REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 14 December 2022
on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank (1),
Having regard to the opinion of the European Economic and Social Committee (2),
Acting in accordance with the ordinary legislative procedure (3),
Whereas:
The following recitals
HAVE ADOPTED THIS REGULATION:
Article 12 Backup policies and procedures, restoration and recovery procedures and methods
Article 15 Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 Simplified ICT risk management framework
Chapter III ICT-related incident management, classification and reporting
Article 17 ICT-related incident management process
Article 18 Classification of ICT-related incidents and cyber threats
Article 19 Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 Harmonisation of reporting content and templates
Article 21 Centralisation of reporting of major ICT-related incidents
Article 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Article 24 General requirements for the performance of digital operational resilience testing
Article 26 Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 Requirements for testers for the carrying out of TLPT
Section I Key principles for a sound management of ICT third-party risk
Article 29 Preliminary assessment of ICT concentration risk at entity level
Section II Oversight Framework of critical ICT third-party service providers
Article 31 Designation of critical ICT third-party service providers
Article 34 Operational coordination between Lead Overseers
Article 36 Exercise of the powers of the Lead Overseer outside the Union
Article 41 Harmonisation of conditions enabling the conduct of the oversight activities
Article 43 Information-sharing arrangements on cyber threat information and intelligence
Article 45 Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 47 Financial cross-sector exercises, communication and cooperation
Article 48 Administrative penalties and remedial measures
Article 49 Exercise of the power to impose administrative penalties and remedial measures
Article 52 Publication of administrative penalties
Article 57 Amendments to Regulation (EC) No 1060/2009
Article 58 Amendments to Regulation (EU) No 648/2012
Article 59 Amendments to Regulation (EU) No 909/2014
Article 60 Amendments to Regulation (EU) No 600/2014