Art. 22. - Art. 22: Security Requirements and Control Procedures - Decizia BCE/2007/7/24-iul-2007 privind termenii şi condiţiile TARGET2-ECB

Acte UE

Jurnalul Oficial 237L

Ieşit din vigoare
Versiune de la: 13 Iunie 2022
Art. 22: Security Requirements and Control Procedures
1.Participants shall implement adequate security controls to protect their systems from unauthorised access and use. Participants shall be exclusively responsible for the adequate protection of the confidentiality, integrity and availability of their systems.
2.Participants shall inform the ECB of any security-related incidents in their technical infrastructure and, where appropriate, security-related incidents that occur in the technical infrastructure of the third party providers. The ECB may request further information about the incident and, if necessary, request that the participant take appropriate measures to prevent a recurrence of such an event.
3.The ECB may impose additional security requirements, in particular with regard to cybersecurity or the prevention of fraud, on all participants and/or on participants that are considered critical by the ECB.
4.Participants shall provide the ECB with: (i) permanent access to their attestation of adherence to their chosen network service provider’s endpoint security requirements, and (ii) on an annual basis the TARGET2 self-certification statement as published on the ECB’s website in English.
4a. The ECB shall assess the participant’s self-certification statement(s) on the participants level of compliance with each of the requirements set out in the TARGET2 self-certification requirements. These requirements are listed in Appendix VII, which in addition to the other Appendices listed in Article 2(1), shall form an integral part of these Conditions.
4b. The participant’s level of compliance with the requirements of the TARGET2 self-certification shall be categorised as follows, in increasing order of severity: "full compliance"; "minor non-compliance"; or "major non-compliance". The following criteria apply: full compliance is reached where participants satisfy 100% of the requirements; minor non-compliance is where a participant satisfies less than 100% but at least 66% of the requirements and major non-compliance where a participant satisfies less than 66% of the requirements. If a participant demonstrates that a specific requirement is not applicable to it, it shall be considered as compliant with the respective requirement for the purposes of the categorisation. A participant which fails to reach "full compliance" shall submit an action plan demonstrating how it intends to reach full compliance. The ECB shall inform the relevant supervisory authorities of the status of such participant’s compliance.
4c. If the participant refuses to grant permanent access to its attestation of adherence to their chosen NSPs endpoint security requirements or does not provide the TARGET2 self-certification the participant’s level of compliance shall be categorised as "major non-compliance".
4d. The ECB shall reassess compliance of participants on an annual basis.
4e. The ECB may impose the following measures of redress on participants whose level of compliance was assessed as minor or major non-compliance, in increasing order of severity:
(i)enhanced monitoring: the participant shall provide the ECB with a monthly report, signed by a senior executive, on their progress in addressing the non-compliance. The participant shall additionally incur a monthly penalty charge for each affected account equal to its monthly fee as set out in paragraph 1 of Appendix VI excluding the transaction fees. This measure of redress may be imposed in the event the participant receives a second consecutive assessment of minor non-compliance or an assessment of major non-compliance;
(ii)suspension: participation in TARGET2-ECB may be suspended in the circumstances described in Article 28(2)(b) and (c) of this Annex. By way of derogation from Article 28 of this Annex, the participant shall be given three months" notice of such suspension. The participant shall incur a monthly penalty charge for each suspended account of double its monthly fee as set out in paragraph 1 of Appendix VI, excluding the transaction fees. This measure of redress may be imposed in the event the participant receives a second consecutive assessment of major non-compliance;
(iii)termination: participation in TARGET2-ECB may be terminated in the circumstances described in Article 28(2)(b) and (c) of this Annex. By way of derogation from Article 28 of this Annex, the participant shall be given three months" notice of such termination. The participant shall incur an additional penalty charge of EUR 1000 for each terminated account. This measure of redress may be imposed if the participant has not addressed the major non-compliance to the satisfaction of the ECB following three months of suspension.