In essence, the obligations placed on financial entities can be divided into four main categories. The responsibility lies mainly with the "management body", defined as
…the body or bodies of an investment firm, market operator or data reporting services provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity.
In Norway and Sweden, this is effectively the board of directors of the financial entity.
The main categories of obligations are summarized as follows:
- Governance and control (Article 4)
  The management body is tasked with a number of duties to "define, approve, oversee and be accountable" for the arrangements that make up the ICT risk management framework outlined below. The management body shall, for example:
  - bear financial responsibility for the entity's ICT risks;
  - determine the ICT risk tolerance level;
  - approve and periodically review the entity's ICT business continuity policy and ICT disaster recovery plan; and
  - be duly informed about ICT-related incidents and their impact.
- ICT risk management (Articles 5 to 14)
  These provisions require the entity to maintain an ICT risk management framework. Article 5 outlines the most important contents of this framework, while Articles 6 to 14 elaborate on those contents and the corresponding procedures.
- Reporting of ICT-related incidents (Articles 15 to 20)
  These provisions specify the processes necessary to properly manage ICT-related incidents, including detecting, classifying, reviewing, and reporting them to the supervisory authorities.
- ICT third-party risk (Articles 25 to 39)
  These provisions address third-party risk. Because ICT services are often outsourced or contracted to third parties, assessing and mitigating third-party risk is essential. The obligations include implementing a number of specific clauses in contracts with third parties, making the assessment of third-party risk an integrated part of ICT risk management, and prohibiting the use of ICT services that do not comply with "high, appropriate and the latest information security standards".
Additionally, businesses designated by the government as "significant" (e.g. essential payment service providers) are required to complete performance testing of their operational resilience (Articles 21 to 24).