ART 1 Subject matter

ART 2 Scope

ART 3 Definitions

ART 4 Proportionality principle

ART 5 Governance and organisation

ART 6 ICT risk management framework

ART 7 ICT systems, protocols and tools

ART 8 Identification

ART 9 Protection and prevention

ART 10 Detection

ART 11 Response and recovery

ART 12 Backup policies and procedures, restoration and recovery procedures and methods

ART 13 Learning and evolving

ART 14 Communication

ART 15 Further harmonisation of ICT risk management tools, methods, processes and policies

ART 16 Simplified ICT risk management framework

ART 17 ICT-related incident management process

ART 18 Classification of ICT-related incidents and cyber threats

ART 19 Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

ART 20 Harmonisation of reporting content and templates

ART 21 Centralisation of reporting of major ICT-related incidents

ART 22 Supervisory feedback

ART 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

ART 24 General requirements for the performance of digital operational resilience testing

ART 25 Testing of ICT tools and systems

ART 26 Advanced testing of ICT tools, systems and processes based on TLPT

ART 27 Requirements for testers for the carrying out of TLPT

ART 28 General principles

ART 29 Preliminary assessment of ICT concentration risk at entity level

ART 30 Key contractual provisions

ART 31 Designation of critical ICT third-party service providers

ART 32 Structure of the Oversight Framework

ART 33 Tasks of the Lead Overseer

ART 34 Operational coordination between Lead Overseers

ART 35 Powers of the Lead Overseer

ART 36 Exercise of the powers of the Lead Overseer outside the Union

ART 37 Request for information

ART 38 General investigations

ART 39 Inspections

ART 40 Ongoing oversight

ART 41 Harmonisation of conditions enabling the conduct of the oversight activities

ART 42 Follow-up by competent authorities

ART 43 Oversight fees

ART 44 International cooperation

ART 45 Information-sharing arrangements on cyber threat information and intelligence

ART 46 Competent authorities

ART 47 Cooperation with structures and authorities established by Directive (EU) 2022/2555

ART 48 Cooperation between authorities

ART 49 Financial cross-sector exercises, communication and cooperation

ART 50 Administrative penalties and remedial measures

ART 51 Exercise of the power to impose administrative penalties and remedial measures

ART 52 Criminal penalties

ART 53 Notification duties

ART 54 Publication of administrative penalties

ART 55 Professional secrecy

ART 56 Data Protection

ART 57 Exercise of the delegation

ART 58 Review clause

ART 59 Amendments to Regulation (EC) No 1060/2009

ART 60 Amendments to Regulation (EU) No 648/2012

ART 61 Amendments to Regulation (EU) No 909/2014

ART 62 Amendments to Regulation (EU) No 600/2014

ART 63 Amendment to Regulation (EU) 2016/1011

ART 64 Entry into force and application