Chapter III - ICT-related incident management, classification and reporting
Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Financial entities (as defined in Article 2, points (a) to (t)) may, on a voluntary basis, notify significant cyber threats (a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident) to the relevant competent authority (as defined in Article 46) when they deem the threat to be of relevance to the financial system, service users or clients. The relevant competent authority may provide such information to other relevant authorities referred to in paragraph 6.
Credit institutions (a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council) classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, may, on a voluntary basis, notify significant cyber threats to the relevant national competent authority, designated in accordance with Article 4 of Directive 2013/36/EU, that shall immediately transmit the notification to the ECB.
Member States may determine that those financial entities that on a voluntary basis notify in accordance with the first subparagraph may also transmit that notification to the CSIRTs (computer security incident response teams) designated or established in accordance with Directive (EU) 2022/2555.
Chapter V - Managing of ICT third-party risk
Article 28 - General principles
As part of their ICT risk management framework (ICT risk: any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment), financial entities (as defined in Article 2, points (a) to (t)) shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services (digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services) provided by ICT third-party service providers (an undertaking providing ICT services).
The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions (a function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law) and those that do not.
Financial entities shall report at least yearly to the competent authorities (as defined in Article 46) on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.