REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 14 December 2022
on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank 1,
Having regard to the opinion of the European Economic and Social Committee 2,
Acting in accordance with the ordinary legislative procedure 3,
Whereas:
The following recitals,
HAVE ADOPTED THIS REGULATION:
Article 12 Backup policies and procedures, restoration and recovery procedures and methods
Article 15 Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 Simplified ICT risk management framework
Chapter III ICT-related incident management, classification and reporting
Article 17 ICT-related incident management process
Article 18 Classification of ICT-related incidents and cyber threats
Article 19 Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 Harmonisation of reporting content and templates
Article 21 Centralisation of reporting of major ICT-related incidents
Article 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Article 24 General requirements for the performance of digital operational resilience testing
Article 26 Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 Requirements for testers for the carrying out of TLPT
Section I Key principles for a sound management of ICT third-party risk
Article 29 Preliminary assessment of ICT concentration risk at entity level
Section II Oversight Framework of critical ICT third-party service providers
Article 31 Designation of critical ICT third-party service providers
Article 34 Operational coordination between Lead Overseers
Article 36 Exercise of the powers of the Lead Overseer outside the Union
Article 41 Harmonisation of conditions enabling the conduct of the oversight activities
Article 45 Information-sharing arrangements on cyber threat information and intelligence
Article 47 Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 49 Financial cross-sector exercises, communication and cooperation
Article 50 Administrative penalties and remedial measures
Article 51 Exercise of the power to impose administrative penalties and remedial measures
Article 54 Publication of administrative penalties
Article 59 Amendments to Regulation (EC) No 1060/2009
Article 60 Amendments to Regulation (EU) No 648/2012
Article 61 Amendments to Regulation (EU) No 909/2014
Article 62 Amendments to Regulation (EU) No 600/2014