2023-11-21

Decision on Terms and Conditions of Outsourcing Relating to Financial Institution’s Information System

The Executive Board of the National Bank of Serbia issued this Decision to establish regulatory terms and conditions for financial institutions outsourcing information system activities to third parties. The regulation mandates that institutions maintain full responsibility for outsourced functions, implement rigorous risk management frameworks, and ensure business continuity through detailed exit strategies and service level agreements. Financial institutions are required to notify the regulator at least 30 days prior to concluding outsourcing contracts and submit comprehensive documentation regarding provider selection, risk assessment, and supervisory access.


Serbia

National Bank of Serbia


RS Official Gazette, No 100/23

Pursuant to Article 15, paragraph 1 and Article 63, paragraph 3 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 – CC decision and 44/2018), the Executive Board of the National Bank of Serbia issues the following

DECISION ON TERMS AND CONDITIONS OF OUTSOURCING RELATING TO FINANCIAL INSTITUTION’S INFORMATION SYSTEM

Introductory provisions

1. This Decision lays down the terms and conditions of outsourcing in relation to the information system of the financial institution to third parties, and the manner of managing the outsourced activities, with the aim of safe and sound operation concerning information system management in banks, insurance undertakings, financial leasing providers, voluntary pension fund management companies, payment institutions, electronic money institutions and the public postal operator in the part of its operation regarding the provision of payment services and/or issuance of electronic money (hereinafter: financial institution).

This Decision applies to all financial institutions referred to in paragraph 1 hereof, unless stipulated otherwise by some of its provisions.

2. For the purpose of this Decision, some terms are defined as follows:

  1. information system, information system resources, software components, hardware components, information assets, information system risk, incident, information system security, confidentiality, integrity and availability means as defined by the decision governing minimum information system management standards for financial institutions;
  2. critical/key business processes means business processes or functions whose inadequate functioning may significantly jeopardise the stability and continuity of operation of the financial institution, or cause the absence of the provision of financial institution services determined by law;
  3. outsourcing means a set of activities undertaken by the financial institution to select the service provider and conclude a contract based on which the service provider performs activities/services relating to the information system;
  4. service provider means a legal person or entrepreneur to which the financial institution outsourced activities or a part of activities relating to its information system;
  5. sub-outsourcing means a set of activities undertaken for the purpose of concluding a contract between the service provider and the subservice provider, based on which the service provider further outsources some activities within the information system-related activities outsourced to it (the service provider) by the financial institution, while such activities must include the granting of the financial institution’s prior consent to the conclusion of that contract;
  6. subservice provider means a legal person or entrepreneur to which the service provider outsourced activities or a part of activities relating to the information system of the financial institution;
  7. cloud services means services where, on request, a widely distributed and adequate network access to the joint set of adaptable information system resources is enabled (i.e. networks, servers, data storage devices, applications, services etc.), which can be easily provisioned and released, with minimum engagement of the service provider.

Notion and scope of outsourcing of information system-related activities

3. The outsourcing shall be performed in line with regulations governing the operation of financial institutions, unless stipulated otherwise by this Decision.

4. The activities that the financial institution can outsource to the service provider, to which the provisions of this Decision shall apply, include in particular the following:

  1. development, maintenance and management of information system resources;
  2. development and maintenance of business applications impacting critical/key business processes;
  3. processing and/or keeping of data available to the financial institutions and relating to its operation and/or access to those data;
  4. services of verifying information system security (testing the information system vulnerability and weaknesses, penetration testing etc.);
  5. information system internal audit.

The provisions of this Decision shall not apply to the procurement and use of:

  1. services of global financial communication services (e.g. SWIFT) if key information system resources needed for the provision of such service are within the financial institution;
  2. service of provision of information on financial markets (Bloomberg, Reuters etc.);
  3. services of global network infrastructure (Visa, MasterCard etc.) and telecommunication services;
  4. software which, being off-the-shelf, is commercially available in the market and does not require customisation;
  5. other services similar to those under subparagraphs 1) to 4) of this paragraph subject to the NBS’s prior opinion stating that the provisions of this Decision shall not apply to the use of those services.

The financial institution shall not outsource to the service provider the process of information system management which includes the following:

  1. process of adoption of the information system development strategy;
  2. establishment of policies and procedures for information system management, revision and upgrade;
  3. key control functions of management bodies in relation to its information system.

The financial institution shall not transfer authorisations and competences of its management and supervisory bodies to the service provider.

5. The outsourcing shall include each service provider with a separate legal subjectivity in relation to the financial institution that outsources.

The outsourcing referred to in paragraph 1 of this Section shall also include the outsourcing to parties related to the financial institution through ownership and/or management relations (persons with participation, members of the group of companies to which the institution belongs etc.), which operate in the Republic of Serbia or abroad.

Responsibility for managing the outsourced activities

6. The financial institution shall ensure that the outsourcing referred to in Section 4, paragraph 1 of this Decision shall not diminish the responsibilities of competent management bodies of that institution, or the employees responsible for managing its information system.

7. The competent management body of the financial institution shall be responsible for efficient application of this Decision, compliance and application of regulatory requirements, management of risks relating to outsourced activities, and the monitoring and supervision of outsourced activities.

8. In order to ensure adequate management, monitoring and supervision of outsourced activities, in accordance with the nature, scope and complexity of operation, and the complexity of the information system, the financial institution shall set up an adequate organisational structure, with a clearly defined division of tasks and duties of employees, for the purpose of safe and sound functioning of that system.

Framework for managing the outsourced activities

9. The financial institution shall regulate by its internal acts the procedure of outsourcing in order to cover:

  1. the decision-making process containing the lines of responsibility;
  2. the criteria based on which the decision on outsourcing is adopted;
  3. the criteria for selection of the service provider;
  4. assessment of the risk of concentration of exposure to a single service provider (dependence on a single service provider) and determining internal control measures that mitigate the risk;
  5. assessment of the expected benefits and costs arising from the procedure of outsourcing individual activities;
  6. manner of including outsourced activities into the risk management process, particularly the information system risk, and into the risk internal reporting system;
  7. manner of sub-outsourcing to the subservice provider;
  8. manner in which the financial institution ensures the continuity of performance of outsourced activities and measures it undertakes in the event of termination of the contractual relationship with the service provider, and in the event of temporary interruption or discontinuation of the provision of those services, and/or the possibility of resuming the performance of outsourced activities by the financial institution or possibility of transferring those activities to another service provider (“replaceability of the service provider”);
  9. manner of keeping records of outsourced activities;
  10. manner of monitoring the application of the outsourcing contract, which also includes the procedure of informing about changes to the contract and the procedure of renewal (extension of validity) of the contract;
  11. impact of outsourced activities on critical/key business processes;
  12. procedures concerning the protection of data available to the financial institution and relating to its operation (infringement of data confidentiality, integrity and availability).

10. The financial institution shall establish continuous supervision of the performance of outsourced activities which includes the following:

  1. determining employees responsible for monitoring the level and quality of provided services (service-level agreement – SLA) and determining whether services are provided fully in line with the agreement;
  2. analysis of satisfaction with provided services, which, among other things, takes into account interruptions in service provision, regularity and content of the service provider’s report on outsourced activities, and responses to incidents that impacted the financial institution’s business processes;
  3. timely monitoring and notifying the financial institution’s competent bodies about the date of contract expiry;
  4. regular testing of business continuity plans for critical/key business processes with service providers;
  5. verification of compliance of outsourced activities with regulations, good business practices and generally accepted standards in the relevant field etc.

11. In the event of outsourcing referred to in Section 5, paragraph 2 of this Decision, the financial institution shall regulate in particular the manner of exercising supervision of outsourced activities, and determine the types and dynamics of reports on outsourced activities which it will receive from those persons. When the supervision of outsourced activities for all members is performed by the group to which the financial institution belongs (consolidated supervision), the financial institution shall ensure that the group regularly submits to it the reports on performed supervision, and ensure fully independent supervision of outsourced activities for critical/key business processes, regardless of the completed group-wide supervision.

12. The bank intending to outsource to a third party activities whose implementation is important for ensuring the continuity of its critical functions shall ensure the continuity of those functions in the case of implementing resolution instruments and/or measures, in one of the following ways:

  1. by obliging the third party to carry out the outsourced activities in all situations in which it is necessary to ensure the continuity of critical functions of the bank in resolution, and/or bridge bank;
  2. by a contract with an alternative service provider which could ensure the continuity of performance of critical functions of the bank in resolution and/or bridge bank;
  3. a detailed plan for ensuring the continuity of performance of critical functions by using internally available resources of the bank in resolution and/or a bridge bank.

Management of risks arising from outsourced activities

13. The financial institution shall adequately manage information system risks and other risks arising from outsourced activities. The financial institution shall establish the management of risks arising from outsourced activities as a continuous process. Within the assessment of risks arising from outsourced activities, the financial institution shall identify information system resources affected by those activities, potential security threats to the information system and damage that may occur if those threats materialised, and/or shall identify, assess and monitor information system risks, and determine and regularly re-examine controls whereby those risks would be mitigated. In risk assessment, the financial institution shall take into account the expected benefits and costs arising from the procedure of outsourcing concrete activities, risks arising from outsourcing to the service provider which cannot be easily replaced, risks connected with a larger number of contracts concluded with the same service provider or related persons and risks connected with sub-outsourcing, and shall, in relation to this, undertake measures with the aim of managing and/or mitigating those risks.

Outsourcing procedure

14. Outsourcing shall be performed based on the contract concluded between the financial institution and the service provider, pursuant to which the service provider carries out specific activities, and/or provides specific services in relation to the financial institution’s information system, which would otherwise be performed by the financial institution.

The financial institution outsourcing activities to persons referred to in Section 5, paragraph 2 of this Decision shall ensure that the concluded contracts referred to in paragraph 1 of this Section are in compliance with laws and other regulations of the Republic of Serbia.

15. Before making the decision on each individual outsourcing, and/or change of the service provider, the financial institution shall:

  1. explore the market of the services concerned and collect the offers of several potential service providers;
  2. carry out a detailed comparative analysis of all potential service providers concerning the quality of their services, the cost of service provision, their capacity to perform those activities, adequate information system resources that can support the outsourced activities, the sufficient number of employees designated to perform the outsourced activity, financial position and business reputation;
  3. assess whether interruptions in provision or inadequate level of the provided service may have a negative impact on the continuity of operation of the financial institution and the services it provides, and/or whether the activity it outsources impacts the critical/key business process;
  4. determine whether there is dependence on a single service provider;
  5. determine whether the regulations of the country or countries in which the potential service provider operates enable the National Bank of Serbia to smoothly exercise on-site supervision of that operation in the part that concerns or is related to the performance of outsourced activities;
  6. assess potential difficulties and time required for the selection of another service provider or the possibility of resuming the performance of those activities by the financial institution in the event of termination of the provision of the contracted services, as well as determine an appropriate exit strategy;
  7. when possible, carry out an analysis of the success of previous cooperation with a particular service provider.

When making the decision referred to in paragraph 1 hereof or when making a significant change to the outsourced activity (e.g. adding/removing services, application solutions, etc.), the financial institution shall particularly assess the impact of outsourcing on:

  1. business continuity and reputation of the financial institution;
  2. costs, financial result, liquidity and solvency of the financial institution;
  3. the risk profile of the financial institution;
  4. the risk of the financial institution’s information system;
  5. the quality of services provided by the financial institution to clients.

16. When outsourcing activities to persons referred to in Section 5, paragraph 2 of this Decision, the financial institution shall determine the price of services according to market conditions, and shall take into account that the price of the service is affected by the fact that the same service is performed for several institutions connected by ownership and/or management relations.

17. In accordance with Section 15, paragraph 1, subparagraph 6) of this Decision, the financial institution shall adopt an exit strategy in the event of termination of the provision of contracted services, which in particular contains:

  1. the criteria based on which the decision to implement this strategy is made;
  2. the responsibility of competent bodies of the financial institution for the implementation of that strategy;
  3. the list of measures and activities that need to be undertaken from the moment of termination of the provision of contracted services until the selection of another service provider or full establishment of the process of performing those activities within the financial institution, as well as the dynamics of their implementation;
  4. analysis of the financial and human resources required for the implementation of this strategy, including the performance of activities within the financial institution;
  5. provision of conditions for the performance of outsourced activities to be continued by another service provider or the financial institution itself (procurement of software components, hardware components, licences, etc.).

18. The financial institution shall ensure that every contract concluded with the service provider contains in particular the provisions that:

  1. describe in detail and precisely the outsourced activity that is the subject of the contract;
  2. determine the obligations of the service provider referred to in Section 19, paragraphs 2 and 4 of this Decision;
  3. enable the financial institution to unilaterally terminate the contract if the National Bank of Serbia so orders;
  4. regulate the possibility of sub-outsourcing activities, specifying the necessary conditions for sub-outsourcing;
  5. determine the deadline for the conclusion of the contract, and/or termination of the provision of services;
  6. determine the locations where the outsourced activity will be performed and the locations where the financial institution’s data related to the outsourced activity will be processed and stored, as well as the obligation of the service provider to inform the financial institution about the change in those locations;
  7. regulate the method of access to the financial institution’s information system, and/or the method of managing access rights when it is necessary to provide the service;
  8. regulate the manner in which the financial institution will continuously monitor the quality and level of services provided (quantitative and qualitative), as well as the types and dynamics of reports that the financial institution will receive from the service provider;
  9. define incident management in such a way as to determine the procedures and roles for solving incidents, as well as the manner of reporting on the incident and its consequences for the financial institution in accordance with the provisions of the decision regulating minimum information system management standards for financial institutions;
  10. regulate the manner of cooperation with the service provider in relation to requests for changes of hardware/software components, the elimination of observed defects or emergency interventions in the event of an incident;
  11. determine the conditions based on which the contract may be terminated;
  12. determine the obligation of the service provider referred to in Section 31, paragraphs 1 and 2 of this Decision;
  13. establish the obligation of the service provider to fully comply with the regulations of the Republic of Serbia when providing services.

19. The financial institution shall ensure that the outsourcing does not jeopardise security or functionality of its information system, as well as that the financial institution’s data remain in its possession, and/or under its control.

The financial institution shall ensure that the service provider performs outsourced activities in accordance with the information system security policy and other acts of the financial institution that regulate the security of its information system.

The financial institution shall ensure maintenance and regular testing of its business continuity plans with service providers for all outsourced critical/key business processes.

When outsourcing and/or performing outsourced activities, the financial institution and the service provider shall act in accordance with the law governing personal data protection, as well as other regulations governing the keeping of secrets arising from the operation of financial institutions.

20. The financial institution can outsource certain activities and conclude an outsourcing contract, significantly change the outsourcing contract (by adding/removing outsourced activities) and change the service provider, i.e. select a new service provider – only if it notifies the National Bank of Serbia thereof no later than 30 days before concluding the outsourcing contract or its annex, in the form contained in Annex 1, which is printed along with this Decision and makes its integral part.

Along with the notification referred to in paragraph 1 of this Section, the financial institution shall submit:

  1. the decision of the competent management body of the financial institution on outsourcing, on important change to the outsourcing contract or change of the service provider, and/or selection of a new service provider;
  2. draft outsourcing contract in accordance with Section 18 of this Decision, i.e. the draft of the annex to that contract, including all accompanying contracts (e.g. relating to the level of services provided and data protection);
  3. a detailed analysis of the service provider, the conditions it must fulfil and the criteria based on which it was selected;
  4. results of the assessment referred to in Section 15, paragraph 2 of this Decision;
  5. the exit strategy referred to in Section 17 of this Decision;
  6. evidence that the regulations of the country, and/or the countries in which the service provider operates enable the National Bank of Serbia to smoothly perform on-site supervision of operations in the part that concerns or is related to the performance of outsourced activities – if the service provider is headquartered outside the Republic of Serbia or if contracted that the outsourced activities be performed outside the Republic of Serbia.

If, on the basis of the notification, documentation and evidence referred to in paragraph 2 of this Section, it is not possible to determine all the facts important for acting on that notification, the National Bank of Serbia may request from the financial institution to supply other documentation that it deems necessary.

If the contract referred to in paragraph 1 of this Section is changed in such way that the changes refer to the duration of that contract, financial conditions (price of services) or changes to provisions that do not affect the performance of outsourced activities – the financial institution shall, no later than 15 days before the conclusion of the annex to that contract, inform the National Bank of Serbia thereof in the form contained in Annex 1, and shall submit to it the draft annex.

Deadlines referred to in paragraphs 1 and 4 of this Section shall be counted from the day of submission of complete documentation referred to in this Section.

21. The National Bank of Serbia shall particularly assess whether outsourcing to the service provider may lead to the concentration of participants in the market of information technology services provided to financial institutions or to the dominant position of the service provider in that market, which may negatively impact this market, smooth functioning of the payment system or financial stability.

The National Bank of Serbia can give the assessment referred to in paragraph 1 of this Section after submission of the notification along with complete documentation referred to in Section 20 of this Decision, before or after outsourcing at any time.

If it assesses that outsourcing to the service provider may lead to the concentration of participants in the market of information technology services provided to financial institutions or to the dominant position of the service provider in that market, which may negatively impact this market or the smooth functioning of the payment system or financial stability – the National Bank of Serbia shall notify the financial institution thereof, based on which the institution cannot outsource the activities to the service provider referred to in paragraph 1 of this Section. If it received the notification referred to in this paragraph after outsourcing – the financial institution shall terminate the outsourcing contract within the period determined by the National Bank of Serbia, which cannot be shorter than three months from the date of receipt of that notification.

22. The financial institution shall submit the contract referred to in Section 20, paragraph 1 of this Decision to the National Bank of Serbia, including the annexes to that contract, within 15 days from the date of conclusion of that contract, and/or the annex. In the event that the concluded contract differs from the draft contract submitted by the financial institution along with the notification referred to in Section 20, paragraph 1 of this Decision, when submitting the contract referred to in this Section, it is necessary to indicate the part in which the changes were made.

In the event of termination of the contract referred to in paragraph 1 of this Section, the financial institution shall inform the National Bank of Serbia thereof without delay.

Sub-outsourcing procedure

23. The service provider may outsource to the subservice provider the activities outsourced to it by the financial institution or other tasks related to those activities – only with the prior consent of the financial institution, which is issued in each individual case.

In the event of critical/key business processes, before giving the consent referred to in paragraph 1 of this Section, the financial institution shall assess the risks associated with sub-outsourcing and the risks that may arise when one service provider engages several subservice providers for the implementation of outsourced activities (complex outsourcing chains).

24. The financial institution shall ensure that every contract concluded with the subservice provider contains in particular the provisions that:

  1. describe in detail and precisely the sub-outsourced activities that are the subject of the contract;
  2. determine the obligations of the subservice provider referred to in Section 19, paragraphs 2 and 4 of this Decision;
  3. oblige the service provider to supervise the quality, quantity and continuity of the outsourced activities;
  4. provide the financial institution with the right to object to the quality and level of services provided, and potentially terminate the contract with the service provider or the right to require the service provider to terminate the contract with the subservice provider;
  5. define the locations where the sub-outsourced activities will be performed and the locations where data will be processed and stored;
  6. regulate the method of access to the financial institution’s information system, and/or the method of managing access rights when this is necessary to provide the service;
  7. establish the obligation of the subservice provider to fully comply with the regulations of the Republic of Serbia when providing services.

25. The financial institution may give the consent referred to in Section 23, paragraph 1 of this Decision only if it has notified the National Bank of Serbia of the intended sub-outsourcing no later than 30 days before the consent, in the form contained in Annex 1.

Along with the notification referred to in paragraph 1 of this Section, the financial institution shall submit:

  1. the draft decision of the competent management body of the financial institution on giving the consent referred to in Section 23, paragraph 1 of this Decision;
  2. the draft sub-outsourcing contract in accordance with Section 24 of this Decision;
  3. results of the risk assessment referred to in Section 23, paragraph 2 of this Decision;
  4. results of the revised assessment referred to in Section 15, paragraph 2 of this Decision;
  5. the revised exit strategy referred to in Section 17 of this Decision;
  6. evidence that the regulations of the country, and/or the countries in which the subservice provider operates enable the National Bank of Serbia to smoothly perform on-site supervision of operations in the part that concerns or is related to the performance of outsourced activities – if the subservice provider is headquartered outside the Republic of Serbia or if contracted that the outsourced activities be performed outside the Republic of Serbia.

The deadline referred to in paragraph 1 of this Section shall be calculated from the day of submission of complete documentation referred to in this Section.

Cloud outsourcing

26. Cloud outsourcing shall be carried out in accordance with the provisions of this Decision.

27. In the event of outsourcing referred to in Section 26 of this Decision, the financial institution shall additionally determine:

  1. clear roles and responsibility for information security of the cloud service provider towards the financial institution;
  2. responsibilities for maintaining hardware and software components according to the manufacturer’s requirements, testing and applying security patches;
  3. the method of managing incidents so that the procedures and roles for solving incidents are determined, as well as the method of reporting on the incident and its consequences for the financial institution;
  4. secure authentication mechanism, and/or control of access to data and services using multi-factor authentication;
  5. procedures that ensure adequate encryption of data during data transmission, storage and backup.

28. The financial institution intending to perform cloud outsourcing shall additionally take into account the following when assessing the risk of such outsourcing:

  1. cloud service implementation model (public, private, shared, hybrid, etc.);
  2. type of cloud services (infrastructure as a service – IaaS, platform as a service – PaaS and software as a service – SaaS, etc.);
  3. the impact of data migration and resource implementation in the chosen type of cloud services;
  4. network capacities for simple and secure data transfer (data portability);
  5. data protection during cloud migration and storage.

29. When cloud outsourcing, the financial institution shall, in accordance with Section 17 of this Decision, develop an adequate exit strategy in the event of termination of the provision of these services, which additionally includes procedures governing the termination and re-establishment of cloud services or their transfer to another service provider or that financial institution, as well as detailed plans for the migration of data and/or resources of information systems depending on the type of cloud services.

30. The financial institution shall ensure that any contract on cloud outsourcing, in addition to the provisions referred to in Section 18 of this Decision, shall also contain provisions governing the ownership of data, the method of accessing data and services, as well as the download of the financial institution’s data in a readable format after the termination of the provision of that service and their adequate deletion by the service provider.

Supervision of outsourced activities

31. The financial institution shall ensure that the service provider provides to it, the external auditor and the National Bank of Serbia timely and unrestricted access to documentation and data related to outsourced activities.

The financial institution shall also enable the National Bank of Serbia to smoothly perform on-site supervision of outsourced activities on the premises of the service provider or subservice provider, and/or at the location where outsourced activities are performed.

If in the process of supervision, it determines that the financial institution, due to omissions in the work of the service provider or subservice provider, does not act in accordance with this Decision and other regulations – the National Bank of Serbia may order the financial institution to terminate the outsourcing contract concluded with the service provider.

32. The financial institution shall be fully responsible for the activities it has outsourced to the service providers.

33. The financial institution shall take appropriate measures, including the termination of the contract, if the service provider or subservice provider does not act in accordance with the contract, regulations or professional standards or if significant omissions have been determined in connection with the keeping of confidentiality, integrity, availability, authenticity, provability, non-repudiation and reliability in the information system.

34. The financial institution shall regularly supervise the services provided, and/or perform at least once a year:

  1. a detailed analysis of each service provider in relation to its capacity to provide services, the capacity of its information system to support the outsourced activities, the number of employees of the service provider designated to perform the outsourced activity, financial condition, business reputation, etc.;
  2. risk assessment of the information system in relation to outsourced activities;
  3. assessment of whether interruptions in the provision of the service or an inadequate level of the service provided may have a negative impact on the continuity of the financial institution’s operations and the services it provides, and/or whether the activity it outsources affects a critical/key business process;
  4. analysis of the success of previous cooperation with a specific service provider and the possibility of its replacement.

Records of outsourced activities

35. The financial institution shall keep up-to-date records of outsourced information system-related activities, containing:

  1. the number of outsourcing contracts;
  2. dates of conclusion, possible changes and termination of validity of the contract;
  3. data about the service provider – business name, headquarters, registration number and other relevant data;
  4. information on whether the service provider is connected to the financial institution by ownership and/or management relations;
  5. the classification of the outsourced activity that should facilitate its identification (e.g. maintenance of hardware equipment, implementation of software components, penetration testing, maintenance of the core business application, etc.);
  6. a brief description of the outsourced activity;
  7. description of the data that the service provider has access to or are in its possession, and/or the information on whether the data were transferred to another service provider;
  8. information on whether the outsourced activity is critical/key or affects critical/key business processes;
  9. the name of the country or countries in which the outsourced activity is carried out and the country or countries in which the data are located;
  10. information about the model and type of cloud service;
  11. the date of the last assessment of the level of the service provided and the risk assessment of the information system in connection with outsourced activities;
  12. information about sub-outsourced services (short description of the service, basic data about the subservice provider, etc.).

The bank shall submit to the National Bank of Serbia an excerpt from the records containing an overview of all outsourced activities in accordance with the decision governing the outsourcing of the bank’s activities to a third party.

Transitional and final provisions

36. The financial institution shall harmonise its internal acts with the provisions of this Decision within six months from the date of its entry into force.

37. The financial institution shall harmonise the existing outsourcing contracts concluded in accordance with the Decision on Minimum Information System Management Standards for Financial Institutions (RS Official Gazette, Nos 23/2013, 113/2013, 2/2017, 88/2019 and 37/2021) with the provisions of this Decision upon the first change of the contract, and no later than 31 December 2024.

38. As of the day of application of this Decision, Sections 40 to 48a of the Decision on Minimum Information System Management Standards for Financial Institutions (RS Official Gazette, Nos 23/2013, 113/2013, 2/2017, 88/2019 and 37/2021) shall cease to be valid.

39. This Decision enters into force on the eighth day following its publication in the Official Gazette of the Republic of Serbia, and applies starting from 1 March 2024.

NBS EB No 83
9 November 2023
Belgrade

Chairperson
Executive Board of the National Bank of Serbia
Governor
National Bank of Serbia
Dr Jorgovanka Tabaković, sgd.