+DORA Ch. IX Sec. II Amendments
---+DORA Ch. IX Sec. II Art. 59 Amendments to Regulation (EC) No 1060/2009
---+DORA Ch. IX Sec. II Art. 60
---+DORA Ch. IX Sec. II Art. 61
---+DORA Ch. IX Sec. II Art. 62
---+DORA Ch. IX Sec. II Art. 63
---+DORA Ch. IX Sec. II Art. 64
|
1. Overview
DORA Ch. IX Sec. II Amendments
Amendments
| Summary |
Regulation |
|
DORA Ch. IX Sec. II Art. 59 Amendments to Regulation (EC) No 1060/2009
|
Amendments to Regulation (EC) No 1060/2009
Regulation (EC) No 1060/2009 is amended as follows:
(1) in Annex I, Section A, point 4, the first subparagraph is replaced by the following:
‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*1).
(*1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;"
(2) in Annex III, point 12 is replaced by the following:
‘12. The credit rating agency infringes Article 6(2), in conjunction with point 4 of Section A of Annex I, by not having sound administrative or accounting procedures, internal control mechanisms, effective procedures for risk assessment, or effective control or safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554; or by not implementing or maintaining decision-making procedures or organisational structures as required by that point.’.
|
|
DORA Ch. IX Sec. II Art. 60
|
Amendments to Regulation (EU) No 648/2012
Regulation (EU) No 648/2012 is amended as follows:
(1)
Article 26 is amended as follows:
(a)
paragraph 3 is replaced by the following:
‘3. A CCP shall maintain and operate an organisational structure that ensures continuity and orderly functioning in the performance of its services and activities. It shall employ appropriate and proportionate systems, resources and procedures, including ICT systems managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*2).
(*2) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;"
(b)
paragraph 6 is deleted;
(2)
Article 34 is amended as follows:
(a)
paragraph 1 is replaced by the following:
‘1. A CCP shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, which shall include ICT business continuity policy and ICT response and recovery plans put in place and implemented in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and the fulfilment of the CCP’s obligations.’;
(b)
in paragraph 3, the first subparagraph is replaced by the following:
‘3. In order to ensure consistent application of this Article, ESMA shall, after consulting the members of the ESCB, develop draft regulatory technical standards specifying the minimum content and requirements of the business continuity policy and of the disaster recovery plan, excluding ICT business continuity policy and disaster recovery plans.’;
(3)
in Article 56(3), the first subparagraph is replaced by the following:
‘3. In order to ensure consistent application of this Article, ESMA shall develop draft regulatory technical standards specifying the details, other than for requirements related to ICT risk management, of the application for registration referred to in paragraph 1.’;
(4)
in Article 79, paragraphs 1 and 2 are replaced by the following:
‘1. A trade repository shall identify sources of operational risk and minimise them also through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance with Regulation (EU) 2022/2554.
2. A trade repository shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and the fulfilment of the trade repository’s obligations.’;
(5)
in Article 80, paragraph 1 is deleted.
(6)
in Annex I, Section II is amended as follows:
(a)
points (a) and (b) are replaced by the following:
‘(a)
a trade repository infringes Article 79(1) by not identifying sources of operational risk or by not minimising those risks through the development of appropriate systems, controls and procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;
(b)
a trade repository infringes Article 79(2) by not establishing, implementing or maintaining an adequate business continuity policy and disaster recovery plan established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and the fulfilment of the trade repository’s obligations;’;
(b)
point (c) is deleted.
(7)
Annex III is amended as follows:
(a)
Section II is amended as follows:
(i)
point (c) is replaced by the following:
‘(c)
a Tier 2 CCP infringes Article 26(3) by not maintaining or operating an organisational structure that ensures continuity and orderly functioning in the performance of its services and activities or by not employing appropriate and proportionate systems, resources or procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;’;
(ii)
point (f) is deleted.
(b)
in Section III, point (a) is replaced by the following:
‘(a)
a Tier 2 CCP infringes Article 34(1) by not establishing, implementing or maintaining an adequate business continuity policy and response and recovery plan set up in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and the fulfilment of the CCP’s obligations, which at least allows for the recovery of all transactions at the time of disruption to allow the CCP to continue to operate with certainty and to complete settlement on the scheduled date;’.
|
|
DORA Ch. IX Sec. II Art. 61
|
Amendments to Regulation (EU) No 909/2014
Article 45 of Regulation (EU) No 909/2014 is amended as follows:
(1)
paragraph 1 is replaced by the following:
‘1. A CSD shall identify sources of operational risk, both internal and external, and minimise their impact also through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*3), as well as through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates.
(*3) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;"
(2)
paragraph 2 is deleted;
(3)
paragraphs 3 and 4 are replaced by the following:
‘3. For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk to disrupting operations.
4. The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can resume operations from the time of disruption as provided for in Article 12(5) and (7) of Regulation (EU) 2022/2554.’;
(4)
paragraph 6 is replaced by the following:
‘6. A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operates, as well as service and utility providers, and other CSDs or other market infrastructures might pose to its operations. It shall, upon request, provide competent and relevant authorities with information on any such risk identified. It shall also inform the competent authority and relevant authorities without delay of any operational incidents, other than in relation to ICT risk, resulting from such risks.’;
(5)
in paragraph 7, the first subparagraph is replaced by the following:
‘7. ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the operational risks referred to in paragraphs 1 and 6, other than ICT risk, and the methods to test, to address or to minimise those risks, including the business continuity policies and disaster recovery plans referred to in paragraphs 3 and 4 and the methods of assessment thereof.’.
|
|
DORA Ch. IX Sec. II Art. 62
|
Amendments to Regulation (EU) No 600/2014
Regulation (EU) No 600/2014 is amended as follows:
(1)
Article 27g is amended as follows:
(a)
paragraph 4 is replaced by the following:
‘4.
An APA shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council (*4).
(*4) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).’;"
(b)
in paragraph 8, point (c) is replaced by the following:
‘(c)
the concrete organisational requirements laid down in paragraphs 3 and 5.’;
(2)
Article 27h is amended as follows:
(a)
paragraph 5 is replaced by the following:
‘5. A CTP shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’.
(b)
in paragraph 8, point (e) is replaced by the following:
‘(e)
the concrete organisational requirements laid down in paragraph 4.’;
(3)
Article 27i is amended as follows:
(a)
paragraph 3 is replaced by the following:
‘3. An ARM shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’;
(b)
in paragraph 5, point (b) is replaced by the following:
‘(b)
the concrete organisational requirements laid down in paragraphs 2 and 4.’.
|
|
DORA Ch. IX Sec. II Art. 63
|
Amendment to Regulation (EU) 2016/1011
In Article 6 of Regulation (EU) 2016/1011, the following paragraph is added:
‘6.
For critical benchmarks, an administrator shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council (*5).
|
|
DORA Ch. IX Sec. II Art. 64
|
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 17 January 2025.
|
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|