Laws and regulations

Acts and directly applicable EU regulations

• Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 (external link) on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

EU Level 2 EU regulations

• Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
• Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
• Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
• Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
• Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities