Legal provisions of COM(2020)596 - Amendment of Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2020)596 - Amendment of Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and ...
document COM(2020)596 EN
date December 14, 2022


Article 1

Amendments to Directive 2009/65/EC

Article 12 of Directive 2009/65/EC is amended as follows:

(1)in the second subparagraph of paragraph 1, point (a) is replaced by the following:

‘(a)has sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, including with regard to network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*1), as well as adequate internal control mechanisms, including, in particular, rules for personal transactions by its employees or for the holding or management of investments in financial instruments in order to invest on its own account and ensuring, at least, that each transaction involving the UCITS may be reconstructed according to its origin, the parties to it, its nature, and the time and place at which it was effected and that the assets of the UCITS managed by the management company are invested according to the fund rules or the instruments of incorporation and the legal provisions in force;

(*1)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(2)paragraph 3 is replaced by the following:

‘3.   Without prejudice to Article 116, the Commission shall adopt, by means of delegated acts in accordance with Article 112a, measures specifying:

(a)the procedures and arrangements referred to in point (a) of the second subparagraph of paragraph 1, other than the procedures and arrangements concerning network and information systems;

(b)the structures and organisational requirements to minimise conflicts of interests referred to in point (b) of the second subparagraph of paragraph 1.’.

Article 2

Amendments to Directive 2009/138/EC

Directive 2009/138/EC is amended as follows:

(1)in Article 41, paragraph 4 is replaced by the following:

‘4.   Insurance and reinsurance undertakings shall take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans. To that end, the undertakings shall employ appropriate and proportionate systems, resources and procedures, and shall, in particular, set up and manage network and information systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*2).

(*2)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(2)in Article 50(1), points (a) and (b) are replaced by the following:

‘(a)the elements of the systems referred to in Article 41, Article 44, in particular the areas listed in Article 44(2), and Articles 46 and 47, other than the elements concerning information and communication technology risk management;

(b)the functions referred to in Articles 44, 46, 47 and 48, other than functions related to information and communication technology risk management.’.

Article 3

Amendment to Directive 2011/61/EU

Article 18 of Directive 2011/61/EU is replaced by the following:

‘Article 18

General principles

1. Member States shall require that AIFMs use, at all times, adequate and appropriate human and technical resources that are necessary for the proper management of AIFs.

In particular, the competent authorities of the home Member State of the AIFM, having regard also to the nature of the AIFs managed by the AIFM, shall require that the AIFM has sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, including with regard to network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*3), as well as adequate internal control mechanisms, including, in particular, rules for personal transactions by its employees or for the holding or management of investments in order to invest on its own account and ensuring, at least, that each transaction involving the AIFs may be reconstructed according to its origin, the parties to it, its nature, and the time and place at which it was effected and that the assets of the AIFs managed by the AIFM are invested in accordance with the AIF rules or instruments of incorporation and the legal provisions in force.

2. The Commission shall, by means of delegated acts in accordance with Article 56 and subject to the conditions of Articles 57 and 58, adopt measures specifying the procedures and arrangements referred to in paragraph 1 of this Article, other than the procedures and arrangements concerning network and information systems.

Article 4

Amendments to Directive 2013/36/EU

Directive 2013/36/EU is amended as follows:

(1)in Article 65(3), point (a)(vi) is replaced by the following:

‘(vi)third parties to whom the entities referred to in points (i) to (iv) have outsourced functions or activities, including ICT third-party service providers referred to in Chapter V of Regulation (EU) 2022/2554 of the European Parliament and of the Council (*4);

(*4)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(2)in Article 74(1), the first subparagraph is replaced by the following:

‘Institutions shall have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554, and remuneration policies and practices that are consistent with and promote sound and effective risk management.’;

(3)in Article 85, paragraph 2 is replaced by the following:

‘2.   Competent authorities shall ensure that institutions have adequate contingency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technology they use for the communication of information, and that those plans are established, managed and tested in accordance with Article 11 of Regulation (EU) 2022/2554, in order to allow institutions to keep operating in the event of severe business disruption and limit losses incurred as a consequence of such disruption.’;

(4)in Article 97(1), the following point is added:

‘(d)risks revealed by digital operational resilience testing in accordance with Chapter IV of Regulation (EU) 2022/2554.’.

Article 5

Amendments to Directive 2014/59/EU

Directive 2014/59/EU is amended as follows:

(1)Article 10 is amended as follows:

(a)in paragraph 7, point (c) is replaced by the following:

‘(c)a demonstration of how critical functions and core business lines could be legally and economically separated, to the extent necessary, from other functions so as to ensure continuity and digital operational resilience upon the failure of the institution;’;

(b)in paragraph 7, point (q) is replaced by the following:

‘(q)a description of essential operations and systems for maintaining the continuous functioning of the institution’s operational processes, including network and information systems as referred to in Regulation (EU) 2022/2554 of the European Parliament and of the Council (*5);

(*5)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(c)in paragraph 9, the following subparagraph is added:

‘In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards in order to, inter alia, take account of the provisions of Chapter II of Regulation (EU) 2022/2554.’;

(2)the Annex is amended as follows:

(a)in Section A, point (16) is replaced by the following:

‘(16)arrangements and measures necessary to maintain the continuous functioning of the institution’s operational processes, including network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554;’;

(b)Section B is amended as follows:

(i)point (14) is replaced by the following:

‘(14)an identification of the owners of the systems identified in point (13), service level agreements related thereto, and any software and systems or licenses, including a mapping to their legal entities, critical operations and core business lines, as well as an identification of critical ICT third-party service providers as defined in Article 3, point (23), of Regulation (EU) 2022/2554;’;

(ii)the following point is inserted:

‘(14a)the results of institutions’ digital operational resilience testing under Regulation (EU) 2022/2554;’;

(c)Section C is amended as follows:

(i)point (4) is replaced by the following:

‘(4)the extent to which the service agreements, including contractual arrangements on the use of ICT services, that the institution maintains are robust and fully enforceable in the event of resolution of the institution;’;

(ii)the following point is inserted:

‘(4a)the digital operational resilience of the network and information systems supporting critical functions and core business lines of the institution, taking into account major ICT-related incident reports and the results of digital operational resilience testing under Regulation (EU) 2022/2554;’.

Article 6

Amendments to Directive 2014/65/EU

Directive 2014/65/EU is amended as follows:

(1)Article 16 is amended as follows:

(a)paragraph 4 is replaced by the following:

‘4.   An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities. To that end, the investment firm shall employ appropriate and proportionate systems, including information and communication technology (“ICT”) systems that are set up and managed in accordance with Article 7 of Regulation (EU) 2022/2554 of the European Parliament and of the Council (*6), as well as appropriate and proportionate resources and procedures.

(*6)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(b)in paragraph 5, the second and third subparagraphs are replaced by the following:

‘An investment firm shall have sound administrative and accounting procedures, internal control mechanisms and effective procedures for risk assessment.

Without prejudice to the ability of competent authorities to require access to communications in accordance with this Directive and Regulation (EU) No 600/2014, an investment firm shall have sound security mechanisms in place to ensure, in accordance with the requirements laid down in Regulation (EU) 2022/2554, the security and authentication of the means of transfer of information, to minimise the risk of data corruption and unauthorised access and to prevent information leakage, thereby maintaining the confidentiality of the data at all times.’;

(2)Article 17 is amended as follows:

(a)paragraph 1 is replaced by the following:

‘1.   An investment firm that engages in algorithmic trading shall have in place effective systems and risk controls suitable to the business it operates to ensure that its trading systems are resilient and have sufficient capacity in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554, are subject to appropriate trading thresholds and limits and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly market.

Such a firm shall also have in place effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to Regulation (EU) No 596/2014 or to the rules of a trading venue to which it is connected.

The investment firm shall have in place effective business continuity arrangements to deal with any failure of its trading systems, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, and shall ensure its systems are fully tested and properly monitored to ensure that they meet the general requirements laid down in this paragraph and any specific requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554.’;

(b)in paragraph 7, point (a) is replaced by the following:

‘(a)the details of organisational requirements laid down in paragraphs 1 to 6, other than those related to ICT risk management, which are to be imposed on investment firms providing different investment services, investment activities, ancillary services or combinations thereof, whereby the specifications in relation to the organisational requirements laid down in paragraph 5 shall set out specific requirements for direct market access and for sponsored access in such a way as to ensure that the controls applied to sponsored access are at least equivalent to those applied to direct market access;’;

(3)in Article 47, paragraph 1 is amended as follows:

(a)point (b) is replaced by the following:

‘(b)to be adequately equipped to manage the risks to which it is exposed, including to manage ICT risk in accordance with Chapter II of Regulation (EU) 2022/2554, to implement appropriate arrangements and systems for identifying significant risks to its operation, and to put in place effective measures to mitigate those risks;’;

(b)point (c) is deleted;

(4)Article 48 is amended as follows:

(a)paragraph 1 is replaced by the following:

‘1.   Member States shall require a regulated market to establish and maintain its operational resilience in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554 to ensure its trading systems are resilient, have sufficient capacity to deal with peak order and message volumes, are able to ensure orderly trading under conditions of severe market stress, are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, to ensure continuity of its services if there is any failure of its trading systems.’;

(b)paragraph 6 is replaced by the following:

‘6.   Member States shall require a regulated market to have in place effective systems, procedures and arrangements, including requiring members or participants to carry out appropriate testing of algorithms and providing environments to facilitate such testing in accordance with the requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554, to ensure that algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market and to manage any disorderly trading conditions which do arise from such algorithmic trading systems, including systems to limit the ratio of unexecuted orders to transactions that may be entered into the system by a member or participant, to be able to slow down the flow of orders if there is a risk of its system capacity being reached and to limit and enforce the minimum tick size that may be executed on the market.’;

(c)paragraph 12 is amended as follows:

(i)point (a) is replaced by the following:

‘(a)the requirements to ensure trading systems of regulated markets are resilient and have adequate capacity, except the requirements related to digital operational resilience;’;

(ii)point (g) is replaced by the following:

‘(g)the requirements to ensure appropriate testing of algorithms, other than digital operational resilience testing, so as to ensure that algorithmic trading systems including high-frequency algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market.’.

Article 7

Amendments to Directive (EU) 2015/2366

Directive (EU) 2015/2366 is amended as follows:

(1)in Article 3, point (j) is replaced by the following:

‘(j)services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information and communication technology (ICT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services;’;

(2)Article 5(1) is amended as follows:

(a)the first subparagraph is amended as follows:

(i)point (e) is replaced by the following:

‘(e)a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures as well as arrangements for the use of ICT services in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*7), which demonstrates that those governance arrangements and internal control mechanisms are proportionate, appropriate, sound and adequate;

(*7)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).’;"

(ii)point (f) is replaced by the following:

‘(f)a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations of the payment institution laid down in Chapter III of Regulation (EU) 2022/2554;’;

(iii)point (h) is replaced by the following:

‘(h)a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with Regulation (EU) 2022/2554;’;

(b)the third subparagraph is replaced by the following:

‘The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1) of this Directive. Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) of this Directive, when in place.’;

(3)in Article 19(6), the second subparagraph is replaced by the following:

‘Outsourcing of important operational functions, including ICT systems, shall not be undertaken in such way as to impair materially the quality of the payment institution’s internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in this Directive.’;

(4)in Article 95(1), the following subparagraph is added:

‘The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to:

(a)payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;

(b)account information service providers referred to in Article 33(1) of this Directive;

(c)payment institutions exempted pursuant to Article 32(1) of this Directive; and

(d)electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.’;

(5)in Article 96, the following paragraph is added:

‘7.   Members States shall ensure that paragraphs 1 to 5 of this Article do not apply to:

(a)payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;

(b)account information service providers referred to in Article 33(1) of this Directive;

(c)payment institutions exempted pursuant to Article 32(1) of this Directive; and

(d)electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.’;

(6)in Article 98, paragraph 5 is replaced by the following:

‘5.   In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments, and of the provisions of Chapter II of Regulation (EU) 2022/2554.’.

Article 8

Amendment to Directive (EU) 2016/2341

Article 21(5) of Directive (EU) 2016/2341 is replaced by the following:

‘5.   Member States shall ensure that IORPs take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans. To that end, IORPs shall employ appropriate and proportionate systems, resources and procedures, and shall, in particular, set up and manage network and information systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*8), where applicable.

Article 9

Transposition

1. By 17 January 2025, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.

They shall apply those measures from 17 January 2025.

When Member States adopt those measures, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

2. Member States shall communicate to the Commission the text of the main measures of national law which they adopt in the field covered by this Directive.

Article 10

Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 11

Addressees

This Directive is addressed to the Member States.