LogoRegulatory Alerts
2023-01-01

Law on Digital Operational Resilience for the Financial Sector

The Parliament of Montenegro adopted this law to establish requirements for digital operational resilience across the financial sector, applying to entities such as credit institutions, investment firms, and crypto-asset service providers. The legislation mandates that financial entities implement robust ICT risk management frameworks and governance structures to ensure the security and continuity of their network and information systems. Competent authorities, including the Central Bank and the Capital Market Authority, are designated to supervise compliance while applying proportionality principles based on entity size and risk profile.

Central Bank of Montenegro logo

Montenegro

Central Bank of Montenegro

Click to view thumbnail

[unofficially consolidated translation] Pursuant to Article 82 paragraph 1 item 2 and Article 91 paragraph 1 of the Constitution of Montenegro, the Parliament of Montenegro of the 28th Convocation, at the session of the First Extraordinary Sitting in 2026, held on 2 February 2026, adopted the LAW ON DIGITAL OPERATIONAL RESILIENCE FOR THE FINANCIAL SECTOR* I BASIC PROVISIONS Subject matter Article 1 This Law governs the requirements, procedures and measures for determining high level of digital operational resilience for the financial sector, including requirements concerning security of network and information systems supporting the operations of financial entities, as well as other matters important for digital operational resilience for the financial sector. Scope of application Article 2 (1) This law shall apply to financial sector entities (hereinafter: financial entity), as follows:

  1. credit institution;
  2. payment institution with head office in Montenegro;
  3. registered account information service provider with head office in Montenegro;
  4. electronic money institution with head office in Montenegro;
  5. investment firm;
  6. central securities depository and clearing company;
  7. central counterparty;
  8. trading venue;
  9. trading repository;
  10. alternative investment fund management company;
  11. open-ended investment fund with a public offering management company;
  12. institution for occupational retirement provision;
  13. data reporting service provider;
  14. administrator of key benchmarks;
  15. insurance undertaking;
  16. reinsurance undertaking;
  17. branch of foreign insurance undertaking;
  18. branch of foreign reinsurance undertaking;
  19. insurance intermediary;
  20. ancillary insurance intermediary;
  21. insurance broker - entrepreneur;
  22. insurance agency;
  23. ancillary insurance agent;
  24. insurance agent - entrepreneur;
  25. agency for providing other insurance services;
  26. crypto-asset service provider;
  27. issuer of asset-referenced tokens.

(2) This Law shall not apply to the following:

  1. Development Bank of Montenegro;
  2. insurance and reinsurance undertakings as referred to in Articles 3 and 4 of the Insurance Law (OGM 33/25);
  3. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries classified as micro, small or medium financial entities;
  4. institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total, and are regulated by the law governing voluntary pension funds. (3) This law shall not affect the provisions of the laws governing the powers of state bodies concerning protection of public security, national security and defence. Competent authority Article 3 (1) Competent authority, within the meaning of this Law, shall be an authority which, in accordance with the law governing the establishment and operations of a financial entity referred to in Article 2 paragraph (1) of this Law is competent for examination, supervision of that entity, as follows:
  5. for a financial entity referred to in Article 2 paragraph (1) items 1) to 4) of this Law, the Central Bank of Montenegro (hereinafter: the Central Bank);
  6. for a financial entity referred to in Article 2 paragraph (1) items 5) do 14) of this Law, Capital Market Authority of Montenegro (hereinafter: Capital Market Authority);
  7. for a financial entity referred to in Article 2 paragraph (1) items 15) do 25) of this Law, Insurance Supervision Agency (hereinafter: the Agency);
  8. for financial entity referred to in Article 2 paragraph (1) items 26) and 27) of this Law, authority established by way of separate law. (2) The competent authorities referred to in paragraph (1) of this Article shall cooperate with each other and exchange information and data necessary for the implementation of this Law. (3) An administrative dispute by way of a lawsuit may be brought against the administrative decision of the competent authority that is passed in accordance with the provisions of this Law. (4) In an administrative dispute against the administrative decision of the competent authority referred to in paragraph (3) of this Article, the competent court may not decide on the merits of the subject matter of the administrative dispute for which this Law establishes the competence of the competent authority. Digital operational resilience Article 4 Digital operational resilience, within the meaning of this law, shall be the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by information and communication technology (hereinafter: ICT) third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions. Principle of proportionality Article 5 (1) A financial entity shall implement the provisions of this law which are proportionate to its size and overall risk profile, and the nature, scale and complexity of its services, activities and operations, the manner laid down in this Law. (2) The competent authority shall consider the application of the proportionality principle referred to in paragraph (1) of this Article when reviewing the consistency of the financial entity’s ICT risk management framework, taking into account the reports submitted upon the request of the competent authority in accordance with Article 11 paragraph (3) of this Law or Article 21 of this Law.

Classification of financial entities based on the size Article 6 (1) Financial entities shall be classified, within the meaning of this Law, depending on the average number of employees, total annual income and total assets, as follows:

  1. micro financial entities, where:
  • their annual average number of employees in a business year is lower than ten; and
  • their total annual income and/or total assets is up to EUR 2,000,000.00;
  1. small financial entities, where:
  • their annual average number of employees in a business year is from ten to 49; and
  • their total annual income and/or total assets is from EUR 2,000,000.01 to EUR 10,000,000.00;
  1. medium-sized financial entities, where:
  • their annual average number of employees in a business year is lower than 250; and
  • their total annual income is up to EUR 50,000,000.00 and/or total assets is up to EUR 43,000,000.00;
  1. other financial entities that may not be classified as micro, small or medium-sized financial entities, in accordance with items 1) to 3) of this paragraph. (2) A financial entity shall carry out the classification in accordance with the criteria laid down in paragraph (1) of this Article as of the day of drawing up financial statements and shall use the data obtained, on the basis of which the classification was carried out, for the next business year. (3) By way of derogation from paragraph (2) of this Article, new financial entity shall be classified based on data laid down in financial statements of the current business year and the number of months in business, and the established data shall be used for the current and next business year. (4) The average number of employees referred to in paragraph (1) of this Article shall be calculated by dividing the total number of employees at the end of each month, including employees abroad by the number of months in a business year or the number of months the financial entity is in business. (5) Where, as of the day of drawing up the balance sheet, the deviation from the limit values referred to in paragraph (1) of this Article occurs during two consecutive financial years, the financial entity shall carry out its classification in the appropriate category for the next business year. (6) By way of derogation from paragraph (1) item 1) of this Article, a financial entity that is a trading venue, central counterparty, trading repository or central clearing and depository company and meets the conditions to be classified as micro financial entity, shall be classified as other financial entity. Use of gender-neutral language Article 7 Expressions in this Law used for natural persons in the masculine gender shall include the same expressions in the feminine gender. Definitions Article 8 The terms used in this Law shall have the following meaning:
  2. network and information system mean:

  • an electronic communications network or transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;

  • any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or

  • digital data stored, processed, retrieved or transmitted by elements covered under indents 1 and 2 of this item for the purposes of their operation, use, protection and maintenance: 2)legacy ICT system means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity; 3)security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; 4)ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; 5)information asset means a collection of information, either tangible or intangible, that is worth protecting; 6)ICT asset means a software or hardware asset in the network and information systems used by the financial entity; 7)ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; 8)operational or security payment-related incident means a single event or a series of linked events unplanned by the financial entity referred to in Article 2 paragraph (1) items 1) to 4) of this Law, whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity; 9)major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;

  1. major operational or security payment-related incident means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided;
  2. cyber threat means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;
  3. significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;
  4. cyber-attack means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset;
  5. threat intelligence means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;
  6. vulnerability means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;
  7. threat-led penetration testing (TLPT) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;
  8. TLPT authority of another Member State means:

  • the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;

  • the competent authority with head office in another country to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;

  • (the competent authority referred to in Article 46 of Regulation (EU) 2022/2554 with head office in another Member State;

  1. joint TLPT means a TLPT, other than a pooled TLPT as referred to in Article 30 paragraph (s) of this Law, involving several financial entities using the same ICT intra-group service provider, or belonging to the same group and sharing ICT systems;
  2. ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;
  3. ICT third-party service provider means a legal or natural person providing ICT services;
  4. ICT intra-group service provider means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent legal persons, dependant legal persons, branches or other entities that are under common ownership or control;
  5. ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;
  6. critical or important function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its licence, or with its other obligations in accordance with regulations governing the provision of financial services;
  7. critical ICT third-party service provider means an ICT third-party service provider designated as critical in accordance with Article 31 of Regulation (EU) 2022/2554;
  8. ICT third-party service provider with head office in a third country means an ICT third-party service provider that is a legal person with head office in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services;
  9. third country means a foreign state other than the Member State and the Member State until Montenegro joins the European Union;
  10. Member State means the European Union Member State and a State signatory to the Agreement on the European Economic Area;
  11. dependant legal person means a legal person controlled by a parent legal person, including any legal person controlled by ultimate parent legal person;
  12. group means a parent legal person and all its dependant legal persons;
  13. parent legal person has the meaning as determined in the law governing the accounting;
  14. ICT subcontractor with head office in a third country means an ICT subcontractor that is a legal person with head office in a third-country and that has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider with head office in a third country;
  15. ICT concentration risk means an exposure to individual or multiple related ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the market as a whole;
  16. management body means:
  • a body or bodies of a financial entity, which are empowered, in accordance with regulations, to set the strategy, objectives and overall direction of the financial entity, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the financial entity; or
  • equivalent persons who have powers equivalent to powers referred to in indent 1 of this item and who run the financial entity or have key functions in accordance with the regulations;
  1. credit institution has the meaning as defined in the law governing the operations of credit institutions;
  2. payment institution with head office in Montenegro has the meaning as defined in the law governing the payment system operations;
  3. registered account information service provider with head office in Montenegro has the meaning as defined in the law governing the payment system operations;
  4. electronic money institution with head office in Montenegro has the meaning as defined in the law governing the payment system operations;
  5. investment firm has the meaning as defined in the law governing capital market;
  6. small and non-interconnected investment firm has the meaning as defined in the law governing capital market;
  7. central securities depository and clearing company has the meaning as defined in the law governing capital market;
  8. central counterparty has the meaning as defined in the law governing capital market;
  9. trading venue has the meaning as defined in the law governing capital market;
  10. trade repository has the meaning as defined in the law governing capital market;
  11. alternative investment fund management company has the meaning as defined in the law governing the operation of alternative funds;
  12. open-end investment fund management company with a public offering has the meaning as defined in the law governing the operations of open-end investment funds with a public offering;
  13. institution for occupational retirement provision has the meaning as defined in the law governing voluntary pension funds;
  14. small institution for occupational retirement provision means an institution for occupational retirement provision which operates pension schemes which together have less than 100 members in total;
  15. data reporting service provider has the meaning as defined in the law governing capital market;
  16. administrator of key benchmarks has the meaning as defined in the law governing benchmarks;
  17. insurance undertaking has the meaning as defined in the law governing insurance;
  18. reinsurance undertaking has the meaning as defined in the law governing insurance;
  19. branch of foreign insurance undertaking has the meaning as defined in the law governing insurance;
  20. branch of foreign reinsurance undertaking has the meaning as defined in the law governing insurance;
  21. insurance intermediary has the meaning as defined in the law governing insurance;
  22. ancillary insurance intermediary has the meaning as defined in the law governing insurance;
  23. insurance broker - entrepreneur has the meaning as defined in the law governing insurance;
  24. insurance agency has the meaning as defined in the law governing insurance;
  25. ancillary insurance agent has the meaning as defined in the law governing insurance;
  26. insurance agent - entrepreneur has the meaning as defined in the law governing insurance;
  27. agency for providing other insurance services has the meaning as defined in the law governing insurance;
  28. crypto-asset service provider has the meaning as defined in the regulation governing the operations of this financial entity;
  29. issuer of asset-referenced tokens has the meaning as defined in the regulation governing the operations of this financial entity;
  30. public authority means any state administration body, another state body, or a body vested with public powers, including the Central Bank of Montenegro;
  31. ECB means the European Central Bank;
  32. EBA means the European banking Authority;
  33. EIOPA means the European Insurance and Occupational Pensions Authority;
  34. ESCB means the European System of Central Banks;
  35. ESMA means the European Securities and Markets Authority.

II ICT RISK MANAGEMENT Governance and organisation Article 9 (1) The management body of the financial entity shall ensure that the financial entity complies with the provisions of this Law. (2) Financial entity shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 10 paragraphs (5) and (6) of this Law, in order to achieve a high level of digital operational resilience. (3) The management body of the financial entity shall define, approve and oversee all rules, procedures, processes, mechanisms, measures and resources related to the ICT risk management framework referred to in Article 10 paragraph (1) of this Law, and for that purposes it shall:

  1. put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
  2. set clear powers, roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
  3. put in place digital operational resilience strategy referred to in Article 12 paragraph (1) of this Law, including the determination of the appropriate risk tolerance level of the ICT risk of the financial entity referred to in Article 12 paragraph (2) item 2) of this Law;
  4. approve and periodically review the implementation of the financial entity’s ICT business continuity policy referred to in Article 17 paragraph (1) of this Law and ICT response and recovery plans Article 17 paragraph (4) of this Law, and oversee their implementation;
  5. approve and periodically review the financial entity’s ICT internal audit plans, material modifications to them, and regularly review ICT audit results;
  6. allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 19 paragraph (10) of this Law, and ICT skills for all employees;
  7. approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
  8. put in place, at organisation level, reporting channels enabling it to be duly informed of the following:
  • arrangements concluded with ICT third-party service providers on the use of ICT services;
  • any relevant planned material changes regarding the ICT third-party service providers;
  • the potential impact of changes referred to in indent 2 of this item on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes;
  • ICT incidents, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures. (4) A financial entity, other than micro financial entity, shall determine an organisational unit to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation. (5) Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed. ICT risk management framework Article 10 (1) A financial entity shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT

risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience. (2) The ICT risk management framework referred to in paragraph (1) of this Article shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, servers, and other hardware and the of all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage. (3) In accordance with their ICT risk management framework, a financial entity shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools referred to in paragraph (2) of this Article. (4) A financial entity shall provide complete and updated information on ICT risk and on their ICT risk management framework referred to in paragraph (1) of this Article to the competent authorities upon their request. (5) A financial entity, other than micro financial entity, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. (6) A financial entity shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model. Improvement and audit of ICT risk management framework Article 11 (1) A financial entity shall continuously improve the ICT risk management framework referred to in Article 10 paragraph (1) of this Law on the basis of lessons derived from implementation and monitoring, and it shall review and update such a framework as follows:

  1. at least once a year;

  2. upon the occurrence of major ICT-related incident;

  3. upon the request of competent authority;

  4. in accordance with the digital operational resilience testing results;

  5. in accordance with the audit conclusions. (2) By way of derogation from paragraph (1) item 1) of this Article, a financial entity classified as micro financial entity shall review and update ICT risk management framework referred to in paragraph (1) of this Article periodically. (3) A financial entity shall submit the report on the review and update referred to in paragraphs (1) and (2) of this Article to its competent authority upon its request. (4) A financial entity, other than micro financial entity, shall ensure internal audits on a regular basis of ICT risk management framework referred to in Article 10 paragraph (1) of this Law in line with the audit plan by internal auditors who possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. (5) The frequency and focus of audits referred to in paragraph (4) of this Article shall be commensurate to the ICT risk of the financial entity. (6) A financial entity shall, based on the conclusions from the internal audit review, establish a formal process that enables the timely removal of key irregularities and deficiencies identified by the audit referred to in paragraph (4) of this Article, as well as adequate verification and follow-up of that process. Digital operational resilience strategy Article 12 (1) A financial entity shall set out, in the digital operational resilience strategy that is an integral part of the ICT risk management framework referred to in Article 10 paragraph (1) of this Law, the manner of implementation of the framework. (2) To strategy referred to in paragraph (1) of this Article shall include criteria and methods to address ICT risk and attain specific ICT objectives, and it shall at least:

  6. describe and explain how the ICT risk management framework supports the financial entity’s business strategy and objectives;

  7. establish the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analyse the impact tolerance for ICT disruptions;

  8. set out clear information security objectives, including key performance indicators and key risk metrics;

  9. explain the ICT reference i.e. targeted architecture and any changes needed to reach specific business objectives;

  10. outline the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;

  11. evidence the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the efficiency of preventive measures;

  12. implement digital operational resilience testing, in accordance with the provisions of Articles 27 to 32 of this Law;

  13. outline a communication strategy in the event of ICT-related incidents the communication of which is required in accordance with Article 20 of this Law. (3) A financial entity may define a holistic ICT multi-vendor strategy, at group or entity level, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers. (4) A financial entity may, in accordance with the law, outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external entities. (5) In case of outsourcing referred to in paragraph (4) of this Article, the financial entity shall remain fully responsible for the compliance with the ICT risk management requirements and for the verification of such a compliance. ICT systems, protocols and tools Article 13 A financial entity shall, for the purpose of addressing and managing ICT risk, use and maintain updated ICT systems, protocols and tools that must be:

  14. appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 5 of this Law;

  15. reliable;

  16. equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;

  17. technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations. Identification and assessment of ICT risks, services, framework and assets Article 14 (1) A financial entity shall, within the ICT risk management framework, identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. (2) A financial entity shall review as needed, and at least once a year, the adequacy of this classification referred to in paragraph (1) of this Article and of any relevant documentation. (3) A financial entity shall, on a continuous basis:

  18. identify all sources of ICT risk, in particular the risk exposure to and from other financial entities;

  19. assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. (4) A financial entity shall review on a regular basis, and at least yearly, the risk scenarios impacting the functions and assets referred to in paragraph (3) item 2) of this Article.

(5) A financial entity, other than micro financial entity, shall perform a risk assessment upon each major change in:

  1. the network and information system infrastructure;

  2. the processes or procedures affecting their ICT supported business functions, information assets or ICT assets. (6) A financial entity shall identify all information assets and ICT assets, including those on, network resources, hardware equipment and remote sites and shall map information assets and ICT assets considered critical. (7) A financial entity shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets. (8) A financial entity shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions. (9) A financial entity shall, for the purposes of paragraphs (1), (6), (7) and (8) of this Article, maintain relevant inventories and update them regularly and every time any major change as referred to in paragraph (5) of this Article occurs. (10) A financial entity, other than micro financial entity, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems. Protection of ICT system and prevention of ICT incidents Article 15 (1) For the purposes of adequately protecting ICT systems and with a view to organising response measures, a financial entity shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures. (2) A financial entity shall design, create and/or procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. (3) In order to achieve the objectives referred to in paragraph (2) of this Article, a financial entity shall use ICT solutions and processes that are appropriate within the meaning of Article 5 of this Law and which:

  3. ensure the security of the means of transfer of data;

  4. minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;

  5. prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;

  6. ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error. (4) A financial entity, within the ICT risk management framework, shall:

  7. develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;

  8. following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols;

  9. establish and implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;

  10. establish and implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys for data encryption;

  11. establish and implement policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;

  12. have appropriate and comprehensive policies for patches and updates. (5) A financial entity shall design and implement network and infrastructure management structure referred to in paragraph (4) item 2) of this Article in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes. (6) A network and infrastructure management structure referred to in paragraph (4) item 2) of this Article may include the implementation of automated mechanisms to isolate affected information assets in the event of cyber-attacks (7) The ICT change management process referred to in paragraph (4) item 5) of this Article shall be approved by appropriate lines of management and shall have specific protocols in place. Monitoring, detection and analysis of ICT events and incidents Article 16 (1) A financial entity shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 22 of this Law, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. (2) A financial entity shall ensure regular testing of mechanisms referred to in paragraph (1) of this Article in the manner prescribed in Article 28 of this Law. (3) The mechanisms referred to in paragraph (1) of this Article shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant persons in charge of ICT-related incident response. (4) A financial entity shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks. (5) Data reporting service providers shall have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports. Business continuity, response on and recovery from ICT incidents Article 17 (1) A financial entity shall, within the ICT risk management framework, based on the identification requirements set out in Article 14 of this Law, put in place a comprehensive ICT business continuity policy. (2) The ICT business continuity policy referred to in paragraph (1) of this Article shall form an integral part of the overall business continuity policy of the financial entity, and may be adopted as a dedicated specific policy. (3) A financial entity shall implement the ICT business continuity policy referred to in paragraph (1) of this Article through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:

  13. ensure the continuity of the financial entity’s critical or important functions;

  14. quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions;

  15. activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures referred to in Article 18 of this Law;

  16. estimate preliminary impacts, damages and losses;

  17. set out communication and crisis management actions that ensure that updated information is transmitted to all relevant employees and external stakeholders in accordance with Article 20 of

this Law, and report to the competent authority in accordance with the provisions of Article 24 of this Law. (4) A financial entity shall, within the ICT risk management framework, identify and implement associated ICT response and recovery plans. (5) A financial entity, other than micro financial entity, shall be subject to independent internal audit of the plans referred to in paragraph (4) of this Article. (6) A financial entity shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced, contracted or delivered through arrangements with ICT third-party service providers. (7) A financial entity shall, as a part of the overall business continuity policy, conduct a business impact analysis of their exposures to severe business disruptions. (8) A financial entity shall, under the business impact analysis referred to in paragraph (7) of this Article, assess the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis. (9) A financial entity shall, when conducting business impact analysis referred to in paragraph (7) of this Article, consider the criticality of identified and mapped business functions, support processes, information assets, third-party dependencies, and their interdependencies. (10) A financial entity shall design and use ICT assets and ICT services in the manner that is fully aligned with the business impact analysis referred to in paragraph (7) of this Article, in particular with regard to adequately ensuring the redundancy of all critical components. (11) Redundancy, within the meaning of paragraph (10) of this Article, means the presence of one or more additional components that take over the function of the primary component in case its disruption. (12) As a part of their comprehensive ICT risk management, a financial entity shall:

  1. in relation to ICT systems supporting all functions, test the ICT response and recovery plans referred to in paragraph (4) of this Article and the ICT business continuity plans referred to in paragraph (6) of this Article:
  • at least once a year; and
  • in the event of any substantive changes to ICT systems supporting critical or important functions;
  1. test the crisis communication plans established in accordance with Article 20 of this Law. (13) A financial entity, other than micro financial entity, shall include in the testing plans referred to in paragraph (12) item 1) of this Article scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 18 of this Law. (14) A financial entity shall regularly review their ICT business continuity policy referred to in paragraph (1) of this Article and ICT response and recovery plans referred to in paragraph (4) of this Article, taking into account the results of tests carried out in accordance with paragraph (12) of this Article, audit recommendations and competent authority requirements. (15) A financial entity, other than micro financial entity, shall designate a responsible person or organisational unit for crisis management, which, in the event of activation of their ICT response and recovery plans referred to in paragraph (4) of this Article and ICT business continuity plans referred to in paragraph (6) of this Article, shall, int particular, set out clear procedures to manage internal and external communications in accordance with Article 20 of this Law. (16) In the case of activation of the ICT response and recovery plans referred to in paragraph (4) of this Article and the ICT business continuity plans referred to in paragraph (6) of this Article, a financial entity shall keep readily accessible records of activities before and during disruption events. (17) A financial entity, other than micro financial entity, shall report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents. (18) Central securities and depository company shall provide the Capital Market Authority with copies of the results of the ICT business continuity tests, or of similar exercises.

Back-up policies and procedures and restoration and recovery procedures and methods Article 18 (1) For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, a financial entity shall, within their ICT risk management framework, develop and adopt:

  1. backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data;

  2. restoration and recovery procedures and methods. (2) A financial entity shall set up backup systems that can be activated in accordance with the backup policies and procedures referred to in paragraph (1) item 1) of this Article, as well as restoration and recovery procedures and methods referred to in paragraph (1) item 2) of this Article. (3) The activation of backup systems referred to in paragraph (2) of this Article shall not jeopardise the security of the network and information systems or the availability, authenticity, integrity or confidentiality of data. (4) A financial entity shall periodically test the backup procedures referred to in paragraph (1) item 1) of this Article and restoration and recovery procedures and methods referred to in paragraph (1) item 2) of this Article. (5) When a financial entity uses own systems for restoring backup data, they shall use ICT systems that are physically and logically segregated from the source ICT system. (6) The ICT systems referred to in paragraph (5) of this Article that are intended for recovery shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary. (7) A financial entity, other than micro financial entity, shall maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs. (8) A financial entity classified as micro financial entity shall assess the need to maintain such redundant ICT capacities referred to in paragraph (7) of this Article based on their risk profile. (9) A financial entity shall, when determining the recovery time and recovery point objectives for each function, take into account the importance of that function, and in particular, whether it is a critical or important function and the potential overall impact on market efficiency. (10) Such recovery time and recovery point objectives referred to in paragraph (9) of this Article shall ensure that, in extreme scenarios, the agreed service levels are met. (11) When recovering from an ICT-related incident, a financial entity shall perform necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained. (12) The checks referred to in paragraph (11) of this Article shall also be performed when reconstructing data from external stakeholders, in order to ensure that all data is consistent between systems. (13) The central counterparty shall establish the plans that shall enable the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date. (14) Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times. (15) The central securities and depository company shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs. (16) The secondary processing site referred to in paragraph (1) of this Article shall be:

  3. located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile and to prevent it from being affected by the event which has affected the primary site;

  4. capable of ensuring the continuity of critical or important functions identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives;

  5. immediately accessible to the financial entity’s staff to ensure continuity of critical or important functions in the event that the primary processing site has become unavailable. Improvements for strengthening digital operational resilience Article 19 (1) A financial entity shall have in place capabilities and designate employees to gather information on vulnerabilities, cyber threats, ICT-related incidents, and in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience. (2) A financial entity shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, for the purpose of analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law. (3) A financial entity, other than micro financial entity, shall, upon request, provide the competent authority, with the information on the changes that were implemented following post ICT-related incident reviews as referred to in paragraph (2) of this Article. (4) The post ICT-related incident review referred to in paragraph (2) of this Article shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:

  6. the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity;

  7. the quality and speed of performing a forensic analysis, where deemed appropriate;

  8. the efficiency of internal incident escalation;

  9. the efficiency of internal and external communication. (5) A financial entity shall ensure that lessons derived from the digital operational resilience testing carried out in accordance with Articles 27 to 32 of this Law, and from real life ICT-related incidents, in particular cyber-attacks, findings on the challenges faced upon the activation of ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law and ICT business continuity plans referred to in Article 17 paragraph (6) of this Law, relevant information obtained from other entities, as well as information in relation to the competent authority requirements are timely, adequately and continuously used within the ICT risk assessment process. (6) A financial entity shall take into consideration lessons, findings and information referred to in paragraph (5) of this Article in an appropriate manner during the review of relevant components of the ICT risk management framework. (7) A financial entity shall monitor the efficiency of the implementation of their digital operational resilience strategy referred to in Article 12 paragraph (1) of this Law. (8) A financial entity shall record and monitor the change of total ICT risk profile over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance its cyber maturity and preparedness. (9) A financial entity shall ensure that senior ICT staff shall report at least once a year to the management body on the conclusions derived from the lessons, findings and information referred to in paragraph (5) of this Article and put forward recommendations for further action. (10) A financial entity shall develop and implement the ICT security awareness programmes and digital operational resilience training as compulsory modules in their employee training schemes. (11) The programmes and training referred to in paragraph (10) of this Article shall be applicable to all employees and to senior management, and shall have a level of complexity commensurate to the remit of their functions. (12) Where appropriate, a financial entity shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 38 paragraph (3) item 11) of this Law. (13) A financial entity, other than micro financial entity, shall monitor relevant technological developments on a continuous basis, with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience.

(14) A financial entity, other than micro financial entity, shall keep up-to-date with the latest ICT risk management processes, in order to efficiently combat current or new forms of cyber-attacks. Crisis communication Article 20 (1) A financial entity shall, as part of the ICT risk management framework, have in place crisis communication plans enabling a responsible communication of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate. (2) A financial entity shall, as part of the ICT risk management framework, identify and implement communication policies for employees and for external stakeholders. (3) The communication policies referred to ion paragraph (2) of this Article, in the part concerning employees shall take into account the need to differentiate between employees that need to be informed and employees involved in ICT risk management, or employees responsible for response and recovery. (4) At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT- related incidents and fulfil the public and media function for that purpose. Simplified ICT risk management framework Article 21 (1) The provisions of Articles 8 to 19 of this Law shall not apply to small and non-interconnected investment firm and small institution for occupational retirement provision. (2) Financial entities referred to in paragraph (1) of this Article shall:

  1. put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures;
  2. continuously monitor the security and functioning of all ICT systems;
  3. minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data in the network and information systems;
  4. allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected and ICT-related incidents to be swiftly handled;
  5. identify key dependencies on ICT third-party service providers;
  6. ensure the continuity of critical or important functions, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures;
  7. test, on a regular basis, the efficiency of the controls implemented in accordance with items
  8. and 3), and plans and measures referred to in item 6) of this paragraph;
  9. use, in accordance with the needs and ICT risk profile, relevant operational conclusions resulting from the tests referred to in item 7) of this paragraph and from post-incident analysis into the ICT risk assessment process and develop, ICT security awareness programmes and digital operational resilience training for employees and management. III ICT-RELATED INCIDENT MANAGEMENT, CLASSIFICATION AND REPORTING ICT-related incident management process Article 22 (1) A financial entity shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. (2) A financial entity shall record all ICT-related incidents and significant cyber threats. (3) A financial entity shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT- related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.

(4) As part of ICT-related incident management process referred to in paragraph (1) of this Article, a financial entity shall:

  1. put in place early warning indicators;
  2. establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 23 paragraph (1) of this Law;
  3. assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
  4. set out plans for communication to employees, external stakeholders and media in accordance with Article 20 of this Law and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
  5. ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;
  6. establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner. Classification of ICT-related incidents and cyber threats Article 23 (1) A financial entity shall classify ICT-related incidents and shall determine their impact based on the following criteria:
  7. the number and/or relevance of clients affected by the ICT-related incident, or the number and/or relevance of financial entities and institutions as counterparts affected by the ICT-related incident and, where applicable, the amount or number of transactions affected by the ICT￾related incident, and whether the ICT-related incident has caused reputational impact;
  8. the duration of the ICT-related incident, including the service downtime;
  9. the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
  10. the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
  11. the criticality of the services affected, including the financial entity’s transactions and operations;
  12. the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms. (2) A financial entity shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients at risk, or the number and/or relevance of financial entities and institutions as counterparts targeted and the geographical spread of the areas at risk. Reporting of major ICT-related incidents and notification of significant cyber threats Article 24 (1) A financial entity shall report a major ICT-related incident to the relevant competent authority. (2) For the purpose of the reporting referred to in paragraph (1) of this Article, the financial entity shall collect and analyse all relevant information regarding a major ICT-related incident, prepare the documentation referred to in paragraph (3) of this Article and submit it to competent authority in the manner and within the time limit set out by a separate regulation of the competent authority. (3) A financial entity shall submit the following to the competent authority:
  13. an initial notification;
  14. an intermediate report after the initial notification referred to in item 1) of this paragraph, as soon as the status of the reported major ICT-related incident has changed significantly or the handling of that incident has changed based on new information available, followed, as

appropriate, by updated intermediate reports every time the incident status changes, as well as upon a specific request of the competent authority; 3) a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates. (4) The documentation referred to in paragraph (3) of this Article shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess its possible cross-border impacts. (5) Notwithstanding paragraph (2) of this Article, in the event that a technical impossibility prevents the financial entity to submit the initial notification referred to in paragraph (3) of this Article in the manner set out in a separate regulation of the competent authority, the submission may be carried out in alternative appropriate manner. (6) A financial entity may notify a significant cyber threat to the competent authority when it deems the threat to be of relevance to the financial system, service users or clients. (7) The competent authority may provide information regarding a significant cyber threat referred to in paragraph (6) of this Article to other competent authorities referred to in paragraph (11) of this Article. (8) Where a major ICT-related incident occurs and has an impact on a financial interest of clients, the financial entity shall, without delay as soon as it becomes aware of such incident, inform its clients about the incident and about the measures that have been taken to mitigate the adverse effects of such incident. (9) In the case of a significant cyber threat, a financial entity shall, where applicable, inform its clients that are potentially affected of any appropriate protection measures which the latter may consider taking. (10) A financial entity may outsource, in accordance with the law, the reporting obligations under this Article to a third-party, and in that case, the financial entity remains fully responsible for compliance with the provisions of this Article. (11) Upon receipt of the initial notification and of each report referred to in paragraph (3) of this Article, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to the following recipients based, as applicable, on their respective competences:

  1. EBA, ESMA or EIOPA;
  2. the ECB, in the case of financial entities referred to in Article 2 paragraph (1), items 1), 2) and 3) of this Law;
  3. the authority which is, in accordance with the law governing information security, competent for the protection against cyber threats and incidents;
  4. the authority which is, in accordance with the law governing the resolution of credit institutions, competent for the resolution of that financial entity, if such details concern an incident that pose a risk to performing critical functions within the meaning of that law.
  5. the authority which is, in accordance with the law governing the resolution of investment firms, competent for the resolution of that financial entity, if such details concern an incident that poses a risk to performing critical functions within the meaning of that law;
  6. another relevant public authority in accordance with the law. (12) The competent authority shall cooperate with the EBA, ESMA, EIOPA, and/or the ECB during the procedure referred to in Article 19 paragraph 7 of the Regulation (EU) 2022/2554, that those authorities carry out to assess whether the major ICT-related incident is relevant for competent authorities in other Member States, in accordance with the criteria set out in Article 11 of Regulation (EU) 2024/1772. (13) In the case where the Central Bank, in accordance with Article 19 paragraph 7 of the Regulation (EU) 2022/2554 receives notification from the ECB regarding the issues of relevance to the payment system, it shall, for the financial entity referred to in Article 2 paragraph (1) items 1), 2) and 4) of this Law, where applicable, take all of the necessary measures to protect the stability of the financial system. (14) The Capital Market Authority shall notify the relevant competent authority of the host Member State of the major ICT-related incident where the Central Securities Depository and Clearing Company has significant cross-border activity in the host Member State, the major ICT-related

incident is likely to have severe consequences for the financial markets of the host Member State and where there are cooperation arrangements among competent authorities related to the supervision of financial entities. Competent authority feedback Article 25 (1) The competent authority shall, upon receipt of the initial notification and of each report as referred to in Article 24 paragraph (3) of this Law, acknowledge the receipt to the financial entity. (2) Upon receipt of the initial notification and of each report as referred to in Article 24 paragraph (3) of this Law, the competent authority may, where feasible, provide in a timely manner relevant and proportionate feedback or high-level guidance to the financial entity, in particular by making available any relevant anonymised information and intelligence on similar threats, and may discuss with that financial entity corrective measures applied and ways to mitigate and minimise adverse impact of the major ICT-related incident across the financial sector. (3) The activities of the competent authority referred to in paragraph (2) of this Article shall be without prejudice to the technical input, guidelines or corrective measures and subsequent follow-up which may be provided, in accordance with the law governing information security, by the authorities governed by that law. (4) In the case referred to in paragraph (2) of this Article, the financial entity shall remain fully responsible for the handling and for consequences of a major ICT-related incident. Operational or security payment-related incidents Article 26 In the case of operational and security payment-related incidents including major operational and security payment-related incidents, the financial entities referred to in Article 2 paragraph (1) items

  1. to 4) of this Law shall apply accordingly the provisions of Articles 22 to 25 of this Law. IV DIGITAL OPERATIONAL RESILIENCE TESTING General requirements for the performance of digital operational resilience testing Article 27 (1) For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, a financial entity, other than a financial entity classified as a micro financial entity, shall, in accordance with the proportionality principle referred to in Article 5 of this Law, establish, maintain and regularly review a digital operational resilience testing programme. (2) The digital operational resilience testing programme referred to in paragraph (1) of this Article, as a part of the ICT risk-management framework must be efficient and comprehensive and include a range of assessments, tests, methodologies, practices and tools to be implemented and applied in accordance with Articles 28 to 31 of this Law. (3) The financial entity referred to in paragraph (1) of this Article shall conduct the digital operational resilience testing programme by applying a risk-based approach, wherein duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services, as well as any other relevant factor. (4) The financial entity shall ensure that the digital operational resilience testing referred to in paragraph (1) of this Article is undertaken by independent internal or external persons. (5) Where the digital operational resilience testing is undertaken by an internal person, the financial entity shall dedicate sufficient resources and take measuresto avoid conflicts of interest throughout the design and execution phases of the test. (6) The financial entity referred to in paragraph (1) of this Article shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the digital operational resilience tests, and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.

(7) The financial entity referred to in paragraph (1) of this Article shall, at least yearly, conduct appropriate tests on all ICT systems and applications supporting critical or important functions of that financial entity. Testing of ICT tools and systems Article 28 (1) The digital operational resilience testing programme referred to in Article 27 paragraph (1) of this Law must provide, in accordance with the proportionality principle referred to in Article 5 of this Law, for the execution of appropriate tests, such as:

  1. vulnerability assessments and scans;
  2. open-source analyses;
  3. network security assessments;
  4. gap analyses;
  5. physical security reviews;
  6. questionnaires and scanning software solutions;
  7. source code reviews where feasible;
  8. scenario-based tests;
  9. compatibility testing;
  10. performance testing;
  11. end-to-end testing;
  12. penetration testing. (2) The financial entity classified as a micro financial entity shall perform the tests referred to in paragraph (1) of this Article by applying a risk-based approach in accordance with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing, on the one hand, and the urgency, type of risk, criticality of information assets and of services, as well as other relevant factors, including the financial entity’s ability to take calculated risks, on the other hand. (3) The Central Securities Depository and Clearing Company and the Central Counterparty shall perform vulnerability assessments before any deployment or redeployment of new or existing applications, infrastructure components, and ICT services supporting critical or important functions of the financial entity. Advanced testing of ICT tools, systems and processes based on TLPT Article 29 (1) The financial entity referred to in paragraph (4) of this Article shall, at least every three years, carry out advanced testing by means of the threat-led penetration testing (hereinafter: the TLPT). (2) Notwithstanding paragraph (1) of this Article, the competent authority may, taking into account the risk profile of the financial entity and operational circumstances, establish an obligation for the financial entity to reduce or increase the frequency of advanced testing. (3) The TLPT referred to in paragraph (1) of this Article test shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions. (4) The competent authority shall identify financial entities, other than those classified as micro financial entities or entities referred to in Article 21 paragraph (1) of this Law, that are required to perform TLPT referred to in paragraph (1) of this Article, taking into account the criteria set out in Article 5 of this Law, based on an assessment of the following:
  13. impact of the activities and services of the financial entity on the financial sector;
  14. possible risks to financial stability, taking into the account the systemic character of the financial entity at:
  • national level;
  • European Union level, where applicable.
  1. financial entity’s ICT risk profile, level of its ICT maturity or technology features it uses. (5) Without prejudice to the power to identify the financial entities that are required to perform TLPT, the competent authority may delegate the exercise of some or all of the tasks related to performing

TLPT referred to in this Article and Articles 30 to 32 to another competent authority in the financial sector. (6) For the purpose of planning and performing the TLPT referred to in paragraph (1) of this Article, a financial entity shall:

  1. identify all relevant ICT systems, processes and technologies supporting ICT services and critical or important functions, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers;
  2. assess which critical or important functions need to be covered by the TLPT; and
  3. in accordance with the assessment referred to in item 2) of this paragraph, determine the precise scope of TLPT, and submit the results of the assessment to the competent authority. (7) The competent authority shall monitor all stages of preparation and performing of TLPT, and approve its key elements, including the planned scope of TLPT referred to in paragraph (6) item
  4. of this Article, where it assesses that the conditions for performing appropriate and efficient testing have been met. Participation of an ICT third-party service provider in the TLPT Article 30 (1) Where an ICT third-party service provider is included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third￾party service providers in the TLPT and shall retain at all times full responsibility for ensuring compliance with this Law. (2) Where the participation of an ICT third-party service provider in the TLPT, in accordance with paragraph (1) of this Article, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provider to customers that are not financial entities referred to in Article 2 of this Law, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provider may conclude an agreement with that ICT third-party service provider which would enable that third party to directly enter into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT involving several financial entities (hereinafter: the pooled TLPT) to which the ICT third-party service provider provides ICT services. (3) That pooled TLPT must cover the relevant range of ICT services supporting critical or important functions contracted to the respective ICT third-party service provider by the financial entities. (4) Without prejudice to the requirements set out in Article 29 paragraphs (3) and (6) of this Law, the pooled TLPT shall, within the meaning of Article 29 paragraph (1) of this Law, be considered TLPT carried out by the financial entity covered by such testing. (5) The number of financial entities participating in the pooled TLPT shall be duly calibrated taking into account the complexity and types of services covered by such testing. (6) The financial entity shall, with the cooperation of ICT third-party service providers, the other parties involved, and the testers, but excluding the competent authority, apply efficient risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations at the financial entity itself, other financial entities with which it has business cooperation, and to the financial sector. TLPT reporting and competent authorities’ cooperation in TLPT Article 31 (1) At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the competent authority, or the competent authority to which the tasks have been delegated in accordance with Article 29 paragraph (5) of this Law, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements of this Law.

(2) The competent authority referred to in paragraph (1) of this Article shall provide the financial entity with an attestation confirming that the TLPT was performed in accordance with the requirements of this Law, where it may be evidenced in the documentation provided. (3) Notwithstanding paragraph (2) of this Article, the attestation that the TLPT has been performed in accordance with the requirements of this Law shall be issued by:

  1. the competent authority that has lead the TLPT, where several competent authorities has participated in the testing;
  2. the TLPT authority of another Member State, where the TLPT has been led by that authority; (4) For the purposes of conducting a TLPT in relation to a financial entity providing services in more than one Member State, including through a branch, and for the purposes of conducting joint TLPT and pooled TLPT in the case where the ICT third-party service provider provides ICT services to financial entities in more than one Member State, the competent authority shall cooperate with the TLPT authorities of other Member States in accordance with the provisions of Article 16 of Regulation (EU) 2025/1190. (5) In the case where the attestation confirming that the testing was performed was issued by an authority that is not responsible for the supervision of the financial entity, that financial entity shall notify its competent authority of the receipt of such attestation, and along with the notification submit the summary of the relevant findings and the remediation plans. (6) After receiving the attestation confirming that the testing was performed the financial entity shall still remain fully responsible for the impact of the pooled TLPT referred to in Article 30 paragraph (2) of this Law. Requirements for testers for the carrying out of TLPT Article 32 (1) For the purposes of performing TLPT referred to in Article 29 of this Law, a financial entity shall engage internal or external testers. (2) The financial entity using internal testers for the purposes of undertaking TLPT shall contract external testers every three tests. (3) The testers used for the carrying out of TLPT, must:
  3. meet the highest suitability and reputability standards;
  4. possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
  5. possess accreditation certificate issued by an accreditation body in accordance with the law governing the accreditation procedure, or adhere to formal codes of conduct or ethical frameworks;
  6. possess accreditation certificate issued by an accreditation body of another Member State;
  7. provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
  8. be duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence. (4) When using internal testers, the financial entity shall ensure that, in addition to the requirements set out in paragraph (3) of this Article, the following conditions are met:
  9. such use has been approved by the competent authority or by the competent authority to which the tasks have been delegated in accordance with Article 29 paragraph (5) of this Law;
  10. the competent authority has verified that the financial entity has sufficient dedicated resources and undertaken measures to ensure that conflicts of interest are avoided throughout the design and execution phases of the test; and
  11. the threat intelligence provider is external to the financial entity. (5) The financial entity shall ensure that contract concluded with an external TLPT tester ensures a sound management of the TLPT results and that any data processing thereof, including any generation, draft, aggregation, store, report, communication or destruction, do not create risks to the financial entity.

V MANAGING OF ICT THIRD-PARTY RISK Key principles for a sound management of ICT third-party risk Article 33 (1) A financial entity shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 10 of this Law, in accordance with the following principles:

  1. a financial entity that has in place contractual arrangements for the use of ICT services to run its business operations shall, at all times, remain fully responsible for compliance with this Law and regulations governing the operations of that financial entity;
  2. a financial entity shall manage the ICT third-party risk in accordance with the principle of proportionality, taking into account:
  • the nature, scale, complexity and importance of ICT-related dependencies;
  • the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level. (2) A financial entity, other than that classified as a micro financial entity, and other than an entity referred to in Article 21 paragraph (1) of this Law, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the ICT multi-vendor strategy referred to in Article 12 paragraph (3) of this Law, where applicable. (3) The strategy referred to in paragraph (2) of this Article shall include a policy on the use of ICT services supporting critical or important functions of a financial entity provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. (4) The management body of a financial entity shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions. (5) Before entering into a contractual arrangement on the use of ICT services, a financial entity shall:
  1. assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function;
  2. assess if the competent authority’s requirements for contracting are met;
  3. identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to increasing ICT concentration risk as referred to in Article 37 of this Law;
  4. undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable;
  5. identify and assess conflicts of interest that the contractual arrangement may cause. Registry of information in relation to contractual arrangements on the use of ICT services and reporting to the competent authority Article 34 (1) As part of its ICT risk management framework, a financial entity shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a registry of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. (2) Information on contractual arrangements referred to in paragraph (1) of this Article shall be recorded in such a manner as to distinguish between contractual arrangements that cover ICT services supporting critical or important functions and those that do not. (3) A financial entity shall at least yearly submit to the competent authority a report on the number of new contractual arrangements on the use of ICT services, the categories of ICT third-party service

providers, the type of contractual arrangements and the ICT services and functions which are being provided. (4) A financial entity shall make available to the competent authority, upon its request, specified sections or the full registry of information referred to in paragraph (1) of this Article, along with other information necessary for the competent authority to exercise supervision. (5) A financial entity shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function supported by a contractual arrangement on the use of ICT services has become critical or important. Security and audit standards of an ICT third-party service provider Article 35 (1) A financial entity may enter into a contractual arrangement with an ICT third-party service provider where such third party complies with appropriate information security standards. (2) When the contractual arrangement referred to in paragraph (1) of this Article concerns services supporting critical or important functions, a financial entity shall, prior to concluding such arrangement, determine that the ICT third-party service provider applies the most up-to-date and highest quality information security standards. (3) For the purpose of exercising access, review and audit rights over the ICT third-party service provider, a financial entity shall, by applying a risk-based approach, pre-determine the frequency of reviews and audits as well as the areas to be audited through adhering to commonly accepted audit standards, and, where applicable, in line with any competent authority requirement regarding the use of such standards. (4) Where a contractual arrangement concluded with an ICT third-party service provider referred to in paragraph (1) of this Article covers the use of ICT services that entail high technical complexity, the financial entity shall verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments. Termination of contractual agreements and exit strategies Article 36 (1) A financial entity shall ensure that a contractual arrangement on the use of ICT services may be terminated in any of the following circumstances:

  1. significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
  2. circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;
  3. ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data;
  4. where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement. (2) For ICT services supporting critical or important functions, a financial entity shall put in place exit strategies. (3) The exit strategies referred to in paragraph (2) of this Article must take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part, a deterioration of the quality of the ICT services provided, any business disruption due to inappropriate or failed provision of ICT services, any significant risk arising in relation to the appropriate and continuous deployment of the respective ICT service, as well as the possible termination of contractual arrangements with an ICT third-party service provider under any of the circumstances listed in paragraph (1) of this Article.

(4) A financial entity shall ensure that they are able to terminate a contractual arrangement on the use of ICT services without:

  1. disruption to the business activities of that financial entity;
  2. limiting compliance with regulatory requirements;
  3. detriment to the continuity and quality of services provided to clients. (5) A financial entity shall ensure that plans to terminate contractual arrangements referred to in paragraph (1) of this Article are comprehensive, documented and, in accordance with the proportionality principle referred to in Article 5 of this Law, are sufficiently tested and reviewed periodically. (6) A financial entity shall identify alternative solutions and develop transition plans enabling it to securely and integrally transfer the contracted ICT services and the relevant data from the ICT third-party service provider to alternative service providers or reincorporate them in-house, as well as to ensure their removal from the third-party that has provided the ICT services. (7) A financial entity shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in paragraph (3) of this Article. Assessment of ICT concentration risk at financial entity level Article 37 (1) When performing the identification and assessment of risks referred to in Article 33 paragraph (5) item 3) of this Law, a financial entity shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following:
  4. contracting an ICT third-party service provider that is not easily substitutable; or
  5. having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers. (2) A financial entity shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in the digital resilience strategy of that financial entity. (3) Where the contractual arrangement on the use of ICT services supporting critical or important functions envisages that an ICT third-party service provider may, for the purpose of providing such services, further subcontract other ICT third-party service providers, the financial entity shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country. (4) Where a contractual arrangement on the use of ICT services concern services supporting critical or important functions, a financial entity shall consider the regulations that would apply in the event of the ICT third-party service provider’s insolvency, as well as any constraint that may arise in respect to the need for the urgent recovery of the financial entity’s data. (5) Where a contractual arrangement on the use of ICT services supporting critical or important functions is concluded with an ICT third-party service provider established in a third country, a financial entity shall, in addition to the considerations referred to in paragraph (4) of this Article, also consider the compliance with the provisions of regulations governing data protection, as well as the enforceability of the law in that third country. (6) Where a contractual arrangement on the use of ICT services supporting critical or important functions provides for a possibility of subcontracting, a financial entity shall assess whether and how potentially long or complex chains of subcontracting may impact its ability to fully monitor the contracted functions and the ability of the competent authority to efficiently supervise that financial entity. Key contractual provisions Article 38 (1) The rights and obligations of the financial entity and of the ICT third-party service provider must be regulated by a contract.

(2) The contract referred to in paragraph (1) of this Article shall include the service level agreements and must be available to the parties in paper, or electronic form which shall be downloadable in accessible and durable format. (3) The contractual arrangement on the use of ICT services must include:

  1. a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider;
  2. provisions on whether an ICT third-party service provider may subcontract an ICT service supporting a critical or important function, or material parts thereof, and under what conditions;
  3. the locations, namely the regions or countries, where the contracted and, where applicable, subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location;
  4. the requirement for the ICT third-party service provider to notify the financial entity in advance on its intention to change the locations referred to in item 3) of this paragraph;
  5. provisions on the protection of availability, authenticity, integrity and confidentiality of data, including personal data;
  6. provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangement;
  7. service level descriptions, including updates and revisions thereof;
  8. the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
  9. the obligation of the ICT third-party service provider to cooperate with the competent authority and the resolution authority of the financial entity in accordance with the law governing the resolution of a financial entity, including persons authorised by those authorities;
  10. termination rights and conditions along with related minimum notice periods for the termination of the contractual arrangement, in accordance with the requirements of authorities referred to in item 9) of this paragraph;
  11. the conditions for the participation of an ICT third-party service provider in the financial entity’s ICT security awareness programmes and digital operational resilience trainings in accordance with the provisions of Article 19 paragraph (12) of this Law. (4) The contractual arrangement on the use of ICT services supporting critical or important functions must also include, in addition to the elements referred to in paragraph (3) of this Article, the following:
  12. detailed service level description, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective measures to be taken, without undue delay, when agreed service levels are not met;
  13. the obligation of the ICT third-party service provider to deliver notifications and reports to the financial entity, with deadlines for their delivery, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
  14. requirements for the ICT third-party service provider with regard to implementation and testing of business contingency plans as well as the application of ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with the law;
  15. the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT, in accordance with the provisions of Articles 29 to 32 of this Law;
  16. the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
  • unrestricted rights of the financial entity, a third party authorised by the financial entity, and of the competent authority to access, perform reviews and audit, or supervision of the ICT third￾party service provider, as well as the right to take copies of relevant documentation of the ICT

third-party service provider, so that the exercise of those rights is not impeded or limited by other contractual arrangements or policies;

  • the right, in the event that exercising the right under indent 1 of this item could jeopardize the rights of other clients of the ICT third-party service provider, to agree on alternative ways of verifying the performance of the ICT third-party service provider, which ensure a reasonable level of assurance regarding the quality and security of the provided services;
  • the obligation of the ICT third-party service provider to fully cooperate during the onsite reviews, audits and supervision performed by the competent authority, financial entity or a third party authorised by the financial entity;
  • the obligation of the ICT third-party service provider to cooperate with the Lead Overseer, appointed in accordance with Article 31 paragraph 1 point b) of the Regulation (EU) 2022/2554, during the oversight performed by that authority;
  • the obligation to provide information required to determine the scope, procedures to be followed and frequency of reviews, audit and oversight referred to in indents 3 and 4 of this item;
  1. provisions required to implement the exit strategy, in particular the mandatory and adequate transition period:
  • during which the ICT third-party service provider will continue providing the respective functions and ICT services, with a view to mitigating the risk of disruption at the financial entity or to ensure its efficient resolution and restructuring;
  • during which the financial entity may replace the ICT third-party service provider or reincorporate them in-house, in accordance with the complexity of the service provided. (5) By way of derogation from paragraph (4) item 5) of this Article, the financial entity that is classified as a micro financial entity may agree with the ICT third-party service provider that the financial entity’s rights of access, review and audit of the ICT third-party service provider can be delegated to an independent third party, appointed by the ICT third-party service provider, and that in that case the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the independent third party at any time. (6) When negotiating contractual provisions with the ICT third-party service provider, the financial entity shall consider the use of standard contractual clauses developed by public authorities for specific services. VI INFORMATION EXCHANGE Cyber threat information and intelligence sharing Article 39 (1) Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing:
  1. aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, enhancing defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;
  2. takes places within a trusted community of financial entities;
  3. is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct providing full protection of business data confidentiality, protection of personal data in accordance with regulation governing personal data protection and the application of rules in the area of competition protection. (2) The information-sharing arrangements referred to in paragraph (1) item 3) of this Article must set out the conditions for participation and, where appropriate, the involvement and role of public authorities which they may be included in arrangements, the involvement of ICT third-party service providers, as well as operational elements, including the use of dedicated IT platforms.

(3) A financial entity shall, without delay, notify the competent authority of its participation in an information-sharing arrangement as referred to in paragraph (1) item 3) of this Article, or of the cessation of its participation in such arrangement. VII SUPERVISION OF THE IMPLEMENTATION OF THE PROVISIONS OF THIS LAW AND SUPERVISORY MEASURES Scope of competences Article 40 (1) The competent authority shall supervise the implementation of this Law. (2) In carrying out the supervision referred to in paragraph (1) of this Article, the supervisory authority shall:

  1. impose measures on the financial entity;
  2. submit proposals for the initiation of misdemeanour proceedings for violation of the provisions of this Law. (3) Supervision referred to in paragraph (2) item 1) of this Article shall be carried out in accordance with this Law and the law governing the establishment and operation of a financial entity. (4) In carrying out the supervision referred to in paragraph (1) of this Article, the competent authority may, in particular: 1)access any documents or data, held in any form, that the competent authority considers relevant to the exercise of its powers, and obtain copies of such documents or data; 2)carry out on-site supervision or examination, including but not limited to: -the power to require the financial entity and persons employed in the financial entity to provide written and oral explanations on facts related to the subject matter and purpose of supervision or examination; -conducting interviews with any natural or legal person whom it considers to have relevant information, with the explicit consent of that person, for the purpose of gathering information related to the subject of examination;
  3. require the implementation of corrective measures for breaches of the provisions of this Law. (5) In addition to the measures that the competent authority is authorised to impose in accordance with the law governing the establishment and operation of a financial entity, the competent authority shall also be authorised, when performing supervision in accordance with this Law, to:
  4. order the financial entity and the responsible person in the financial entity to cease the conduct that is in breach of this Law and the regulations adopted on the basis of this Law;
  5. order the financial entity to temporarily or permanently cease the conduct that the competent authority considers to be in breach of this Law and the regulations adopted on the basis of this Law and to desist from the repetition of that conduct;
  6. issue a penalty, including a pecuniary penalty, in order to ensure that the financial entity continues to fulfil the requirements of this Law and the regulations adopted pursuant to this Law;
  7. submit a request, in accordance with the law, for the provision of the data traffic records held by a telecommunications operator that are relevant for determining the breach of this Law and the regulations adopted on the basis of this Law, where there is a reasonable suspicion of such a breach;
  8. issues a public notice on the breach of the law, in which it may indicate the identity of the financial entity that was subject to supervision, that is examination, the persons in that financial entity responsible for the breach of the laws and regulations adopted on the basis of this Law, as well as the nature of that breach. (6) The competent authority may order a financial entity to dismiss a member of the board of directors or another person from a management position in that financial entity when it determines that person's responsibility for breaching this Law. (7) The financial entity to which the measure referred to in paragraphs (5) or (6) of this Article has been imposed, shall implement that measure in the manner and within the time limit determined by the order to impose the measure. (8) A financial entity shall fully cooperate with the competent authority during the supervision and submit, at the request of the competent authority, for the purpose of carrying out supervision,

required written or oral explanation of the facts pertaining the subject and purpose of the supervision. Method of determining measures Article 41 (1) The competent authority shall exercise the power to impose measures referred to in Article 40 of this Law, in accordance with by the law governing the establishment and operation of a financial entity, as follows:

  1. directly;
  2. in collaboration with competent and other authorities;
  3. by delegating certain tasks to other bodies, under their responsibility; or
  4. by application to the competent judicial authority. (2) When determining the type and level of the measure referred to in Article 40 paragraph (4) of this Law, the competent authority shall take into account the extent to which the breach of this Law and the regulations adopted on the basis of this Law is intentional or results from negligence, as well as all other relevant circumstances, in particular: 1)the materiality, gravity and duration of the breach, i.e. the repetition or frequency of the breach; 2)the degree of responsibility of the financial entity, that is, the natural person responsible for the breach; 3)the financial strength of the financial entity, that is, the natural person responsible for the breach; 4)the amount of profits gained or losses avoided by the financial entity, that is, the natural person responsible for the breach, insofar as they can be determined; 5)losses for third parties caused by the breach, insofar as they can be determined; 6)the cooperation of the financial entity, that is, the natural person responsible for the breach, with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided;
  5. previous breaches and measures imposed on the financial entity, that is, the natural person responsible for the breach. (3) The measures of the competent authority imposed in accordance with the provisions of this Law must be effective, proportionate and dissuasive. Cooperation in case of a criminal offense Article 42 The competent authority shall cooperate, within its jurisdiction with judicial authorities and authorities responsible for the enforcement of criminal sanctions for the purpose of exchanging information necessary for conducting investigations and proceedings related to the implementation of sanctions for criminal offenses in the field of digital operational resilience prescribed by law. Publication of data on imposed pecuniary penalties and misdemeanours of financial entities and responsible persons in financial entities Article 43 (1) The competent authority shall, without undue delay, publish on its website information on pecuniary penalties imposed by a final order referred to in Article 40 paragraph (4) item 3) of this Law and final penalties to a financial entity and a responsible person in a financial entity imposed in misdemeanour proceedings for violating the provisions of this Law or regulations adopted pursuant to this Law. (2) The data referred to in paragraph (1) of this Article shall contain information on the type and nature of the violation, the name of the financial entity and the name and surname of the responsible persons in the financial entity to whom the penalty was imposed. (3) Notwithstanding paragraphs (1) and (2) of this Article, where the competent authority, following a case-by-case assessment, considers that the publication of the identity of the financial entity or the personal data of the responsible persons in the financial entity would be disproportionate to the

established breach, or the publication would threaten the stability of the financial market, ongoing investigative actions in criminal proceedings, or the publication would cause disproportionate damage to the financial entity or the responsible persons, where such damage could be determined, the competent authority may:

  1. defer the publication of data referred to in paragraphs (1) and (2) of this Article until the reason for non-publication cease to exist;
  2. publish it in a way that does not reveal the data referred to in paragraphs (1) and (2) of this Article, whereby such publication may also be postponed;
  3. refrain from publishing the data referred to in paragraphs (1) and (2) of this Article if it determines that the options under items 1) and 2) of this paragraph cannot sufficiently ensure the stability of the financial market or that this publication would not be proportionate to the severity of the imposed penalty. (4) Data referred to in paragraphs (1), (2) and (3) of this Article shall remain on the website of the competent authority for the period of five years from the date of publication. VIII COOPERATION OF COMPETENT AUTHORITIES WITH OTHER AUTHORITIES Cooperation with authorities from the law governing information security Article 44 (1) In implementing this Law, the competent authority, may communicate and exchange information with the authority designated as the single national contact point for information security in accordance with the law governing information security. (2) In implementing this Law, the competent authority, may communicate and exchange information with the authority which, in accordance with the law governing information security, is responsible for the protection of financial entities against cyber threats and incidents and may request relevant assistance from that authority. (3) The cooperation referred to in paragraph (2) of this Article shall be regulated by agreements between competent authorities and that authority. Cooperation with the authorities of the European Union and authorities of third countries Article 45 (1) The competent authority may, in order to strengthen cooperation in the field of ICT risk management related to the engagement of third parties, conclude agreements with supervisory and regulatory authorities of the European Union and third countries. (2) The agreements referred to in paragraph (1) of this Article may include the exchange of experiences and good practices, cooperation in reviewing the ICT risk management framework, mitigation measures, as well as the exchange of information related to the handling of ICT-related incidents. (3) Competent authorities shall cooperate with EBA, ESMA and EIOPA in conducting supervisory activities of critical ICT third-party service provider for the purpose of exchanging data, information on incidents, measures and risks, in the manner and to the extent laid down in Regulation (EU) no. 2022/2554. (4) The competent authority shall inform the EBA, ESMA and EIOPA of consolidated data on the dependence of financial entities in Montenegro on critical ICT third-party service providers, for the purpose of alignment with practices at the European Union level and participating in joint supervisory mechanisms. (5) The data referred to in paragraph (4) of this Article shall be collected and submitted from the contract registers maintained by the financial entity in accordance with this Law. (6) The competent authority shall cooperate with the Lead Overseer, designated in accordance with Article 31 paragraph (1) item b) of Regulation (EU) no. 2022/2554, in the manner and to the extent determined by the Regulation, aimed at timely exchanging all relevant information about critical ICT third-party service providers, necessary for the implementation of their competences in

accordance with the Regulation, especially in relation to risks, approaches and measures taken within the scope of the authority of the lead overseer for the purpose of conducting oversight. (7) The competent authority shall cooperate with the EBA, ESMA and EIOPA and other relevant authorities, in relation to the participation in the establishment of a mechanism for the exchange of good practices in order to improve cross-sector awareness of the state and identification of common vulnerabilities and risks in the area of cyber security, including participation in the development and implementation of the crisis and contingency management exercises, cyber-attack scenarios and other activities contributing to the establishment of an efficient and coordinated response at the level of the European Union in the event of significant cross-border ICT-related incidents or related threats with a systemic impact on the financial sector, in the manner and to the extent determined by Regulation (EU) no. 2022/2554. (8) The competent authority shall notify the European Commission, EBA, ESMA and EIOPA about: 1)regulations that regulate the requirements laid down in this Law in more detail, as well as any amendments to those regulations within the deadlines set out in Regulation (EU) 2022/2554; 2)information exchanged with judicial authorities and authorities responsible for the implementation of criminal sanctions in accordance with Article 42 of this Law. IX BUSINESS SECRECY AND PERSONAL DATA PROTECTION Keeping a business secret Article 46 (1) Any confidential information that the competent authority receives, exchanges or transmits in connection with the implementation of this Law shall be considered secret in accordance with the law and shall be subject to the obligation of secrecy. (2) The obligation to keep business secrets referred to in paragraph (1) of this Article applies to all persons employed or engaged by the competent authority, as well as all other legal or natural persons to whom the competent authority, in accordance with the law, delegates the performance of certain tasks or authorisations, including auditors and external experts. (3) Information that constitutes a business secret may not be disclosed to third parties, unless this is prescribed by this Law or another regulation. (4) All information exchanged between the competent authorities in accordance with this Law, that concerns business or operational conditions of the financial entity, and other economic or personal affairs shall be considered confidential, except where the competent authority expressly states, when submitting the information, that such information may be disclosed or where such disclosure is necessary for the conducting legal proceedings. (5) Notification and exchange of information between competent authorities, that is, between competent authorities and other authorities in accordance with this Law, shall not constitute a breach of the obligation to maintain the confidentiality of information established by a separate law. Personal data processing and protection Article 47 (1) The competent authority shall process personal data only to the extent necessary for the exercise of its powers in accordance with this Law, in particular when performing supervision and examination, requests for information, communication, publication of information, evaluation, verification, assessment and preparation of supervision plans. (2) The processing of personal data referred to in paragraph (1) of this Article shall be carried out in accordance with the law governing personal data protection. (3) Personal data referred to in paragraph (1) of this Article shall be retained only as long as necessary for the exercise of powers in connection with the supervision of a financial entity, and for a maximum period of 15 years. (4) By way of derogation from paragraph (3) of this Article, personal data may be retained for a longer period in the event of legal proceedings, i.e. until the end of the proceedings.

X REGULATIONS ON DIGITAL OPERATIONAL RESILIENCE Central Bank regulations on digital operational resilience Article 48 (1) The Central Bank shall, for the financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law, prescribe the method of conducting the assessment and submitting the data referred to in Article 17 paragraph (17) of this Law. (2) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law, prescribe in more detail:

  1. the content and the method of submitting the report on the review of the ICT risk management framework referred to in Article 11 paragraph (3) of this Law;
  2. the requirements for ICT security policies, procedures, protocols and tools referred to in Article 15 paragraph (2) of this Law;
  3. the requirements for access rights management and access control referred to in Article 15 paragraph (4) item 3) of this Law;
  4. the requirements for mechanisms for prompt detection of anomalous activities referred to in Article 16 paragraph (1) of this Law and the criteria for detecting incidents and triggering the response process referred to in Article 16 paragraph (3) of this Law;
  5. the content and implementation of the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law;
  6. the content and implementation of the ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law;
  7. the requirements for testing ICT business continuity plans referred to in Article 17 paragraph (12) of this Law. (3) The Central Bank shall prescribe in more detail:
  8. for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law: − the criteria referred to in Article 23 paragraph (1) of this Law and the materiality thresholds for determining major ICT-related incidents; − the criteria referred to in Article 23 paragraph (2) of this Law and materiality thresholds for determining significant cyber threats;
  9. data from reports on major ICT-related incidents and significant operational or security incidents related to payment that it forwards to other authorities, in accordance with the provisions of Article 24 paragraph (11) of this Law. (4) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law prescribe:
  10. the content of notifications and reports on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law, in accordance with the criteria referred to in Article 23 paragraph (1) of this Law;
  11. the deadlines for submitting notifications and reports on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law;
  12. the content of the notification about a significant cyber threat referred to in Article 24 paragraph (6) of this Law;
  13. forms and procedures for notification of a major ICT-related incident referred to in Article 24 paragraph (3) of this Law and of a significant cyber threat referred to in Article 24 paragraph (6) of this Law. (5) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law prescribe in more detail:
  14. the criteria referred to in Article 29 paragraph (4) of this Law for determining the entities that are required to carry out TLPT;
  15. requirements and standards that apply to the engagement of internal persons for the purposes of carrying out TLPT;
  16. requirements relating to:

  • the scope of TLPT referred to in Article 29 paragraphs (3) and (6) of this Law;

  • the methodology for carrying out TLPT and the procedures applied in each individual phase of testing;

  • TLPT results, completion of testing, elimination of identified deficiencies and the confirmation of conducted testing. (6) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law, prescribe more closely the content of the policy referred to in Article 33 paragraph (3) of this Law on the use of ICT services provided by third-party service providers, which support critical or important functions. (7) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law, prescribe the manner of keeping and the templates for keeping the register of information on contracts on the use of ICT services referred to in Article 34 paragraph (1) of this Law. (8) The Central Bank shall, for financial entities referred to in Article 2 paragraph (1) items 1) to 4) of this Law, prescribe in more detail the conditions for engaging subcontractors referred to in Article 38 paragraph (3) item 2) of this Law. (9) A financial entity referred to in Article 2 paragraph (1) items 1) to 4) of this Law shall act in accordance with the regulations of the Central Bank referred to in paragraphs (1) to (8) of this Article. Regulations of the Capital Market Authority on digital operational resilience Article 49 (1) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  1. to 14) of this Law, prescribe the manner of conducting the assessment and submitting the data referred to in Article 17 paragraph (17) of this Law. (2) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  2. to 14) of this Law, prescribe in more detail:

  3. the content and the manner of submitting the report on the review of the ICT risk management framework referred to in Article 11 paragraph (3) of this Law;

  4. the requirements for ICT security policies, procedures, protocols and tools referred to in Article 15 paragraph (2) of this Law;

  5. the requirements for access rights management and access control referred to in Article 15 paragraph (4) item 3) of this Law;

  6. the requirements for prompt detection mechanisms for unusual activities referred to in Article 16 paragraph (1) of this Law and the criteria for detecting incidents and activating the response process referred to in Article 16 paragraph (3) of this Law;

  7. the content and implementation of the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law;

  8. the content and the implementation of ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law;

  9. the requirements for testing ICT business continuity plans referred to in Article 17 paragraph (12) of this Law. (3) The Capital Market Authority shall prescribe in more detail:

  10. for financial entities referred to in Article 2 paragraph (1) items 5) to 14) of this Law: − criteria referred to in Article 23 paragraph (1) of this Law and materiality thresholds for determining major ICT-related incidents; − the criteria referred to in Article 23 paragraph (2) of this Law and materiality thresholds for determining significant cyber threats;

  11. data from reports on major ICT-related incidents and significant operational or security incidents related to payments forwarded to other authorities, in accordance with the provisions of Article 24 paragraph (11) of this Law. (4) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  12. to 14) of this Law prescribe:

  13. the content of the notification and report on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law, in accordance with the criteria referred to in Article 23 paragraph (1) of this Law;

  14. the deadlines for submitting notifications and reports on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law;

  15. the content of the notification about a significant cyber threat referred to in Article 24 paragraph (6) of this Law;

  16. forms and procedures for notification of a major ICT-related incident referred to in Article 24 paragraph (3) of this Law and of a significant cyber threat referred to in Article 24 paragraph (6) of this Law. (5) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  17. to 14) of this Law, prescribe in more detail:

  18. the criteria referred to in Article 29 paragraph (4) of this Law for determining entities required to carry out TLPT;

  19. the requirements and standards that apply to the engagement of internal persons for the purposes of carrying out TLPT;

  20. the requirements relating to:

  • the scope of TLPT referred to in Article 29 paragraphs (3) and (6) of this Law;
  • the methodology for carrying out TLPT and the procedures applied in each individual testing phase;
  • the TLPT results, completion of testing, elimination of identified deficiencies and confirmation of conducted testing. (6) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  1. to 14) of this Law, more closely prescribe the content of the policy referred to in Article 33 paragraph (3) of this Law on the use of ICT services provided by third-party service providers, supporting critical or important functions. (7) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  2. to 14) of this Law, prescribe the manner of keeping and the templates for keeping the register of information on contracts on the use of ICT services referred to in Article 34 paragraph (1) of this Law. (8) The Capital Market Authority shall, for financial entities referred to in Article 2 paragraph (1) items

  3. to 14) of this Law, more closely prescribe the conditions for engaging subcontractors referred to in Article 38 paragraph (3) item 2) of this Law. (9) The Capital Market Authority shall prescribe in more detail the criteria for the simplified ICT risk management framework referred to in Article 21 of this Law. (10) Financial entities referred to in Article 2 paragraph (1) items 5) to 14) of this Law shall act in accordance with the regulations of the Capital Market Authority referred to in paragraphs (1) to (9) of this Article Regulations of the Agency on digital operational resilience Article 50 (1) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, prescribe the manner of conducting the assessment and submitting data referred to in Article 17 paragraph (17) of this Law. (2) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, prescribe in more detail:

  4. the content and the manner of submitting the report on the review of the ICT risk management framework referred to in Article 11 paragraph (3) of this Law;

  5. the requirements for ICT security policies, procedures, protocols and tools referred to in Article 15 paragraph (2) of this Law;

  6. the requirements for access rights management and access control referred to in Article 15 paragraph (4) item 3) of this Law;

  7. the requirements for prompt detection mechanisms for unusual activities referred to in Article 16 paragraph (1) of this Law and the criteria for detecting incidents and activating the response process referred to in Article 16 paragraph (3) of this Law;

  8. the content and implementation of the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law;

  9. the content and implementation of ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law;

  10. the requirements for testing ICT business continuity plans referred to in Article 17 paragraph (12) of this Law. (3) The Agency shall prescribe in more detail:

  11. for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law: −criteria referred to in Article 23 paragraph (1) of this Law and materiality thresholds for determining major ICT-related incidents; −the criteria referred to in Article 23 paragraph (2) of this Law and materiality thresholds for determining significant cyber threats;

  12. data from reports on major ICT-related incidents and significant operational or security incidents related to payments forwarded to other authorities, in accordance with the provisions of Article 24 paragraph (11) of this Law. (4) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law prescribe:

  13. the content of notifications and reports on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law, in accordance with the criteria referred to in Article 23 paragraph (1) of this Law;

  14. the deadlines for submitting notifications and reports on a major ICT-related incident referred to in Article 24 paragraph (3) of this Law;

  15. the content of the notification about a significant cyber threat referred to in Article 24 paragraph (6) of this Law;

  16. forms and procedures for notification of a major ICT-related incident referred to in Article 24 paragraph (3) of this Law and of a significant cyber threat referred to in Article 24 paragraph (6) of this Law. (5) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, prescribe in more detail:

  17. the criteria referred to in Article 29 paragraph (4) of this Law for determining entities required to carry out TLPT;

  18. the requirements and standards that apply to the engagement of internal persons for the purposes of carrying out TLPT;

  19. the requirements relating to:

  • the scope of TLPT referred to in Article 29 paragraphs (3) and (6) of this Law;
  • the methodology for carrying out TLPT and the procedures applied in each individual testing phase;
  • the TLPT results, completion of testing, elimination of identified deficiencies and confirmation of conducted testing. (6) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, more closely prescribe the content of the policy referred to in Article 33 paragraph (3) of this Law on the use of ICT services provided by third-party service providers, supporting critical or important functions. (7) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, prescribe the manner of keeping and templates for keeping the register of information on contracts on the use of ICT services referred to in Article 34 paragraph (1) of this Law. (8) The Agency shall, for financial entities referred to in Article 2 paragraph (1) items 15) to 25) of this Law, more closely prescribe the conditions for engaging subcontractors referred to in Article 38 paragraph (3) item 2) of this Law. (9) A financial entity referred to in Article 2 paragraph (1) items 15) to 25) of this Law shall act in accordance with the regulations of the Agency referred to in paragraphs (1) to (8) of this Article.

Regulations of other competent authorities Article 51 (1) The regulations referred to in Article 48 of this Law, for the financial entities referred to in Article 2 paragraph (1) items 26) and 27), shall be adopted by the competent authority referred to in Article 3 paragraph (1) item 4) of this Law. (2) A financial entity referred to in Article 2 paragraph (1) items 26) and 27) of this Law shall act in accordance with the regulations referred to in paragraph (1) of this Article. XI PENALTY PROVISIONS Article 52 (1) A pecuniary penalty ranging between EUR 5,000 and EUR 40,000 shall be imposed on a legal person for a misdemeanour, where: 1)it does not have in place an internal governance and control framework that ensures an effective and prudent management of ICT risks, in accordance with Article 10 paragraphs (5) and (6) of this Law, for the purpose of reaching high level of digital operational resilience (Article 9 paragraph (2)); 2)it fails to determine an organisational unit to monitor the carrying out of arrangements concluded with ICT third-party service providers or fails to designate a member of senior management as responsible for overseeing the related risk exposure and related documentation (Article 9 paragraph (4)); 3)it does not have a sound, comprehensive and well-documented ICT risk management framework as a part of overall risk management system, which enables addressing the ICT risk quickly, efficiently and comprehensively and ensures a high level of digital operational resilience (Article 10 paragraphs (1) and (2)); 4)it fails to minimize the impact of ICT risks, in accordance with their ICT risk management framework, by deploying appropriate strategies, policies, procedures, ICT protocols and tools referred to in Article 10 paragraph (2) of this Law (Article 10 paragraph (3)); 5)it fails to provide to the competent authority, upon their request, complete and updated information on ICT risks and on their ICT risk management framework referred to in Article 10 paragraph (1) of this Law (Article 10 paragraph (4)); 6)it fails to assign the responsibility for managing and overseeing ICT risk to a control function or fails to ensure an appropriate level of independence of such control function in order to avoid conflicts of interest and segregation of functions in which ICT risk arises, control functions and internal audit functions, according to the three lines of defence model, or an internal risk management and control model (Article 10 paragraphs (5) and (6)); 7)it fails to continuously improve the ICT risk management framework referred to in Article 10 paragraph (1) of this Law on the basis of lessons derived from implementation and monitoring, and fails to review and update such a framework in accordance with Article 11 paragraph of this Law (Article 11 paragraphs (1) and (2)); 8)it fails to submit to the competent authority, upon its request, a report on the review and update of the ICT risk management framework (Article 11 paragraph (3)); 9)it fails to provide regular internal audits of the ICT risk management framework in line with the audit plan by internal auditors who possess sufficient knowledge, skills and expertise in ICT risk, in accordance with Article 11 paragraphs (4) and (5); 10) it fails to establish a formal process that enables the timely removal of key irregularities and deficiencies identified by the audit referred to in Article 11 paragraph (4) of this Law, as well as adequate verification and follow-up of that process (Article 11 paragraph (6)); 11) it fails to set out, in the digital operational resilience strategy that is an integral part of the ICT risk management framework referred to in Article 10 paragraph (1) of this Law, the manner of implementation of the framework (Article 12 paragraphs (1) and (2)); 12) it does not use or fails to keep updated ICT systems, protocols and tools, in the manner prescribed by Article 13 of this Law (Article 13);

  1. it fails to identify, classify or adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions or their roles and dependencies in relation to ICT risks (Article 14 paragraph (1));

  2. it fails to review as needed, and at least once a year, the adequacy of the classification referred to in Article 14 paragraph (1) of this Law and of any relevant documentation (Article 14 paragraph (2));

  3. it fails to identify, on a continuous basis, all sources of ICT risk, in particular the risk exposure to and from other financial entities, or fails to assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets (Article 14 paragraph (3));

  4. it fails to review on a regular basis the risk scenarios impacting ICT-supported business functions, information assets and ICT assets (Article 14 paragraph (4));

  5. it failed to perform a risk assessment upon each major change in the network and information system infrastructure and the processes or procedures affecting their ICT supported business functions, information assets or ICT assets (Article 14 paragraph (5));

  6. it fails to identify all information assets and ICT assets, including those on, network resources, hardware equipment and remote sites or fails to map information assets and ICT assets considered critical (Article 14 paragraph (6));

  7. it fails to map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets (Article 14 paragraph (7));

  8. it fails to identify and document all processes that are dependent on ICT third-party service providers, and fails to identify interconnections with ICT third-party service providers that provide services that support critical or important functions (Article 14 paragraph (8));

  9. it fails to maintain, for the purposes of Article 14 paragraphs (1), (6), (7) and (8) of this Law, relevant inventories, that must be updated regularly and every time any major change as referred to in Article 14 paragraph (5) of this Law occurs (Article 14 paragraph (9));

  10. fails to conduct, on a regular basis, and at least yearly, a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems (Article 14 paragraph (10));

  11. it fails to continuously monitor or control the security and functioning of ICT systems and tools and minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures (Article 15 paragraph (1));

  12. it fails to design, create and/or procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit (Article 15 paragraph (2));

  13. it does not use, in order to achieve the objectives referred to in Article 15 paragraph (2) of this Law, ICT solutions and processes that are appropriate within the meaning of Article 5 of this Law in the manner laid down in Article 15 paragraph (3) of this Law;

  14. it fails to act, within the ICT risk management framework, in the manner laid down in Article 15 paragraph (4) of this Law;

  15. it fails to design and implement network and infrastructure management structure referred to in Article 15 paragraph (4) item 2) of this Law in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes (Article 16 paragraph (5));

  16. the ICT change management process referred to in Article 15 paragraph (4) item 5) of this Law has not been approved by appropriate lines of management and does not have specific protocols in place as established by financial entity’s protocols (Article 15 paragraph (7);

  17. it does not have in place mechanisms to promptly detect anomalous activities, in accordance with Article 22 of this Law, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure (Article 16 paragraphs (1) and (3));

  18. fails to ensure regular testing of mechanisms to promptly detect anomalous activities in the manner prescribed in Article 28 of this Law (Article 16 paragraph (2));

  19. it fails to devote sufficient resources and capabilities to monitor user activity or to detect ICT anomalies and ICT-related incidents, in particular cyber-attacks (Article 16 paragraph (4));

  20. it failed to have in place, as data reporting service provider, systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports (Article 16 paragraph (5));

  21. it fails to put in place, within the ICT risk management framework, based on the identification requirements set out in Article 14 of this Law, a comprehensive ICT business continuity policy (Article 17 paragraphs (1) and (2));

  22. it fails to implement the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to meet the requirements referred to in Article 17 paragraph (3) of this Law;

  23. it fails to identify and implement associated ICT response and recovery plans within the ICT risk management framework (Article 17 paragraph (4));

  24. fails to ensure independent internal audit of the response and recovery plans within the ICT framework (Article 17 paragraph (5));

  25. it fails to put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced, contracted or delivered through arrangements with ICT third-party service providers (Article 17 paragraph (6));

  26. it fails to conduct, as a part of the overall business continuity policy, a business impact analysis of their exposures to severe business disruptions (Article 17 paragraph (7));

  27. it fails to assess, under the business impact analysis referred to in Article 17 paragraph (7) of this Law, the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis (Article 17 paragraph (8));

  28. it fails to consider, when conducting business impact analysis referred to in Article 17 paragraph (7) of this Law, the criticality of identified and mapped business functions, support processes, information assets, third-party dependencies, and their interdependencies (Article 17 paragraph (9));

  29. it fails to design and use ICT assets and ICT services in the manner that is fully aligned with the business impact analysis referred to in Article 17 paragraph (7) of this Law, in particular with regard to adequately ensuring the redundancy of all critical components (Article 17 paragraphs (10) and (11));

  30. it fails to test the ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law and the ICT business continuity plans referred to in Article 17 paragraph (6) of this Law in the manner laid down in Article 17 paragraphs (12) and (13) of this Law or fails to test the crisis communication plans established in accordance with Article 20 of this Law (Article 17 paragraphs (12) and (13));

  31. it fails to regularly review their ICT business continuity policy referred to in Article 17 paragraph (1) of this Law or ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law, taking into account the results of tests carried out in accordance with Article 17 paragraph (12) of this Law, audit recommendations and competent authority requirements (Article 17 paragraph (14));

  32. it fails to designate a responsible person or organisational unit for crisis management (Article 17 paragraph (15));

  33. it fails to keep, in the case of activation of the ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law or the ICT business continuity plans referred to in Article 17 paragraph (6) of this Law, readily accessible records of activities before and during disruption events (Article 17 paragraph (16));

  34. it fails to report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents (Article 17 paragraph (17));

  35. it fails to provide, as central securities and depository company, the Capital Market Authority with copies of the results of the ICT business continuity tests, or of similar exercises (Article 17 paragraph (18));

  36. it fails to develop and adopt, within the ICT risk management framework, backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum

frequency of the backup, based on the criticality of information or the confidentiality level of the data or fails to develop and adopt restoration and recovery procedures and methods (Article 18 paragraph (1)); 49) it fails to set up backup systems that can be activated in accordance with the backup policies and procedures referred to in Article 18 paragraph (1) item 1) of this Law, as well as restoration and recovery procedures and methods referred to in Article 18 paragraph (1) item 2) of this Law (Article 18 paragraph (2)); 50) it jeopardises the security of the network and information systems or the availability, authenticity, integrity or confidentiality of data by using the backup systems referred to in Article 18 paragraph (2) of this Law (Article 18 paragraph (3)); 51) fails to test periodically the backup procedures referred to in Article 18 paragraph (1) item 1) of this Law or fails to test restoration and recovery procedures and methods referred to in Article 18 paragraph (1) item 2) of this Law (Article 18 paragraph (4)); 52) it uses own systems for restoring backup data, and fails to ensure the use of ICT systems that are physically and logically segregated from the source ICT system (Article 18 paragraph (5)); 53) the ICT systems referred to in Article 18 paragraph (5) of this Law that are intended for recovery are not securely protected from any unauthorised access or ICT corruption and do not allow for the timely restoration of services making use of data and system backups as necessary (Article 18 paragraph (6)); 54) it fails to maintain the redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs (Article 18 paragraph (7)); 55) it fails to assess, as a financial entity, other than micro financial entity, the need to maintain such redundant ICT capacities referred to in Article 18 paragraph (7) of this Law based on their risk profile (Article 18 paragraph (8)); 56) it fails to take into account, when determining the recovery time and recovery point objectives for each function, the importance of that function, and in particular, whether it is a critical or important function and the potential overall impact on market efficiency (Article 18 paragraphs (9) and (10)); 57) fails to perform, when recovering from an ICT-related incident, the necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained (Article 18 paragraphs (11) and (12)); 58) it does not establish plan, as a central counterparty, that enables the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date (Article 18 paragraph (13)); 59) it fails to maintain, as data reporting service provider, adequate resources and back-up and restoration facilities in order to offer and maintain their services at all times (Article 18 paragraph (14)); 60) it fails to maintain, as a central securities and depository company, at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs (Article 18 paragraphs (15) and (16)); 61) it does not have in place capabilities or fails to designate employees to gather information on vulnerabilities, cyber threats, ICT-related incidents, and in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience (Article 19 paragraph (1)); 62) it does not put in place or fails to carry out post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, for the purpose of analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 17 paragraph (1) of this Law (Article 19 paragraphs (2) and (4)); 63) it fails to provide the competent authority, upon request, with the information on the changes that were implemented following post ICT-related incident reviews as referred to in Article 19 paragraph (2) of this Law (Article 19 paragraph (3)); 64) it fails to ensure that lessons derived from the digital operational resilience testing carried out in accordance with Articles 27 to 32 of this Law, and from real life ICT-related incidents, in particular cyber-attacks, findings on the challenges faced upon the activation of ICT response and recovery plans referred to in Article 17 paragraph (4) of this Law and ICT business continuity

plans referred to in Article 17 paragraph (6) of this Law, relevant information obtained from other entities, as well as information in relation to the competent authority requirements are timely, adequately and continuously used within the ICT risk assessment process (Article 19 paragraph (5)); 65) it does not take into consideration lessons, findings and information referred to in Article 19 paragraph (5) of this Law in an appropriate manner during the review of relevant components of the ICT risk management framework (Article 19 paragraph (6)); 66) it fails to monitor the efficiency of the implementation of their digital operational resilience strategy referred to in Article 12 paragraph (1) of this Law (Article 19 paragraph (7)); 67) it fails to record or monitor the change of total ICT risk profile over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance its cyber maturity and preparedness (Article 19 paragraph (8)); 68) it fails to develop or implement the ICT security awareness programmes and digital operational resilience training as compulsory modules in their employee training schemes (Article 19 paragraphs (10) and (11)); 69) it fails to include, where appropriate, ICT third-party service providers in their relevant training schemes in accordance with Article 38 paragraph (3) item 11) of this Law (Article 19 paragraph (12)); 70) it fails to monitor technological developments on a continuous basis, with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience (Article 19 paragraph (13)); 71) it does not keep up-to-date with the latest ICT risk management processes, in order to efficiently combat current or new forms of cyber-attacks (Article 19 paragraph (14)); 72) it does not have in place, as part of the ICT risk management framework, crisis communication plans enabling a responsible communication of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate (Article 20 paragraph (1)); 73) it fails to identify or implement, as part of the ICT risk management framework, communication policies for employees and for external stakeholders (Article 20 paragraph (2)); 74) it fails to ensure, by way of communication policies referred to in Article 20 paragraph (2) of this Law, in the part concerning employees, the need to differentiate between employees that need to be informed and employees involved in ICT risk management, or employees responsible for response and recovery stakeholders (Article 20 paragraph (3)); 75) it fails to task at least one person in the financial entity with implementing the communication strategy for ICT- related incidents and fulfil the public and media function for that purpose (Article 20 paragraph (4)); 76) it fails to meet the requirements laid down in Article 21 paragraph (2) of this Law, as a financial entity that applies the simplified ICT risk management framework in accordance with Article 21 paragraph (1) of this Law; 77) it fails to define or establish or implement an ICT-related incident management process to detect, manage and notify ICT-related incidents (Article 22 paragraph (1)); 78) it fails to record all ICT-related incidents and significant cyber threats (Article 22 paragraph (2)); 79) it fails to establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT- related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents (Article 22 paragraph (3)); 80) as part of ICT-related incident management process referred to in Article 22 paragraph (1) of this Law, it fails to act in the manner laid down in Article 22 paragraph (4) of this Law; 81) it fails to classification of ICT-related incidents or fails to determine their impact based on the criteria laid down in Article 23 paragraph (1) of this Law; 82) it fails to classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients at

risk, or the number and/or relevance of financial entities and institutions as counterparts targeted and the geographical spread of the areas at risk (Article 23 paragraph (2)); 83) it fails to report the competent authority of major ICT-related incidents (Article 24 paragraphs (1) to (5)); 84) it fails to inform the clients, without delay, of major ICT-related incident that has an impact on their financial interests or about the measures that have been taken to mitigate the adverse effects of such incident (Article 24 paragraph (8)); 85) it fails to inform the clients, where applicable, affected of any appropriate protection measures which the latter may consider taking (Article 24 paragraph (9)); 86) fails to establish, maintain or regularly review a digital operational resilience testing programme in accordance with the proportionality principle referred to in Article 5 of this Law and for the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures (Article 27 paragraph (1)); 87) the digital operational resilience testing programme referred to in Article 27 paragraph (1) of this Law, as a part of the ICT risk-management framework is not efficient or comprehensive or does not include a range of assessments, tests, methodologies, practices and tools to be implemented and applied in accordance with Articles 28 to 31 of this Law (Article 27 paragraph (2)); 88) it fails to conduct the digital operational resilience testing programme by applying a risk-based approach, or fails to duly consider the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services, as well as any other relevant factors (Article 27 paragraph (3)); 89) it fails to ensure that the digital operational resilience testing referred to in Article 27 paragraph (1) of this Law is undertaken by independent internal or external persons (Article 27 paragraph (4)); 90) where the digital operational resilience testing referred to in Article 28 paragraph (1) of this Law is undertaken by an internal person, fails to dedicate sufficient resources or fails to take measures to avoid conflicts of interest throughout the design and execution phases of the test (Article 27 paragraph (5)); 91) it fails to establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the digital operational resilience tests, or fails to establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed (Article 27 paragraph (6)); 92) it fails to conduct, at least yearly, appropriate tests on all ICT systems and applications supporting critical or important functions of that financial entity (Article 27 paragraph (7)); 93) the digital operational resilience testing programme referred to in Article 27 paragraph (1) of this Law fails to provide, in accordance with the proportionality principle referred to in Article 5 of this Law, for the execution of appropriate tests laid down in Article 28 paragraph (1) of this Law; 94) the financial entity classified as a micro financial entity fails to perform the tests referred to in Article 28 paragraph (1) of this Law in the manner prescribed in Article 28 paragraph (2) of this Law; 95) it fails to perform, as a central securities depository and clearing company or the central counterparty, vulnerability assessments before any deployment or redeployment of new or existing applications, infrastructure components, and ICT services supporting critical or important functions of the financial entity (Article 28 paragraph (3)); 96) it fails to carry out, as the financial entity referred to in Article 29 paragraph (4) of this Law, at least every three years, advanced testing by means of the threat-led penetration testing (Article 29 paragraph (1)); 97) fails to act, as a financial entity referred to in Article 29 paragraph (4) of this Law, under the established obligation to change the frequency of advanced testing (Article 29 paragraph (2)); 98) it fails to cover, as a financial entity referred to in Article 29 paragraph (4) of this Law, by way of the TLPT, several or all critical or important functions of a financial entity, or fails to carry out the TLPT on production systems supporting such functions (Article 29 paragraph (3));

  1. it fails to carry out, as a financial entity referred to in Article 29 paragraph (4) of this Law, all actions needed to plan and perform TLPT laid down in Article 29 paragraph (6) of this Law;
  2. where an ICT third-party service provider is included in the scope of TLPT, it fails to take the necessary measures and safeguards to ensure the participation of such ICT third-party service providers in the TLPT (Article 30 paragraph (1));
  3. it does not apply, in cooperation with ICT third-party service providers, the other parties involved and the testers, the efficient risk management controls to mitigate the risks of any potential impact on data, or damage to assets, and disruption to critical or important functions, services or operations (Article 30 paragraph (6));
  4. fails to provide, upon the completion of the TLPT, after reports and remediation plans have been agreed, to the competent authority, or the competent authority to which the tasks have been delegated in accordance with Article 29 paragraph (5) of this Law, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements of this Law (Article 31 paragraph (1));
  5. it fails to notify, in the case where the attestation confirming that the testing was performed was issued by an authority that is not responsible for their supervision, its competent authority of the receipt of such attestation, and along with the notification submit the summary of the relevant findings and the remediation plans (Article 31 paragraph (5));
  6. it fails to contract the external testers for every three TLPT tests (Article 32 paragraph (2));
  7. it fails to ensure that the testers used for the carrying out of TLPT meet the conditions laid down in Article 32 paragraph (3) of this Law;
  8. it fails to ensure, when using internal testers, that, in addition to the requirements set out in Article 32 paragraph (3) of this Law, the additional conditions prescribed in Article 32 paragraph (4) have been met;
  9. it fails to ensure that contract concluded with an external TLPT tester ensures a sound management of the TLPT results and that any data processing thereof, including any generation, draft, aggregation, store, report, communication or destruction, do not create risks to the financial entity (Article 32 paragraph (5));
  10. it fails to manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 10 of this Law, in accordance with the principles laid down in Article 33 paragraph (1) of this Law;
  11. it fails to adopt, or regularly review, a strategy on ICT third-party risk, taking into account the ICT multi-vendor strategy referred to in Article 12 paragraph (3) of this Law, where applicable (Article 33 paragraph (2));
  12. it fails to include in the strategy referred to in Article 33 paragraph (2) of this Law a policy on the use of ICT services supporting critical or important functions of a financial entity provided by ICT third-party service providers and fails to apply such policy on an individual basis and, where relevant, on a sub-consolidated and consolidated basis (Article 33 paragraph (3));
  13. it fails to carry out all assessments reviews and analyses prescribed in Article 33 paragraph (5) of this Law before entering into a contractual arrangement on the use of ICT services (Article 33 paragraph (5) and Article 37 paragraph (1));
  14. it fails to maintain or update, as part of its ICT risk management framework, at entity level, and at sub-consolidated and consolidated levels, a registry of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers (Article 34 paragraph (1));
  15. the information on contractual arrangements referred to in Article 34 paragraph (1) of this Law are not recorded in such a manner as to distinguish between contractual arrangements that cover ICT services supporting critical or important functions and those that do not (Article 34 paragraph (2));
  16. it fails to submit to the competent authority, at least yearly, a report on the number of new contractual arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided (Article 34 paragraph (3));
  17. it fails to make available to the competent authority, upon its request, specified sections or the full registry of information referred to in Article 34 paragraph (1) of this Law, along with other

information necessary for the competent authority to exercise supervision (Article 34 paragraph (4)); 116) it fails to inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function supported by a contractual arrangement on the use of ICT services has become critical or important (Article 34 paragraph (5)); 117) it does not enter into a contractual arrangement with an ICT third-party service provider where such third party complies with appropriate information security standards (Article 35 paragraphs (1) and (2)); 118) it fails to pre-determine, for the purpose of exercising access, review and audit rights over the ICT third-party service provider, the frequency of reviews and audits as well as the areas to be audited through adhering to commonly accepted audit standards, and, where applicable, in line with any competent authority requirement regarding the use of such standards (Article 35 paragraph (3)); 119) it fails to verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments, in the case a contractual arrangement concluded with an ICT third-party service provider referred to in Article 35 paragraph (1) of this Law covers the use of ICT services that entail high technical complexity (Article 35 paragraph (4)); 120) it fails to ensure that a contractual arrangement on the use of ICT services may be terminated in the circumstances prescribed in Article 36 paragraph (1) of this Law; 121) it fails to put in place exit strategies for ICT services supporting critical or important functions (Article 36 paragraphs (2) and (3)); 122) it fails to ensure that the termination of a contractual arrangement with third party on the use of ICT services does not lead to the consequences laid down in Article 36 paragraph (4) of this Law; 123) it fails to ensure that plans to terminate contractual arrangements referred to in Article 36 paragraph (1) of this Law are comprehensive, documented or fails to ensure that, in accordance with the proportionality principle referred to in Article 5 of this Law, are sufficiently tested and reviewed periodically (Article 36 paragraph (5)); 124) it fails to identify alternative solutions or develop transition plans enabling it to securely and integrally transfer the contracted ICT services and the relevant data from the ICT third-party service provider to alternative service providers or reincorporate them in-house, as well as to ensure their removal from the third-party that has provided the ICT services (Article 36 paragraph (6)); 125) it does not have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in Article 36 paragraph (3) of this Law (Article 36 paragraph (7)); 126) it does not weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in the digital resilience strategy of that financial entity (Article 37 paragraph (2)); 127) it does not weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country, in the case where the contractual arrangement on the use of ICT services supporting critical or important functions envisages that an ICT third-party service provider may, for the purpose of providing such services, further subcontract other ICT third-party service providers (Article 37 paragraph (3)); 128) it fails to consider the regulations that would apply in the event of the ICT third-party service provider’s insolvency, as well as any constraint that may arise in respect to the need for the urgent recovery of the financial entity’s data, in the case where a contractual arrangement on the use of ICT services concern services supporting critical or important functions (Article 37 paragraph (4)); 129) it fails to consider the compliance with the provisions of regulations governing data protection, as well as the enforceability of the law in that third country, in the case where, in addition to the considerations referred to in Article 37 paragraph (4) of this Law, a contractual

arrangement on the use of ICT services supporting critical or important functions is concluded with an ICT third-party service provider established in a third country (Article 37 paragraph (5)); 130) it fails to assess whether and how potentially long or complex chains of subcontracting may impact its ability to fully monitor the contracted functions and the ability of the competent authority to efficiently supervise that financial entity, in the case where a contractual arrangement on the use of ICT services supporting critical or important functions provides for a possibility of subcontracting (Article 37 paragraph (6)); 131) it failed to regulate the rights and obligations by a contract (Article 38 paragraph (1)); 132) the contractual arrangement on the use of ICT services is not available to the parties in paper, or electronic form which may be downloadable in accessible and durable format (Article 38 paragraph (2)); 133) the contractual arrangement on the use of ICT services does not include the elements specified in Article 38 paragraph (3) of this Law; 134) the contractual arrangement on the use of ICT services supporting critical or important functions, in addition to the elements referred to in Article 38 paragraph (3) of this Law, does not include additional elements specified in Article 38 paragraph (4) of this Law (Article 38 paragraphs (4) and (5)); 135) it fails to notify, without delay, the competent authority of its participation in an information-sharing arrangement as referred to in Article 39 paragraph (1) item 3) of this Law, or of the cessation of its participation in such arrangement (Article 39 paragraph (3)); 136) it fails to act, as a financial entity referred to in Article 2 paragraph (1) items 1) to 4) of this Law in accordance with the regulations of the Central Bank referred to in Article 48 of this Law (Article 48 paragraph (9)); 137) it fails to act, as a financial entity referred to in Article 2 paragraph (1) items 5) to 14) of this Law in accordance with the regulations of the Capital Market Authority referred to in Article 49 of this Law (Article 49 paragraph (10)); 138) it fails to act, as a financial entity referred to in Article 2 paragraph (1) items 15) to 25) of this Law in accordance with the regulations of the Agency referred to in Article 50 of this Law (Article 50 paragraph (9)); 139) it fails to act, as a financial entity referred to in Article 2 paragraph (1) items 26) and 27) of this Law in accordance with the regulations that the competent authority referred to in Article 3 paragraph (1) item 4) of this Law has passed in accordance with Article 51 of this Law (Article 51 paragraph (2)); 140) it fails to implement the measure that the competent authority imposed in accordance with Article 40 paragraphs (5) or (6) of this Law in the manner and within the time limit determined by the order to impose the measure (Article 40 paragraph (7); 141) it fails to fully cooperate with the competent authority during the supervision and fails to submit, at the request of the competent authority, for the purpose of carrying out supervision, required written or oral explanation of the facts pertaining the subject and purpose of the supervision (Article 40 paragraph (8)). (2) A pecuniary penalty ranging between EUR 2,000 and EUR 4,000 shall be imposed on a responsible person in a legal person for a misdemeanour referred to in paragraph (1) of this Article. (3) A pecuniary penalty ranging between EUR 2,000 and EUR 4,000 shall be imposed on a member in the management body of a financial entity for a misdemeanour, where it: 1)fails to define, approve or oversee all rules, procedures, processes, mechanisms, measures and resources related to the ICT risk management framework referred to in Article 10 paragraph (1) of this Law and fails to ensure their implementation, and to that end, in particular, fails to meet the requirements specified in Article 9 paragraph (3); 2) does not keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed (Article 9 paragraph (5)); 3)fails to ensure that senior ICT staff reports at least once a year to the management body on the conclusions derived from the lessons, findings and information referred to in paragraph (5) of this Article and put forward recommendations for further action (Article 19 paragraph (9));

4)fails to regularly review, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions. (Article 33 paragraph (4)). XII TRANSITIONAL AND FINAL PROVISIONS Deadline for adoption of regulations Article 53 The competent authorities shall adopt, within 18 months following the day of entry into force of this Law, the regulations for which adoption they are authorised to in accordance with Article 48 to 51 of this Law. Compliance with the provisions of this Law Article 54 A financial entity shall comply with the provisions of this Law within 24 months following the day of entry into force of this Law. Deferred application Article 55 The provisions of Article 23 paragraph (1) item 3), Article 24 paragraph (11) items 1) and 2) and paragraphs (12), (13) and (14), Article 29 paragraph (4) item 2) indent 2, Article 31 paragraph (3) item 2) and paragraph (4), Article 32 paragraph (3) item 4), Article 38 paragraph (4) item 5) indent 4, Article 45 paragraphs (3) to (8) of this Law shall be applied as of the Montenegro’s European Union accession date. Entry into force Article 56 This Law shall enter into force on the eighth day following that of its publication in the “Official Gazette of Montenegro”. Number: 10-1/26-1/4 EPA 848 XXVIII Podgorica, 2 February 2026 Parliament of Montenegro of the 28th Convocation The Speaker of the Parliament, Andrija Mandić, m.p.

∗ This Law transposes the provisions of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulation (EC) no. 1060/2009, (EU) no. 648/2012, (EU) no. 600/2014, (EU) no. 909/2014 and (EU) 2016/1011 (text with EEA relevance).

Share