Source: OJ L 333, 27.12.2022, pp. 153–163

Article 5 Amendments to Directive 2014/59/EU


Directive 2014/59/EU is amended as follows:

  1. Article 10 is amended as follows:

    1. in paragraph 7, point (c) is replaced by the following:

      1. ‘a demonstration of how critical functions and core business lines could be legally and economically separated, to the extent necessary, from other functions so as to ensure continuity and digital operational resilience upon the failure of the institution;’;

    2. in paragraph 7, point (q) is replaced by the following:

      1. ‘a description of essential operations and systems for maintaining the continuous functioning of the institution’s operational processes, including network and information systems as referred to in Regulation (EU) 2022/2554 of the European Parliament and of the Council (19)

         (19) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;

    3. in paragraph 9, the following subparagraph is added:

      ‘In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards in order to, inter alia, take account of the provisions of Chapter II of Regulation (EU) 2022/2554.’;

  2. the Annex is amended as follows:

    1. in Section A, point (16) is replaced by the following:

      1. ‘arrangements and measures necessary to maintain the continuous functioning of the institution’s operational processes, including network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554;’;

    2. Section B is amended as follows:

      1. point (14) is replaced by the following:

        1. ‘an identification of the owners of the systems identified in point (13), service level agreements related thereto, and any software and systems or licenses, including a mapping to their legal entities, critical operations and core business lines, as well as an identification of critical ICT third-party service providers as defined in Article 3, point (23), of Regulation (EU) 2022/2554;’;

      2. the following point is inserted:

        1. ‘the results of institutions’ digital operational resilience testing under Regulation (EU) 2022/2554;’;

    3. Section C is amended as follows:

      1. point (4) is replaced by the following:

        1. ‘the extent to which the service agreements, including contractual arrangements on the use of ICT services, that the institution maintains are robust and fully enforceable in the event of resolution of the institution;’;

      2. the following point is inserted:

        1. ‘the digital operational resilience of the network and information systems supporting critical functions and core business lines of the institution, taking into account major ICT-related incident reports and the results of digital operational resilience testing under Regulation (EU) 2022/2554;’.
