2020-04-22

Regulation on the Application of the Guidelines on ICT and Security Risk Management

Banka Slovenije issues this regulation to formally apply the European Banking Authority's Guidelines on ICT and security risk management (EBA/GL/2019/04) to Slovenian financial institutions. The measure requires banks and other payment service providers to implement the guidelines' risk management and cybersecurity measures for their ICT systems and payment services. The regulation also repeals the earlier regulation that applied the PSD2 guidelines on security measures for operational and security risks of payment services, and requires Banka Slovenije to take the new guidelines into account in its supervisory practice; the regulation applies from 30 June 2020.


Slovenia

Banka Slovenije


THIS TEXT IS AN UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE

Official Gazette of the Republic of Slovenia, No. 52/2020 of 15 April 2020 (in force as of 16 April 2020)

Pursuant to the third paragraph of Article 13 of the Banking Act (Official Gazette of the Republic of Slovenia, Nos. 25/15, 44/16 [ZRPPB], 77/16 [ZCKR], 41/17, 77/18 [ZTFI-1], 22/19 [ZIUDSOL] and 44/19 [constitutional court decision]; hereinafter: the ZBan-2), the eleventh paragraph of Article 243 of the Payment Services, Electronic Money Issuance Services and Payment Systems Act (Official Gazette of the Republic of Slovenia, Nos. 7/18 and 9/18 [corrigendum]; hereinafter: the ZPlaSSIED), and the first paragraph of Article 31 of the Bank of Slovenia Act (Official Gazette of the Republic of Slovenia, Nos. 72/06 [official consolidated version], 59/11 and 55/17), the Governing Board of Banka Slovenije hereby issues the following

REGULATION on the application of the Guidelines on ICT and security risk management

Article 1
(purpose and field of application of guidelines)

(1) Pursuant to Article 16(1) of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331 of 15 December 2010, p 12), as last amended by Regulation (EU) No 2018/1717 of the European Parliament and of the Council of 14 November 2018 amending Regulation (EU) No 1093/2010 as regards the location of the seat of the European Banking Authority (OJ L 291 of 16 November 2018, p 1; hereinafter: Regulation (EU) No 1093/2010), on 28 November 2019 the European Banking Authority published the Guidelines on ICT and security risk management (EBA/GL/2019/04; hereinafter: the guidelines) on its website.

(2) The guidelines referred to in the first paragraph of this article specify the risk management measures that financial institutions must take in accordance with Article 74 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC to manage their ICT and security risks for all activities, and that payment service providers must take in accordance with Article 95(1) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 of 23 December 2015, pp 35-127; hereinafter: Directive (EU) 2015/2366) to manage the operational and security risks relating to the payment services that they provide. The guidelines include requirements for information security, including cybersecurity, to the extent that the information is held on ICT systems.

(3) The guidelines are addressed to:

  1. institutions as defined in point 3 of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176 of 27 June 2013, p 1), as last amended by Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 as regards the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirements, and Regulation (EU) No 648/2012 (OJ L 150 of 7 June 2019, pp 1-225; hereinafter: Regulation (EU) No 575/2013);
  2. payment service providers as defined in point 11 of Article 4 of Directive (EU) 2015/2366;
  3. competent authorities as defined in point 40 of Article 4(1) of Regulation (EU) No 575/2013;
  4. the European Central Bank, in connection with matters relating to the tasks transferred to it in accordance with Regulation (EU) No 1024/2013;
  5. competent authorities in accordance with Directive (EU) 2015/2366, as defined in point (i) of Article 4(2) of Regulation (EU) No 1093/2010.

Article 2
(content of regulation and scope of application of guidelines)

(1) By virtue of this regulation Banka Slovenije sets out the application of the guidelines to:

  1. banks and savings banks that in accordance with the ZBan-2 have obtained an authorisation to provide banking services in the Republic of Slovenia (hereinafter: banks);
  2. other payment service providers as defined in Article 20 of the ZPlaSSIED;
  3. Banka Slovenije, when in accordance with the ZBan-2 and the ZPlaSSIED in its role as the competent authority it is exercising supervisory powers and tasks over banks referred to in point 1 of this paragraph and payment service providers referred to in point 2 of this paragraph.

(2) Banks referred to in point 1 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to banks.

(3) Other payment service providers referred to in point 2 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to other payment service providers.

(4) In exercising its supervisory powers and tasks in accordance with the ZBan-2, the ZPlaSSIED and Regulation (EU) No 575/2013, Banka Slovenije shall take full account of the provisions of the guidelines in the parts relating to the exercise of the powers and tasks of the competent authority.

Article 3
(repeal of previous regulation)

On the day that this regulation enters into force, the Regulation on the application of the Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) (Official Gazette of the Republic of Slovenia, No. 11/18) shall cease to be in force.

Article 4
(entry into force)

This regulation shall enter into force on the day after its publication in the Official Gazette of the Republic of Slovenia, and shall begin to be applied on 30 June 2020.

Ljubljana, 7 April 2020

Boštjan Vasle
President, Governing Board of Banka Slovenije