Source: OJ L 333, 27.12.2022, pp. 153–163
DORA directive
Article 4 Amendments to Directive 2013/36/EU
Directive 2013/36/EU is amended as follows:
in Article 65(3), point (a)(vi) is replaced by the following:
‘third parties to whom the entities referred to in points (i) to (iv) have outsourced functions or activities, including ICT third-party service providers referred to in Chapter V of Regulation (EU) 2022/2554 of the European Parliament and of the Council (18)’;
(18) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
in Article 74(1), the first subparagraph is replaced by the following:
‘Institutions shall have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554, and remuneration policies and practices that are consistent with and promote sound and effective risk management.’;
in Article 85, paragraph 2 is replaced by the following:
‘Competent authorities shall ensure that institutions have adequate contingency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technology they use for the communication of information, and that those plans are established, managed and tested in accordance with Article 11 of Regulation (EU) 2022/2554, in order to allow institutions to keep operating in the event of severe business disruption and limit losses incurred as a consequence of such disruption.’;
in Article 97(1), the following point is added:
‘risks revealed by digital operational resilience testing in accordance with Chapter IV of Regulation (EU) 2022/2554.’.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.