2022R2554 - Summary
REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
Info
🇫🇷 French version: 2022R2554_FR.0 (PDF available; full text on EUR-Lex).
Article 1 - Subject matter
Article 2 - Scope
Article 3 - Definitions
Article 4 - Proportionality principle
Article 5 - Governance and organisation
Article 6 - ICT risk management framework
Article 7 - ICT systems, protocols and tools
Article 8 - Identification
Article 9 - Protection and prevention
Article 10 - Detection
Article 11 - Response and recovery
Article 12 - Backup policies and procedures, restoration and recovery procedures and methods
Article 13 - Learning and evolving
Article 14 - Communication
Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 - Simplified ICT risk management framework
Article 17 - ICT-related incident management process
Article 18 - Classification of ICT-related incidents and cyber threats
Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 - Harmonisation of reporting content and templates
Article 21 - Centralisation of reporting of major ICT-related incidents
Article 22 - Supervisory feedback
Article 23 - Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Article 24 - General requirements for the performance of digital operational resilience testing
Article 25 - Testing of ICT tools and systems
Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 - Requirements for testers for the carrying out of TLPT
Article 28 - General principles
Article 29 - Preliminary assessment of ICT concentration risk at entity level
Article 30 - Key contractual provisions
Article 31 - Designation of critical ICT third-party service providers
Article 32 - Structure of the Oversight Framework
Article 33 - Tasks of the Lead Overseer
Article 34 - Operational coordination between Lead Overseers
Article 35 - Powers of the Lead Overseer
Article 36 - Exercise of the powers of the Lead Overseer outside the Union
Article 37 - Request for information
Article 38 - General investigations
Article 39 - Inspections
Article 40 - Ongoing oversight
Article 41 - Harmonisation of conditions enabling the conduct of the oversight activities
Article 42 - Follow-up by competent authorities
Article 43 - Oversight fees
Article 44 - International cooperation
Article 45 - Information-sharing arrangements on cyber threat information and intelligence
Article 46 - Competent authorities
Article 47 - Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 48 - Cooperation between authorities
Article 49 - Financial cross-sector exercises, communication and cooperation
Article 50 - Administrative penalties and remedial measures
Article 51 - Exercise of the power to impose administrative penalties and remedial measures
Article 52 - Criminal penalties
Article 53 - Notification duties
Article 54 - Publication of administrative penalties
Article 55 - Professional secrecy
Article 56 - Data protection
Article 57 - Exercise of the delegation
Article 58 - Review clause
Article 59 - Amendments to Regulation (EC) No 1060/2009
Article 60 - Amendments to Regulation (EU) No 648/2012
Article 61 - Amendments to Regulation (EU) No 909/2014
Article 62 - Amendments to Regulation (EU) No 600/2014
Article 63 - Amendment to Regulation (EU) 2016/1011
Article 64 - Entry into force and application