilities and mandates: (a) Competent authorities as referred to in Article 41; (b) EBA, ESMA or EIOPA, as appropriate; (c) the ECB, as appropriate, in the case of financial entities referred to in points (a), (b) and (c) of Article 2(1); (d) the single point of contact designated under Article 8 of Directive (EU) 2016/1148; (e) the Single Resolution Board (SRB), for entities referred to in Article 7(2) of Regulation (EU) No 806/2014, and national resolution authorities in relation to entities referred to in Article 7(3) of Regulation (EU) No 806/2014; and (f) the relevant national CSIRT belonging to the CSIRTs network as established by Article 12 of Directive (EU) 2016/1148, in cases where the reporting entity falls within the scope of that Directive.
2021/06/01
Committee: ECON
Amendment 544 #
3 a. The ESAs, through the Joint Committee and after consultation with ENISA and the ECB, shall develop common draft regulatory technical standards specifying the following: (a) modalities and operational standards for the entities referred to in paragraph 3 to access the EU Hub; (b) the terms and conditions, the arrangements and the required documentation under which access to the EU Hub is granted to the entities referred to in paragraph 3; (c) the conditions for membership of financial entities.
2021/06/01
Committee: ECON
Amendment 595 #
Proposal for a regulation
Article 25 – paragraph 1 – point 8 – introductory part
8. Financial entities shall ensure that contractual arrangements on the use of ICT services are terminallow the financial entity to terminate the arrangement under applicable law, after all other remedies have been exhausted, at least under the following circumstances:
2021/06/01
Committee: ECON
Amendment 642 #
Proposal for a regulation
Article 27 – paragraph 2 a (new)
2 a. The contractual arrangements for the provision of ICT services by an ICT third-party service provider established in a third country and designated as critical pursuant to Article 28(9), shall, in addition to the provisions set out in paragraphs 2 and 2a of this Article: (a) be concluded with a legal entity in the Union of that ICT third-party service provider; and (b) guarantee that the Joint Oversight Executive Body can carry out its duties specified in Article 30 on the basis of its competences set out in Article 31. The services for which the contractual arrangements are concluded shall not be required to be performed by the legal entity located in the Union.
2021/06/01
Committee: ECON
Amendment 652 #
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) appoint either EBA, ESMA or EIOPA as Lead Overseer for each critical ICT third-party service provider, depending on whether the total value of assets of financial entities making use of the services of that critical ICT third-party service provider and which are covered by one of the Regulations (EU) No 1093/2010 (EU), No 1094/2010 or (EU) No 1095/2010 respectively, represents more than a half of the value of the total assets of all financial entities making use of the services of the, on a rotational basis, to be rotated following the annual publication of the list referred to in paragraph 6, as having the responsibility to adopt formal decisions and recommendations addressed to critical ICT third- party service providers, as evidenced by the consolidated balance sheets, or the individual balance sheets where balance sheets are not consolidated, of those financial entitieson the basis of draft decisions and recommendations from the Joint Oversight Executive Body.
2021/06/01
Committee: ECON
Amendment 673 #
Proposal for a regulation
Article 28 – paragraph 9
9. Financial entities shall not make use of an ICT third-party service provider established in a third country that would be designated as critical pursuant to point (a) of paragraph 1 if it were establishedthat ICT third-party service provider has a subsidiary in the Union.
2021/06/01
Committee: ECON
Amendment 682 #
Proposal for a regulation
Article 29 – paragraph 4
4. The Joint Oversight ForumExecutive Body shall be composed of the Chairpersons of theone independent director from EBA, one independent director from EIOPA, one independent director from ESMAs, and one high-level representative from the current staff of the relevant competent authority from each Member Stateat least five of the national competent authorities. The Executive Directors of each ESA and one representative from the European Commission, from the ESRB, from ECB and from ENISA shall participate in the Joint Oversight ForumExecutive Body as observers.
2021/06/01
Committee: ECON
Amendment 684 #
Proposal for a regulation
Article 29 – paragraph 4 a (new)
4 a. The independent directors from each ESA referred to in paragraph 4 shall be full-time, independent professionals. They shall be appointed by the respective Board of Supervisors of each ESA on the basis of merit, skills, knowledge and experience relevant to digital operational resilience for the financial sector, following an open selection procedure. Before the appointment of independent directors from each ESA, and up to one month after the selection by the Board of Supervisors, which shall submit its shortlist of selected candidates, respecting gender balance, to the European Parliament, the European Parliament, after having heard the selected candidates, shall approve or reject them. Where an independent director no longer fulfil the conditions required for the performance of his or her duties or has been found guilty of serious misconduct, the Council may, on a proposal from the Commission which has been approved by the European Parliament, adopt an implementing decision to remove the independent director from office. The Council shall act by qualified majority. The European Parliament or the Council may inform the Commission that they consider the conditions for the removal of one of the independent directors to be fulfilled, to which the Commission shall respond. The term of office of the independent directors shall be five years and may be extended once. The independent directors shall not hold any office at national, Union, or international level. They shall act independently and objectively in the sole interest of the Union as a whole and shall neither seek nor take instructions from Union institutions or bodies, from any government of a Member State or from any other public or private body. Neither Member States, the Union institutions or bodies, nor any other public or private body shall seek to influence the independent directors in the performance of their tasks. In accordance with the Staff Regulations referred to in Article 68 of Regulation (EU) No 1093/2010, Article 68 of Regulation (EU) No 1094/2010 and Article 68 of Regulation (EU) No 1095/2010, the independent directors shall, after leaving service, continue to be bound by the duty to behave with integrity and discretion as regards the acceptance of certain appointments or benefits.
2021/06/01
Committee: ECON
Amendment 693 #
Proposal for a regulation
Article 30 – paragraph 3 a (new)
3 a. When preparing the Oversight plan, the Joint Oversight Executive body shall consult all relevant competent authorities and single points of contact referred to in Article 8 of Directive (EU) 2016/1148 to ensure that there are no inconsistencies or duplications with the critical ICT third-party service provider's obligations under Directive (EU) 2016/1148.
2021/06/01
Committee: ECON
Amendment 700 #
Proposal for a regulation
Article 31 – paragraph 1 – subparagraph 1 (new)
The powers referred to in the first subparagraph shall primarily be used in respect of the critical or important services provided by the critical ICT third- party service provider to financial entities, but may also be used in respect of other services provided to financial entities when necessary.
2021/06/01
Committee: ECON
Amendment 704 #
Proposal for a regulation
Article 31 – paragraph 2 a (new)
2 a. When preparing the recommendations, the Joint Oversight Executive body shall consult all relevant competent authorities and single points of contact referred to in Article 8 of Directive (EU) 2016/1148 to ensure there are no inconsistencies or duplications with the critical ICT third-party service provider's obligations under Directive (EU) 2016/1148
2021/06/01
Committee: ECON
Amendment 727 #
Proposal for a regulation
Article 37 – paragraph 1
1. Within 30 calendar days after the receipt of the recommendations issued by Lead Overseersthe Joint Oversight Executive Body pursuant to point (d) of Article 31(1), critical ICT third-party service providers shall notify the LeadJoint Overseeright Executive Body whether they intend to follow those recommendations. Lead OverseersThe Joint Oversight Executive Body shall immediately transmit this information to competent authorities.
2021/06/01
Committee: ECON
Amendment 730 #
Proposal for a regulation
Article 37 – paragraph 3
3. Competent authorities may, in accordance with Article 44, requireThe ESAs may decide, upon recommendation from the Joint Oversight Executive Body and after consultation with the Competent authorities of the affected financial entities, to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party provider untilo financial entity customers exposed to the risks identified in the recommendations addressed to critical ICT third-party service providers until those risks have been addressed. Where necessary, they may require financial entitiethe critical ICT third-party service providers to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providerfinancial entity customers exposed to the identified risks.
2021/06/01
Committee: ECON
Amendment 737 #
Proposal for a regulation
Article 37 – paragraph 4 – introductory part
4. When tmaking those drecisions referred to in paragraph 3, competent authoritiesommendations, the Joint Oversight Executive Body shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:
2021/06/01
Committee: ECON