0004014
JC 2024 54, Final Report Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554
European Banking Authority
Regulations
Free
Joint draft Regulatory Technical Standards on the criteria for determining the composition of the joint examination team (JET)
JC 2024 54, Final Report Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554
2024-07-17
The document as a whole was last reviewed and released on 2024-12-10T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within JC 2024 54, Final Report Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554 that has been tagged with its primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for JC 2024 54, Final Report Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554 are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have), its glossary, or, for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun and Limiting Term are marked by highlighting in the original; Mandated - bold, Implied - italic, Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When nominating the members of the joint examination teams, the authorities shall assess their technical expertise, qualifications and skills in ICT and relevant areas, including communication and collaboration skills, as well as audit and supervision skills. Article 2 6. {take appropriate action} {be adequate} The Lead Overseer and the authorities shall take all appropriate and possible measures to ensure the joint examination team is staffed adequately in accordance with the annual individual oversight plan. Article 2 8.] | Testing | Detective | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive |
Common Control | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team. Article 4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a public oversight system. CC ID 17284 | Business Processes | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 [In case the individual annual oversight plan is significantly revised during the year by the Lead Overseer, the Lead Overseer shall involve the joint examination team in the process of the revision and execution of the individual annual oversight plan according to point (a) of paragraph 2. Article 1 3. The Lead Overseer and the nominating authorities shall establish arrangements to implement the requirements in this Regulation, including arrangements on the time spent and estimated costs related to the oversight activities. {oversight activities} {examination team} The Lead Overseer and the nominating authorities shall ensure that the arrangements referred to in paragraph 4 are timely implemented, reviewed and kept up to date. Article 5 5.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Communicate | Preventive | |
Establish, implement, and maintain an oversight team. CC ID 17303 [{be critical} {be responsible} After the first designation of the ICT third-party service provider as critical in accordance with Article 31(1) of Regulation (EU) 2022/2554, the Lead Overseer, in agreement with the joint oversight network, shall establish the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 1. The Lead Overseer shall define the number of members of the joint examination team and its composition in agreement with the Joint Oversight Network and in consultation with the Oversight Forum, as part of the process of establishment of the joint examination team, and as required over time, taking into account the tasks included in the individual annual oversight plans drafted for each critical ICT third-party service provider overseen by the joint examination team. To define the number and the composition of members in the joint examination team, the Lead Overseer shall consider at least the following: Article 3 1. {be responsible} When material changes regarding the critical ICT third-party service provider occur, the Lead Overseer may consider to update the composition of the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 2. ¶ 1 The Lead Overseer may require the nominating authorities to modify their nominations only in justified circumstances and when the profiles of the nominated individuals do not match the profile of the resources needed. Article 2 7. {if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team. Article 4 ¶ 1 The Lead Overseer shall appoint the nominated individuals as members of the joint examination team either on a full-time or on a part-time basis depending on their availability, the specific needs of the Lead Overseer, and the agreement between the nominating authority and the Lead Overseer. Article 2 5. {multiple} The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall nominate one or more individuals from their staff to be appointed as members of the joint examination team. An individual may be nominated and appointed as member of one or more joint examination teams. Article 2 4. The Lead Overseer shall identify the number of members of the joint examination team and its composition according to Article 3(1), and depending on the envisaged level of intensity of oversight activities to be performed in relation to all critical ICT third-party service providers. Article 2 3.] | Process or Activity | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [{be capable} {ICT third-party service provider} {manage} {risk} The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in performing the The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: collecting and assessing the information submitted by the critical ICT third-party service provider according to Article 37 of Regulation (EU) 2022/2554 and Chapter II of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. c) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting general investigations on the critical ICT third-party service providers according to Article 38 of Regulation (EU) 2022/2554; Article 1 2. d) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting inspections of the critical ICT third-party service providers according to Article 39 of Regulation (EU) 2022/2554; Article 1 2. e) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: drafting the recommendations The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assessing the remediation plan and the progress reports as defined in Article 4 of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. g) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: preparing and drafting the requests and decisions to the critical ICT third-party service provider referred to in Article 35(6), Article 37(1), Article 38(4), and Article 39(6) of Regulation (EU) 2022/2554; Article 1 2. h) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: ensuring that the relevant information relating to financial entities making use of the services provided by the critical ICT third-party service providers are shared with the Lead Overseer; Article 1 2. j) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in the preparation and drafting of the individual annual oversight plan describing the annual oversight objectives and the main oversight activities planned for each critical ICT third-party service provider that are to be carried out by the Lead Overseer and the joint examination team; Article 1 2. a) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in its contribution to horizontal oversight activities, including in the development of benchmarking, as referred to in Article 32(3) of Regulation (EU) 2022/2554; Article 1 2. i) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in unplanned ad hoc activities deemed necessary by the Lead Overseer for the purpose of oversight. Article 1 2. k) The members of the joint examination team shall be involved either in the execution of specific tasks, or in the ongoing support of the activities carried out by the Lead Overseer, considering the tasks defined in Article 1(2) of this Regulation. Article 3 3. The joint examination team shall assist the Lead Overseer in conducting oversight activities, including the individual oversight plan adopted annually according to Article 33(4) of Regulation (EU) 2022/2554. Article 1 1. The members of the joint examination team shall carry out their tasks identified in the individual annual oversight plan with due | Establish/Maintain Documentation | Preventive |
Common Control | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [When carrying out oversight tasks, the members of the joint examination team shall follow oversight procedures drafted jointly by the European Supervisory Authorities in relation to the conduct of oversight activities and any relevant operational area, including but not limited to specifications relating to the use of IT tools and equipment, and time management. Article 5 2. The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Establish/Maintain Documentation | Preventive |
Common Control | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a public oversight system. CC ID 17284 | Leadership and high level objectives | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team. Article 4 ¶ 1] | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 [In case the individual annual oversight plan is significantly revised during the year by the Lead Overseer, the Lead Overseer shall involve the joint examination team in the process of the revision and execution of the individual annual oversight plan according to point (a) of paragraph 2. Article 1 3. The Lead Overseer and the nominating authorities shall establish arrangements to implement the requirements in this Regulation, including arrangements on the time spent and estimated costs related to the oversight activities […] {oversight activities} {examination team} The Lead Overseer and the nominating authorities shall ensure that the arrangements referred to in paragraph 4 are timely implemented, reviewed and kept up to date. Article 5 5.] | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [{be capable} {ICT third-party service provider} {manage} {risk} The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in performing the […] The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: collecting and assessing the information submitted by the critical ICT third-party service provider according to Article 37 of Regulation (EU) 2022/2554 and Chapter II of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. c) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting general investigations on the critical ICT third-party service providers according to Article 38 of Regulation (EU) 2022/2554; Article 1 2. d) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting inspections of the critical ICT third-party service providers according to Article 39 of Regulation (EU) 2022/2554; Article 1 2. e) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: drafting the recommendations […] The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assessing the remediation plan and the progress reports as defined in Article 4 of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. g) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: preparing and drafting the requests and decisions to the critical ICT third-party service provider referred to in Article 35(6), Article 37(1), Article 38(4), and Article 39(6) of Regulation (EU) 2022/2554; Article 1 2. h) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: ensuring that the relevant information relating to financial entities making use of the services provided by the critical ICT third-party service providers are shared with the Lead Overseer; Article 1 2. j) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in the preparation and drafting of the individual annual oversight plan describing the annual oversight objectives and the main oversight activities planned for each critical ICT third-party service provider that are to be carried out by the Lead Overseer and the joint examination team; Article 1 2. a) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in its contribution to horizontal oversight activities, including in the development of benchmarking, as referred to in Article 32(3) of Regulation (EU) 2022/2554; Article 1 2. i) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in unplanned ad hoc activities deemed necessary by the Lead Overseer for the purpose of oversight. Article 1 2. k) The members of the joint examination team shall be involved either in the execution of specific tasks, or in the ongoing support of the activities carried out by the Lead Overseer, considering the tasks defined in Article 1(2) of this Regulation. Article 3 3. The joint examination team shall assist the Lead Overseer in conducting oversight activities, including the individual oversight plan adopted annually according to Article 33(4) of Regulation (EU) 2022/2554. Article 1 1. The members of the joint examination team shall carry out their tasks identified in the individual annual oversight plan with due […]] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [When carrying out oversight tasks, the members of the joint examination team shall follow oversight procedures drafted jointly by the European Supervisory Authorities in relation to the conduct of oversight activities and any relevant operational area, including but not limited to specifications relating to the use of IT tools and equipment, and time management. Article 5 2. The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an oversight team. CC ID 17303 [{be critical} {be responsible} After the first designation of the ICT third-party service provider as critical in accordance with Article 31(1) of Regulation (EU) 2022/2554, the Lead Overseer, in agreement with the joint oversight network, shall establish the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 1. The Lead Overseer shall define the number of members of the joint examination team and its composition in agreement with the Joint Oversight Network and in consultation with the Oversight Forum, as part of the process of establishment of the joint examination team, and as required over time, taking into account the tasks included in the individual annual oversight plans drafted for each critical ICT third-party service provider overseen by the joint examination team. To define the number and the composition of members in the joint examination team, the Lead Overseer shall consider at least the following: Article 3 1. {be responsible} When material changes regarding the critical ICT third-party service provider occur, the Lead Overseer may consider to update the composition of the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 2. ¶ 1 The Lead Overseer may require the nominating authorities to modify their nominations only in justified circumstances and when the profiles of the nominated individuals do not match the profile of the resources needed. Article 2 7. {if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team. Article 4 ¶ 1 The Lead Overseer shall appoint the nominated individuals as members of the joint examination team either on a full-time or on a part-time basis depending on their availability, the specific needs of the Lead Overseer, and the agreement between the nominating authority and the Lead Overseer. Article 2 5. {multiple} The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall nominate one or more individuals from their staff to be appointed as members of the joint examination team. An individual may be nominated and appointed as member of one or more joint examination teams. Article 2 4. The Lead Overseer shall identify the number of members of the joint examination team and its composition according to Article 3(1), and depending on the envisaged level of intensity of oversight activities to be performed in relation to all critical ICT third-party service providers. Article 2 3.] | Leadership and high level objectives | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When nominating the members of the joint examination teams, the authorities shall assess their technical expertise, qualifications and skills in ICT and relevant areas, including communication and collaboration skills, as well as audit and supervision skills. Article 2 6. {take appropriate action} {be adequate} The Lead Overseer and the authorities shall take all appropriate and possible measures to ensure the joint examination team is staffed adequately in accordance with the annual individual oversight plan. Article 2 8.] | Human Resources management | Detective | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When nominating the members of the joint examination teams, the authorities shall assess their technical expertise, qualifications and skills in ICT and relevant areas, including communication and collaboration skills, as well as audit and supervision skills. Article 2 6. {take appropriate action} {be adequate} The Lead Overseer and the authorities shall take all appropriate and possible measures to ensure the joint examination team is staffed adequately in accordance with the annual individual oversight plan. Article 2 8.] | Human Resources management | Testing | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a Quality Management program. CC ID 07201 [{if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. Article 4 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a public oversight system. CC ID 17284 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain an oversight plan. CC ID 17302 [In case the individual annual oversight plan is significantly revised during the year by the Lead Overseer, the Lead Overseer shall involve the joint examination team in the process of the revision and execution of the individual annual oversight plan according to point (a) of paragraph 2. Article 1 3. The Lead Overseer and the nominating authorities shall establish arrangements to implement the requirements in this Regulation, including arrangements on the time spent and estimated costs related to the oversight activities. {oversight activities} {examination team} The Lead Overseer and the nominating authorities shall ensure that the arrangements referred to in paragraph 4 are timely implemented, reviewed and kept up to date. Article 5 5.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an oversight team. CC ID 17303 [{be critical} {be responsible} After the first designation of the ICT third-party service provider as critical in accordance with Article 31(1) of Regulation (EU) 2022/2554, the Lead Overseer, in agreement with the joint oversight network, shall establish the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 1. The Lead Overseer shall define the number of members of the joint examination team and its composition in agreement with the Joint Oversight Network and in consultation with the Oversight Forum, as part of the process of establishment of the joint examination team, and as required over time, taking into account the tasks included in the individual annual oversight plans drafted for each critical ICT third-party service provider overseen by the joint examination team. To define the number and the composition of members in the joint examination team, the Lead Overseer shall consider at least the following: Article 3 1. {be responsible} When material changes regarding the critical ICT third-party service provider occur, the Lead Overseer may consider to update the composition of the joint examination team responsible to carry out the oversight activities concerning the assigned critical ICT third-party service provider. Article 2 2. The Lead Overseer may require the nominating authorities to modify their nominations only in justified circumstances and when the profiles of the nominated individuals do not match the profile of the resources needed. Article 2 7. {if} {be appropriate} Periodically, or in cases where the appointed Lead Overseer changes, or in cases where material changes as defined in Article 2(2) occur, the Lead Overseer, after consulting the members of the joint examination team, shall assess the achievements of the joint examination team. The results of this assessment shall be used by both the nominating authorities and Lead Overseer to decide whether it is appropriate to renew the membership of the joint examination team. Article 4 ¶ 1 The Lead Overseer shall appoint the nominated individuals as members of the joint examination team either on a full-time or on a part-time basis depending on their availability, the specific needs of the Lead Overseer, and the agreement between the nominating authority and the Lead Overseer. Article 2 5. {multiple} The authorities referred to in Article 40(2) of Regulation (EU) 2022/2554 shall nominate one or more individuals from their staff to be appointed as members of the joint examination team. An individual may be nominated and appointed as member of one or more joint examination teams. Article 2 4. The Lead Overseer shall identify the number of members of the joint examination team and its composition according to Article 3(1), and depending on the envisaged level of intensity of oversight activities to be performed in relation to all critical ICT third-party service providers. Article 2 3.] | Leadership and high level objectives | Process or Activity | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [{be capable} {ICT third-party service provider} {manage} {risk} The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in performing the The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: collecting and assessing the information submitted by the critical ICT third-party service provider according to Article 37 of Regulation (EU) 2022/2554 and Chapter II of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. c) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting general investigations on the critical ICT third-party service providers according to Article 38 of Regulation (EU) 2022/2554; Article 1 2. d) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: conducting inspections of the critical ICT third-party service providers according to Article 39 of Regulation (EU) 2022/2554; Article 1 2. e) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: drafting the recommendations The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assessing the remediation plan and the progress reports as defined in Article 4 of Commission Delegated Regulation xxx [RTS on harmonisation of the conditions of oversight conduct]; Article 1 2. g) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: preparing and drafting the requests and decisions to the critical ICT third-party service provider referred to in Article 35(6), Article 37(1), Article 38(4), and Article 39(6) of Regulation (EU) 2022/2554; Article 1 2. h) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: ensuring that the relevant information relating to financial entities making use of the services provided by the critical ICT third-party service providers are shared with the Lead Overseer; Article 1 2. j) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in the preparation and drafting of the individual annual oversight plan describing the annual oversight objectives and the main oversight activities planned for each critical ICT third-party service provider that are to be carried out by the Lead Overseer and the joint examination team; Article 1 2. a) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in its contribution to horizontal oversight activities, including in the development of benchmarking, as referred to in Article 32(3) of Regulation (EU) 2022/2554; Article 1 2. i) The tasks of the members of the joint examination team shall be performed under the coordination of the Lead Overseer coordinator and shall include any of the following: assisting the Lead Overseer in unplanned ad hoc activities deemed necessary by the Lead Overseer for the purpose of oversight. Article 1 2. k) The members of the joint examination team shall be involved either in the execution of specific tasks, or in the ongoing support of the activities carried out by the Lead Overseer, considering the tasks defined in Article 1(2) of this Regulation. Article 3 3. The joint examination team shall assist the Lead Overseer in conducting oversight activities, including the individual oversight plan adopted annually according to Article 33(4) of Regulation (EU) 2022/2554. Article 1 1. The members of the joint examination team shall carry out their tasks identified in the individual annual oversight plan with due] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [When carrying out oversight tasks, the members of the joint examination team shall follow oversight procedures drafted jointly by the European Supervisory Authorities in relation to the conduct of oversight activities and any relevant operational area, including but not limited to specifications relating to the use of IT tools and equipment, and time management. Article 5 2. The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The members of the joint examination team shall follow the information and data handling specifications and instructions as provided by the Lead Overseer coordinator and shall comply with the confidentiality regime of the European Supervisory Authorities. Article 5 3.] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate |