Instruction No. 2025-I-09 on the Notification to the ACPR of the Outsourcing of the Obligation to Report Major ICT-Related Incidents

AUTORITÉ DE CONTRÔLE PRUDENTIEL ET DE RÉSOLUTION

Instruction No. 2025-I-09 regarding the notification to the Autorité de Contrôle Prudentiel et de Résolution of the outsourcing of the obligation to report major incidents related to information and communication technologies (ICT)

The Autorité de Contrôle Prudentiel et de Résolution, Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, in particular Article 19(5) relating to the outsourcing of the obligation to report major ICT-related incidents; Having regard to Article 6 of Commission Implementing Regulation (EU) 2024/302 of 23 October 2024 defining the procedures for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards the notification by financial entities that have chosen to outsource the obligation to report major ICT-related incidents of the identity of third-party reporters acting on their behalf; Having regard to the Monetary and Financial Code, in particular Articles L. 612-2 and L. 612-24; Having regard to the Insurance Code, in particular Articles L. 310-3-1, L. 355-1, L. 356-21, L. 381-1, L. 385-6, D. 344-5, R. 355-6 and R. 385-17; Having regard to the Mutual Insurance Code, in particular Articles L. 212-1, L. 211-10, L. 214-1, L. 214-12, D. 114-11 and R. 214-5; Having regard to the Social Security Code, in particular Articles L. 931-6, L. 931-9, L. 942-1, L. 942-11, D. 931-37 and R. 942-5; Having regard to the opinion of the Prudential Affairs Consultative Commission of 5 June 2025, DECIDES

Article 1 Subject to the exclusions mentioned in the third paragraph of Article 2 of Regulation (EU) 2022/2554, the following financial entities - hereinafter referred to as "subject entities" – are concerned by this instruction: A. In the banking, payment services and investment services sector:

1. credit institutions;

2 2) payment institutions; 3) account information service providers; 4) electronic money institutions; 5) investment firms as defined in Article L. 531-4 of the Monetary and Financial Code; 6) token issuers referring to one or more approved assets under Regulation (EU) 2023/1114; 7) central counterparties; B. In the insurance sector: 8) insurance and reinsurance undertakings subject to the so-called "Solvency II" regime mentioned in Articles L. 310-3-1 of the Insurance Code, L. 211-10 of the Mutual Insurance Code and L. 931-6 of the Social Security Code; 9) insurance holding companies and mutual insurance holding companies mentioned in Articles L. 322-1-2 and L. 322-1-3 of the Insurance Code; the mutual group unions mentioned in Article L. 111-4-2 of the Mutual Insurance Code; 10) social protection insurance holding companies mentioned in Article L. 931-2-2 of the Social Security Code; 11) mixed financial holding companies mentioned in Article L. 517-4 of the Monetary and Financial Code, included in group supervision within the meaning of Article L. 356-2 of the Insurance Code; 12) supplementary occupational retirement benefit institutions, namely supplementary occupational retirement funds (FRPS) mentioned in Article L. 381-1 of the Insurance Code, supplementary occupational retirement mutuals or unions (MRPS or URPS) mentioned in Article L. 214-1 of the Mutual Insurance Code and supplementary occupational retirement institutions (IRPS) mentioned in Article L. 942-1 of the Social Security Code, in accordance with the modalities provided for by Regulation (EU) 2022/2554 in its Article 2, paragraph 3(c)); 13) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are not microenterprises or small and medium-sized enterprises in accordance with point (e) of Article 2(3) of Regulation (EU) 2022/2554.

Article 2 Subject entities shall notify individually to the Autorité de Contrôle Prudentiel et de Résolution any outsourcing agreement for the reporting of major ICT-related incidents in accordance with the provisions of Article 6 of Implementing Regulation (EU) 2025/302 upon its conclusion, by transmitting all information required by the model provided in Annex 1. In order to ensure the verification of the legitimacy of the third-party reporting service provider by the ACPR services, the first report made under this outsourcing arrangement may only take place the day after the transmission of the aforementioned information.

3

Article 3 Subject entities shall notify without delay and individually to the Autorité de Contrôle Prudentiel et de Résolution the termination of an outsourcing agreement for the reporting of major ICT-related incidents in accordance with the provisions of Article 6 of Implementing Regulation (EU) 2025/302, by transmitting all the information required by the model provided in Annex I. Upon the termination of the outsourcing agreement, subject entities remain obliged to implement the reporting obligation provided for by Article 19 of Regulation (EU) 2022/2554.

Article 4 The technical and methodological procedures for submission are defined by the ACPR instructions in force.

Article 5 This instruction shall enter into force as of 1 July 2025. Paris, 23 June 2025 The President, François VILLEROY de GALHAU