Gaps and overlaps in ICT risk provisions


To date, due to the ICT risk related provisions being only partially addressed at Union level, there are gaps or overlaps in important areas, such as ICT-related incident reporting and digital operational resilience testing, and inconsistencies as a result of emerging divergent national rules or cost-ineffective application of overlapping rules. This is particularly detrimental for an ICT-intensive user such as the financial sector since technology risks have no borders and the financial sector deploys its services on a wide cross-border basis within and outside the Union. Individual financial entities operating on a cross-border basis or holding several authorisations (e.g. one financial entity can have a banking, an investment firm, and a payment institution licence, each issued by a different competent authority in one or several Member States) face operational challenges in addressing ICT risk and mitigating adverse impacts of ICT incidents on their own and in a coherent cost-effective way.

Defined terms used above, as given in the page's inline glossary: "ICT risk" means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment. "ICT-related incident" means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity. "Digital operational resilience testing" is as defined in Article 24; "financial entities" are as defined in Article 2, points (a) to (t); "investment firm" means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU; "payment institution" means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366; "competent authority" is as defined in Article 46.