1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:
| (a) | requirements applicable to financial entities in relation to:(i)information and communication technology (ICT) risk management;(ii)reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;(iii)reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);(iv)digital operational resilience testing;(v)information and intelligence sharing in relation to cyber threats and vulnerabilities;(vi)measures for the sound management of ICT third-party risk; |
| (b) | requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities; |
| (c) | rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities; |
| (d) | rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation. |
2. In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.
3. This Regulation is without prejudice to the responsibility of Member States’ regarding essential State functions concerning public security, defence and national security in accordance with Union law.