Bank of Slovenia Regulation on Applying Joint Guidelines for Estimating ICT Incident Costs Under DORA

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 1 of 2  Official Gazette of the Republic of Slovenia, No. 36/25 of 16 May 2025 (in force since 17 May 2025) Pursuant to the third paragraph of Article 13 of the Banking Act (Official Gazette of the Republic of Slovenia, Nos. 92/21, 123/21 [ZBNIP], 2/25 [constitutional court decision] and 17/25; hereinafter: the ZBan-3), and the first paragraph of Article 31 of the Bank of Slovenia Act (Official Gazette of the Republic of Slovenia, Nos. 72/06 [official consolidated version], 59/11 and 55/17), the Governing Board of Bank of Slovenia hereby issues the following REGULATION on the application of the Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 Article 1 (purpose and field of application of guidelines) (1) Pursuant to Article 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331 of 15 December 2010, p. 12), last amended by Regulation (EU) No 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L 2024/1620 of 19 June 2024) (hereinafter: Regulation (EU) 1093/2010), on 17 July 2024 the European Banking Authority (hereinafter: the EBA) published the Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (JC 2024 34; hereinafter: the guidelines) on its website. (2) The guidelines referred to in the first paragraph of this article set out the approach to the estimation of aggregated annual costs and losses of major information and communication technology)-related incidents, and specify a common template for the submission to competent authorities of the estimates under Article 11(10) of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333 of 27 December 2022; p. 1), last amended by a corrigendum (OJ L 2024/90634 of 25 October 2024) (hereinafter: Regulation (EU) 2022/2554). (3) The guidelines are addressed to:

1. competent authorities referred to in Article 46 of Regulation (EU) 2022/2554; and
2. financial institutions referred to in point 1 of Article 4 of Regulation (EU) 1093/2010, point 1 of Article 4 of Regulation (EU) 1094/2010 and point 1 of Article 4 of Regulation (EU) 1095/2010. Article 2 (content of regulation and scope of application of guidelines) (1) By virtue of this regulation Bank of Slovenia sets out the application of the guidelines and all their future amendments, unless provided otherwise by Bank of Slovenia in respect of a particular amendment to the guidelines, to:

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 2 of 2

1. banks and savings banks that in accordance with the ZBan-3 have obtained an authorisation to provide banking services;
2. payment institutions that in accordance with the Payment Services, Electronic Money Issuance Services and Payment Systems Act (Official Gazette of the Republic of Slovenia, Nos. 7/18, 9/18 [corrigendum], 102/20, 113/24 and 17/25 [ZPPDFT-2B]; hereinafter: the ZPlaSSIED) have obtained an authorisation to provide payment services;
3. electronic money institutions that in accordance with the ZPlaSSIED have obtained an authorisation to provide payment services;
4. payment institutions benefitting from a waiver that in accordance with the ZPlaSSIED have obtained an authorisation to provide payment services;
5. account information service providers entered in the register of payment institutions in accordance with the ZPlaSSIED;
6. Bank of Slovena, when in accordance with Regulation (EU) 2022/2554 in its role as the competent authority it is exercising supervisory powers and tasks over institutions referred to in points 1 to 5 of this paragraph. (2) Institutions referred to in points 1 to 5 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to them. (3) In exercising its supervisory powers and tasks in accordance with Regulation (EU) 2022/2554 and the Decree on the implementation of the regulation (EU) on digital operational resilience for the financial sector (Official Gazette of the Republic of Slovenia, No. 25/25), Bank of Slovenia shall take full account of the provisions of the guidelines in the parts relating to the exercise of the powers and tasks of the competent authority. Article 3 (entry into force) This regulation shall enter into force on the day after its publication in the Official Gazette of the Republic of Slovenia. Ljubljana, 13 May 2025 Primož Dolenc Acting President, Governing Board of Bank of Slovenia