Article 2 -Identification of financial entities required to perform TLPT
1)
TLPT authorities shall require all of the following financial entities to perform TLPT:
a)
Credit institutions identified as global systemically important institutions (G-SIIs) in accordance with Article 131 of Directive 2013/36/EU of the European Parliament and of the Council 15 or as other systemically important institutions (O-SIIs) or that are part of a G-SIIs or O-SIIs.
b)
Payment institutions, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 of the European Parliament and of the Council16.
c)
Electronic money institutions, exceeding in each of the previous two financial years EUR 150 billion of total value of payment transactions as defined in point (5) of Article 4 of Directive (EU) 2015/2366 or EUR 40 billion of total value of the amount of outstanding electronic money.
d)
(d) Central securities depositories;
e)
(e) Central counterparties;
f)
Trading venues with an electronic trading system that meet at least one of the following criteria:
(i) the trading venue with the highest market share in terms of turnover at national level in each of the preceding two financial years in one or more of the following:
—transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU of the European Parliament and of the Council17;
—transferable securities as defined in point (44)(b) of Article 4(1) of Directive 2014/65/EU;
—derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014 of the European Parliament and of the Council18;
—structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014 ;
- emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;
(ii) the trading venue whose market share in terms of turnover at Union level exceeds 5% in each of the preceding two financial years in one or more of the following:
—transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU19,
—transferable securities as defined in point (44)(b) of Article 4(1) of directive Directive 2014/65/EU,
—derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014,
—structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;
- emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;
For the purposes of point (ii) of this point (f), where the trading venue is part of a group using common ICT systems or the same ICT intra-group service provider, the turnover of the securities and derivatives contracts on all trading venues pertaining to the same group and established in the Union shall be considered.
(i) the trading venue with the highest market share in terms of turnover at national level in each of the preceding two financial years in one or more of the following:
—transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU of the European Parliament and of the Council17;
—transferable securities as defined in point (44)(b) of Article 4(1) of Directive 2014/65/EU;
—derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014 of the European Parliament and of the Council18;
—structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014 ;
- emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;
(ii) the trading venue whose market share in terms of turnover at Union level exceeds 5% in each of the preceding two financial years in one or more of the following:
—transferable securities as defined in point (44)(a) of Article 4(1) of Directive 2014/65/EU19,
—transferable securities as defined in point (44)(b) of Article 4(1) of directive Directive 2014/65/EU,
—derivatives as defined in Article 2(1)(29) of Regulation (EU) No 600/2014,
—structured finance products as defined in Article 2(1)(28) of Regulation (EU) No 600/2014;
- emission allowances as defined in point (11) of Section C of Annex I to Directive 2014/65/EU;
For the purposes of point (ii) of this point (f), where the trading venue is part of a group using common ICT systems or the same ICT intra-group service provider, the turnover of the securities and derivatives contracts on all trading venues pertaining to the same group and established in the Union shall be considered.
g)
Insurance and reinsurance undertakings that meet all the following criteria:
(i) gross written premium (GWP) exceeding EUR 1 500 000 000;
(ii) technical provisions exceeding EUR 10 000 000 000;
(iii) in case of life insurance undertakings, as referred to in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council20, and of insurance undertakings pursuing both life and non-life activities, total assets exceeding 3.5% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.
(i) gross written premium (GWP) exceeding EUR 1 500 000 000;
(ii) technical provisions exceeding EUR 10 000 000 000;
(iii) in case of life insurance undertakings, as referred to in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council20, and of insurance undertakings pursuing both life and non-life activities, total assets exceeding 3.5% of the sum of the total assets valuated according to Article 75 of Directive 2009/138/EC of the insurance and reinsurance undertakings established in the Member State.
2)
Financial entities referred to in points (a) to (g) of paragraph 1 shall not be required to carry out TLPT where the assessment of the criteria listed in paragraph 4 indicates that the impact of the financial entity, financial stability concerns relating to it or its ICT risk profile do not justify the performance of the TLPT.
3)
Where more than one financial entity belonging to the same group and using common ICT systems, or where more than one financial entity using the same ICT intra-group service provider meet the criteria set out in points (a) to (g) of paragraph 1, the TLPT authorities of these financial entities shall decide if the requirement to perform TLPT on an individual basis is relevant for these financial entities, in accordance with Article 14(2). Where the TLPT authority of the parent undertaking of such group is different from the TLPT authority(ies) of the financial entities referred to in the first subparagraph, it shall be consulted.
4)
TLPT authorities shall assess whether any financial entities other than those referred to in paragraph 1 shall be required to perform TLPT, taking into account their impact, systemic character and ICT risk profile, assessed on the basis of all of the following criteria:
a)
impact-related and systemic character related factors:
(i) the size of the financial entity, determined taking into account whether the financial entity provides financial services in the national or Union market and by comparing the activities of the financial entity to those of other financial entities providing similar services. Where possible, the TLPT authority shall consider the market share position at national and EU level, the range of activities offered by the financial entity and the market share of the services provided or of the activities undertaken at national and at Union level;
(ii) the extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector at national and Union level;
(iii)the criticality or importance of the services provided to the financial sector;
(iv) the substitutability of the services provided by the financial entity;
(v) the complexity of the business model of the financial entity and the related services and processes. Where possible, the TLPT authority shall consider whether the financial entity operates more than one business models and the interconnectedness of different business processes and the related services;
(vi) whether the financial entity is part of a group of systemic character at Union or national level in the financial sector and using common ICT systems;
(i) the size of the financial entity, determined taking into account whether the financial entity provides financial services in the national or Union market and by comparing the activities of the financial entity to those of other financial entities providing similar services. Where possible, the TLPT authority shall consider the market share position at national and EU level, the range of activities offered by the financial entity and the market share of the services provided or of the activities undertaken at national and at Union level;
(ii) the extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector at national and Union level;
(iii)the criticality or importance of the services provided to the financial sector;
(iv) the substitutability of the services provided by the financial entity;
(v) the complexity of the business model of the financial entity and the related services and processes. Where possible, the TLPT authority shall consider whether the financial entity operates more than one business models and the interconnectedness of different business processes and the related services;
(vi) whether the financial entity is part of a group of systemic character at Union or national level in the financial sector and using common ICT systems;
b)
ICT risk related factors:
(i) the risk profile of the financial entity;
(ii) the threat landscape of the financial entity;
(iii) the degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes;
(iv) the complexity of the ICT architecture of the financial entity;
(v) the ICT services and functions supported by ICT third-party service providers, the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers;
(vi) outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;
(vii) the maturity of ICT business continuity plans and ICT response and recovery plans;
(viii) the maturity of the operational ICT security detection and mitigation measures including the ability to monitor the financial entity’s ICT infrastructure on a permanent basis, to detect ICT-related events in real time, to analyse events, to respond to them in a timely and effective manner;
(ix) whether the financial entity is part of a group active in the financial sector at Union or national level and using common ICT systems.
(i) the risk profile of the financial entity;
(ii) the threat landscape of the financial entity;
(iii) the degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes;
(iv) the complexity of the ICT architecture of the financial entity;
(v) the ICT services and functions supported by ICT third-party service providers, the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers;
(vi) outcomes of any supervisory reviews relevant for the assessment of the ICT maturity of the financial entity;
(vii) the maturity of ICT business continuity plans and ICT response and recovery plans;
(viii) the maturity of the operational ICT security detection and mitigation measures including the ability to monitor the financial entity’s ICT infrastructure on a permanent basis, to detect ICT-related events in real time, to analyse events, to respond to them in a timely and effective manner;
(ix) whether the financial entity is part of a group active in the financial sector at Union or national level and using common ICT systems.