Decision (EU) 2022/1982 of the European Central Bank of 10 October 2022 on the us... (32022D1982)
EU - Rechtsakte: 01 General, financial and institutional matters

DECISION (EU) 2022/1982 OF THE EUROPEAN CENTRAL BANK

of 10 October 2022

on the use of services of the European System of Central Banks by competent authorities and by cooperating authorities, and amending Decision ECB/2013/1

(ECB/2022/34)

THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127 and Article 132(1) thereof,
Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 12.1 in conjunction with Articles 3.1 and 12.3, and Article 34 thereof,
Whereas:
(1) Services of the European System of Central Banks (ESCB) are provided to central banks within the ESCB to indirectly support the performance of their tasks. The ESCB services are developed, run and maintained by one or more central banks (hereinafter the ‘providing central banks’) and steered by an ESCB Committee (hereinafter the ‘System Owner Committee’). The ESCB services are financed by ESCB participating central banks (hereinafter the ‘participating central banks’), whose respective contributions are defined in financial envelopes approved by the Governing Council. The rights and obligations of the participating central banks are set out in European Central Bank (ECB) legal acts, as is the case for the ESCB public key infrastructure (ESCB-PKI), and/or in agreements between the participating central banks.
(2) The legal frameworks for the provision of certain ESCB services currently do not provide for their use by parties that are not central banks within the ESCB.
(3) The Governing Council considers it appropriate to allow competent authorities to use these services for the purpose of cooperating with the ESCB and with each other, in order to carry out their tasks within the Single Supervisory Mechanism (SSM), established pursuant to Council Regulation (EU) No 1024/2013 (1) on the basis of Article 127(6) of the Treaty.
(4) Competent authorities that use the ESCB services for these purposes should comply with the legal framework governing each ESCB service, taking into account that competent authorities are not part of the governance framework of the ESCB. In particular, such competent authorities should contribute to the costs of developing and operating the services according to a defined reimbursement framework, which should be based on a cost allocation key.
(5) The Governing Council also considers it appropriate to allow cooperating authorities to use these services for the purpose of cooperating with the ESCB or the SSM in carrying out their tasks, including the tasks of the ECB under Regulation (EU) No 1024/2013.
(6) Cooperating authorities that decide to use these services should comply with the legal framework governing each ESCB service, taking into account that cooperating authorities are not part of the governance framework of the ESCB. Where relevant, cooperating authorities should contribute to the costs of developing and operating the services according to a defined reimbursement framework, which should be based on a cost allocation key.
(7) Therefore, the ESCB services that should be made available to competent authorities and cooperating authorities should be defined by reference to an exhaustive list including ESCB services that the competent authorities are required to use, as well as those that they may use.
(8) In addition, Decision ECB/2013/1 of the European Central Bank (2) should be amended to allow cooperating authorities to use ESCB-PKI services in order to access and use ESCB services,
HAS ADOPTED THIS DECISION:

Article 1

Definitions

For the purposes of this Decision, the following definitions apply:
(1) ‘competent authority’ means either a national competent authority or the European Central Bank (ECB);
(2) ‘national competent authority’ (NCA) means a national competent authority as defined in point (2) of Article 2 of Regulation (EU) No 1024/2013 and, for the purposes of this Decision, also includes, in respect of the supervisory tasks assigned to them, national central banks that have been assigned certain supervisory tasks under national law and are not designated as NCAs;
(3) ‘participating competent authority’ means a competent authority that uses the ESCB services for the purpose of cooperating with the ESCB and with other competent authorities, in order to carry out its tasks within the Single Supervisory Mechanism (SSM), established pursuant to Regulation (EU) No 1024/2013;
(4) ‘cooperating authority’ means a public authority, other than a central bank within the ESCB or a competent authority, with which the ESCB or the SSM cooperates in carrying out the tasks of the ESCB or of the ECB under Regulation (EU) No 1024/2013;
(5) ‘ESCB services’ means any one or more of the electronic applications, systems, platforms, databases and services listed in Annex I;
(6) ‘providing central bank’ means a central bank developing, running and maintaining an ESCB service;
(7) ‘System Owner Committee’ means an ESCB Committee steering an ESCB service.

Article 2

Use of ESCB services by competent authorities

1.   Competent authorities may use ESCB services for the purpose of cooperating with the ESCB or with each other in carrying out their tasks under Regulation (EU) No 1024/2013.
2.   Competent authorities that use ESCB services shall comply with the requirements set out in Annex II. They shall submit a declaration to the Governing Council by which they confirm their participation and accept compliance with the related obligations, including the obligation to pay their contributions directly to the providing central bank in accordance with Article 4. No such declaration shall be required if the competent authorities are subject to the requirements set out in Annex II by way of a decision of the Governing Council that competent authorities shall use ESCB services.
3.   Competent authorities that use ESCB services shall comply with the legal framework governing each ESCB service, including the agreements between the participating and providing central banks. The agreements between the parties may establish direct contractual relationships between the providing central banks and the competent authorities.
4.   NCAs that use ESCB services may participate in the proceedings of the respective System Owner Committee as observers in a consulting capacity. The System Owner Committee shall ensure that NCAs’ views are sufficiently reflected in the decision-making processes.

Article 3

Use of ESCB services by cooperating authorities

1.   Subject to the approval of the Governing Council, a cooperating authority may use ESCB services for the purpose of cooperating with the ESCB or the SSM in carrying out the tasks of the ESCB and the tasks of the ECB under Regulation (EU) No 1024/2013.
2.   Cooperating authorities that decide to use ESCB services shall submit a declaration to the Governing Council by which they confirm their participation and accept compliance with the related obligations, set out in Annex II, including the obligation to pay their contributions directly to the providing central bank in accordance with Article 4.
3.   Cooperating authorities that decide to use ESCB services shall comply with the legal framework governing each ESCB service, including the agreements between the participating and providing central banks. The agreements between the parties may establish a direct contractual relationship between the providing central banks and the cooperating authorities. Cooperating authorities shall not participate in the proceedings of the respective System Owner Committee.

Article 4

Financial arrangements

Participating central banks and participating competent authorities shall bear the costs of developing and operating the respective ESCB service in accordance with a defined reimbursement framework, which is based on a cost allocation key, as further specified in the respective financial envelopes following the applicable reimbursement rules. Where relevant, cooperating authorities shall contribute to the costs of the respective ESCB service in accordance with a specific reimbursement framework.

Article 5

Amendment of Decision ECB/2013/1

Decision ECB/2013/1 is amended as follows:
(1) in Article 1, the following definitions are added:
‘19.
“competent authority” means either a national competent authority or the ECB;
20.
“national competent authority” (NCA) means a national competent authority as defined in point (2) of Article 2 of Council Regulation (EU) No 1024/2013
 (
*1
)
and, for the purposes of this Decision, also includes, in respect of the supervisory tasks assigned to them, national central banks that have been assigned certain supervisory tasks under national law and are not designated as NCAs;
21.
“cooperating authority” means a public authority, other than a central bank within the ESCB or a competent authority, with which the ESCB or the Single Supervisory Mechanism (SSM) cooperates in carrying out the tasks of the ESCB or of the ECB under Regulation (EU) No 1024/2013;
22.
“participating competent authority” means a competent authority that uses the ESCB services for the purpose of cooperating with the ESCB and with other competent authorities, in order to carry out its tasks within the Single Supervisory Mechanism (SSM), established pursuant to Regulation (EU) No 1024/2013.
(
*1
)
  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (
OJ L 287, 29.10.2013, p. 63
).’;"
(2) the following Article 9a is inserted:

‘Article 9a

Use of the ESCB-PKI services by cooperating authorities

1.   Subject to the approval of the Governing Council, a cooperating authority may use the ESCB-PKI services in order to access and use ESCB and Eurosystem electronic applications, systems, platforms, databases and services for the purpose of cooperating with the ESCB or with the SSM and may act for that purpose as a registration authority for its internal users.
2.   Cooperating authorities that decide to use the ESCB-PKI services shall submit a declaration to the Governing Council by which they confirm their use of the services and accept compliance with the related obligations.
3.   Cooperating authorities that decide to use the ESCB-PKI services shall comply with the applicable legal framework, including the Level 2 – Level 3 Agreement.’;
(3) Article 14 is replaced by the following:

‘Article 14

Financial arrangements

Participating central banks and participating competent authorities shall bear the costs of developing and operating the ESCB-PKI services according to a defined reimbursement framework, which is based on a cost allocation key, as further specified in the ESCB-PKI financial envelopes following the applicable reimbursement rules. Cooperating authorities shall contribute to the costs in accordance with a specific reimbursement framework.’.

Article 6

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Frankfurt am Main, 10 October 2022.
The President of the ECB
Christine LAGARDE
(1)  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (
OJ L 287, 29.10.2013, p. 63
).
(2)  Decision ECB/2013/1 of the European Central Bank of 11 January 2013 laying down the framework for a public key infrastructure for the European System of Central Banks (
OJ L 74, 16.3.2013, p. 30
).

ANNEX I

ESCB services to be made available to competent authorities and cooperating authorities

— CoreNet3
— Enterprise Service Bus (ESB)
— ESCB Public Key Infrastructure (ESCB PKI)
— Identity and Access Management Service (IAM)
— Secure ESCB Email (SEE)
— ESCB Teleconference System
— ESCB Performing Survey Initiative LimeSurvey-based Solution (EPSILON)
— ENTM modelling tool and repository (ENTM)

ANNEX II

Requirements for competent authorities’ use of ESCB services

(1) Competent authorities must carry out the tasks and assume the responsibilities corresponding to their role in the relevant ESCB service.
(2) Competent authorities must adjust their internal systems and interfaces to operate seamlessly with the ESCB service.
(3) Competent authorities will be liable for any loss or damage incurred as a result of any deliberate or negligent action and/or omission in performing their obligations. The limitations of liability laid down in the Level 2 – Level 3 Agreement will apply accordingly.
(4) Competent authorities will bear the burden of proof of demonstrating that they have not breached their duty of reasonable care in performing their obligations, including in operating the technical facilities.
(5) Outsourcing, delegation or subcontracting by a competent authority to third parties will be without prejudice to the liability of that competent authority.
Competent authorities may only outsource, delegate or subcontract to a third party tasks that have or may have a material impact on compliance with the requirements set forth in this Annex to the extent that they have obtained the express, prior and written consent (or deemed consent as provided for in paragraph (6)) of the Eurosystem central banks, or the ESCB central banks, as the case may be. No such consent is needed if the third party is a joint affiliate of the relevant competent authority and if that competent authority’s rights and obligations remain materially unchanged.
(6) Competent authorities must give reasonable prior notice of any planned outsourcing, delegation or subcontracting as referred to in paragraph 5 and must provide details of the requirements that are proposed to apply to such outsourcing, delegation or subcontracting.
The competent ESCB Committee must respond to any request for consent under paragraph 5 within two months of it being notified of the planned outsourcing, delegation or subcontracting. Any refusal to grant consent must be accompanied by the reasons for such refusal. If the competent authority receives no response within the two-month deadline, it may notify the competent ESCB Committee of its request once again. The Eurosystem central banks, or ESCB central banks, as the case may be, will have one further month within which to respond to the second notification. If there is no response within that time period, the competent authority will be deemed to have received consent to proceed with the outsourcing, delegation or subcontracting.
(7) Competent authorities must keep confidential all sensitive, secret or confidential information and know-how (whether such information is of a commercial, financial, regulatory, technical or other nature) that is marked as such and belongs to the providing central bank and/or to other ESCB/Eurosystem central banks, and may not disclose such information to any third party without the express, prior and written consent of the central bank(s) concerned.
(8) Competent authorities must restrict access to the information or know-how referred to in paragraph 7 to their relevant technical staff, and such access may only be exercised in cases of clear operational need.
(9) Competent authorities must establish appropriate measures to prevent access to such confidential information or know-how by persons other than the relevant technical staff.
(10) In the exceptional case that the usage of the ESCB service involves the processing of personal data by the competent authority, the competent authority must comply with the applicable data protection legislation. The Eurosystem central banks, or ESCB central banks, as the case may be, must determine the purposes for which and the means by which personal data may be processed. In relation to the processing of personal data the competent authority and the Eurosystem central banks, or ESCB central banks, as the case may be, should seek to conclude a contract that clarifies the necessary aspects of the controller–processor relationship.
The competent authority must declare to the competent data protection authorities, if so required under the data protection legislation applicable to its processing of personal data, the processing of personal data in the context of the relevant ESCB service.
(11) Access to personal data may be granted only to those with a need to know in order to perform their tasks and fulfil their responsibilities in relation to the relevant ESCB service.
Markierungen
Leseansicht