Considerations on COM(2020)596 - Amendment of Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341

(1)The Union needs to adequately and comprehensively address digital risks to all financial entities stemming from an increased use of information and communication technology (ICT) in the provision and consumption of financial services, thereby contributing to the realisation of the potential of digital finance, in terms of boosting innovation and promoting competition in a secure digital environment.

(2)Financial entities are heavily reliant on the use of digital technologies in their daily business. It is therefore of utmost importance to ensure the operational resilience of their digital operations against ICT risk. This need has become even more pressing due to the growth of breakthrough technologies in the market, in particular technologies enabling digital representations of value or of rights to be transferred and stored electronically, using distributed ledger or similar technology (crypto-assets), and of services related to those assets.

(3)At Union level, the requirements related to the management of ICT risk in the financial sector are currently provided for in Directives 2009/65/EC (4), 2009/138/EC (5), 2011/61/EU (6), 2013/36/EU (7), 2014/59/EU (8), 2014/65/EU (9), (EU) 2015/2366 (10) and (EU) 2016/2341 (11) of the European Parliament and of the Council.

Those requirements are diverse and occasionally incomplete. In some cases, ICT risk has been addressed only implicitly as part of operational risk, and in other cases it has not been addressed at all. Those issues are remedied by the adoption of Regulation (EU) 2022/2554 of the European Parliament and of the Council (12). Those Directives should therefore be amended to ensure consistency with that Regulation. This Directive enacts a set of amendments that are necessary to bring legal clarity and consistency in relation to the application, by financial entities authorised and supervised in accordance with those Directives, of various digital operational resilience requirements that are necessary in the pursuit of their activities and in the provision of services, thereby guaranteeing the smooth functioning of the internal market. It is necessary to ensure the adequacy of those requirements in relation to market developments, while encouraging proportionality in particular with regard to the size of financial entities and the specific regimes to which they are subject, with the aim of reducing compliance costs.

(4)In the area of banking services, Directive 2013/36/EU currently sets out only general internal governance rules and operational risk provisions containing requirements for contingency and business continuity plans which implicitly serve as a basis for addressing ICT risk. However, in order to address ICT risk explicitly and clearly, the requirements for contingency and business continuity plans should be amended to also include business continuity plans and response and recovery plans concerning ICT risk, in accordance with the requirements laid down in Regulation (EU) 2022/2554. Furthermore, ICT risk is only implicitly included, as part of operational risk, in the supervisory review and evaluation process (SREP) performed by competent authorities and the criteria for its assessment are currently defined in the Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP), issued by the European Supervisory Authority (European Banking Authority) (EBA), established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council (13). In order to provide legal clarity and ensure that bank supervisors effectively identify ICT risk, and monitor its management by financial entities, in line with the new framework on digital operational resilience, the scope of the SREP should also be amended to explicitly refer to the requirements laid down in Regulation (EU) 2022/2554 and to cover in particular the risks revealed by major ICT-related incident reports and by the results of the digital operational resilience testing performed by financial entities in accordance with that Regulation.

(5)Digital operational resilience is essential to preserve the critical functions and core business lines of a financial entity in the event of its resolution, and thereby to avoid disruption to the real economy and to the financial system. Major operational incidents can hamper the capacity of a financial entity to continue operating and can jeopardise resolution objectives. Certain contractual arrangements on the use of ICT services are essential to ensure operational continuity and to provide the necessary data in the event of resolution. In order to be aligned with the objectives of the Union framework for operational resilience, Directive 2014/59/EU should be amended accordingly, with a view to ensuring that information relating to operational resilience is taken into account in the context of resolution planning and the assessment of financial entities’ resolvability.

(6)Directive 2014/65/EU sets out more stringent ICT risk rules for investment firms and trading venues that are engaging in algorithmic trading. Less detailed requirements apply to data reporting services and to trade repositories. Also, Directive 2014/65/EU contains only limited references to control and safeguard arrangements for information processing systems and to the use of appropriate systems, resources and procedures to ensure continuity and regularity of business services. Furthermore, that Directive should be aligned with Regulation (EU) 2022/2554 as regards continuity and regularity in the provision of investment services and in the performance of investment activities, operational resilience, the capacity of trading systems, and the effectiveness of business continuity arrangements and risk management.

(7)Directive (EU) 2015/2366 sets out specific rules on ICT security controls and mitigation elements for the purposes of obtaining an authorisation to provide payment services. Those authorisation rules should be amended to align them with Regulation (EU) 2022/2554. Furthermore, in order to reduce the administrative burden and to avoid complexity and duplicative reporting requirements, the incident reporting rules in that Directive should cease to apply to payment service providers which are regulated under that Directive and also subject to Regulation (EU) 2022/2554, thus allowing those payment service providers to benefit from a single, fully harmonised incident reporting mechanism with regard to all operational or security payment-related incidents, irrespective of whether such incidents are ICT-related.

(8)Directives 2009/138/EC and (EU) 2016/2341 partially capture ICT risk within their general provisions on governance and risk management, leaving certain requirements to be specified through delegated acts with or without specific references to ICT risk. Similarly, only very general rules apply to managers of alternative investment funds subject to Directive 2011/61/EU and management companies subject to Directive 2009/65/EC. Those Directives should therefore be aligned with the requirements laid down in Regulation (EU) 2022/2554 with regard to the management of ICT systems and tools.

(9)In many cases, further ICT risk requirements have already been laid down in delegated and implementing acts, adopted on the basis of draft regulatory technical standards and draft implementing technical standards developed by the competent European Supervisory Authority. Since the provisions of Regulation (EU) 2022/2554 henceforth constitute the legal framework for ICT risk in the financial sector, certain empowerments to adopt delegated and implementing acts in Directives 2009/65/EC, 2009/138/EC, 2011/61/EU and 2014/65/EU should be amended to remove the ICT risk provisions from the scope of those empowerments.

(10)To ensure a consistent implementation of the new framework on digital operational resilience for the financial sector, Member States should apply the provisions of national law transposing this Directive from the date of application of Regulation (EU) 2022/2554.

(11)Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 have been adopted on the basis of Article 53(1) or Article 114 of the Treaty on the Functioning of the European Union (TFEU) or both. The amendments in this Directive have been included in a single legislative act due to the interconnectedness of the subject matter and objectives of the amendments. Consequently, this Directive should be adopted on the basis of both Article 53(1) and Article 114 TFEU.

(12)Since the objectives of this Directive cannot be sufficiently achieved by the Member States as they entail the harmonisation of requirements already contained in Directives but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.

(13)In accordance with the Joint Political Declaration of 28 September 2011 of Member States and the Commission on explanatory documents (14), Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified,