Common use of Compliance with Information Security requirements Clause in Contracts

Compliance with Information Security requirements. 1. The Eurosystem shall in accordance with and as described in Schedule 10 (Information Security): (a) implement the Information Security framework for T2S; (b) implement a process to manage Information Security in T2S by: (i) regularly re- viewing the implementation, and (ii) regularly updating the T2S Security Require- ments to keep them in line with technical developments; (c) maintain the T2S Threat Catalogue; (d) perform all activities related to Information Security in accordance with the provi- sions set out in Schedule 10 (Information Security); (e) report the results of Information Security reviews to the Contracting CSD; (f) report Information Security incidents to the Contracting CSD in accordance with the provisions set out in Schedule 10 (Information Security); (g) provide all other relevant information to the Contracting CSD to allow it to fulfil its own risk management obligations. 2. In view of ensuring Information Security for T2S, the Contracting CSD shall: (a) ensure its own compliance with Information Security requirements according to its internal standards, Legal and Regulatory Requirements and/or best practices; (b) report Information Security incidents to the Eurosystem, if T2S or other T2S Actors might be impacted by such incidents; (c) report to the Eurosystem newly identified threats or detected gaps that might threat- en T2S Information Security. 3. The parties shall cooperate according to the following provisions: (a) The Eurosystem shall at least on a yearly basis deliver for review to the Contracting CSD the T2S Information Security Risk Evaluation Table and the T2S Information Security Risk Treatment Plan, as further specified in section 4.2 of Schedule 10 (In- formation Security); (b) The Eurosystem shall maintain a consolidated action plan for all risks appearing in a T2S Information Security Risk Treatment plan, which require follow-up, and shall deliver for review to the Contracting CSD an updated version of the action plan at least on an annual basis, as further specified in section 4.2.2 of Schedule 10 (Infor- mation Security); (c) The Eurosystem shall set up a multilateral coordination substructure, in accordance with the Governance, for the coordination and monitoring of the T2S Information Security Risk Management activities, as further specified in section 4.3 of Schedule 10 (Information Security); (d) If a disagreement arises in the substructure, each Party shall be entitled to escalate the issue to the Steering Level and shall have, if the disagreement persists, the ulti- mate possibility to initiate the dispute resolution procedure specified in Article 42, as further specified in section 4.3 of Schedule 10 (Information Security); (e) If a new Information Security risk is identified, or if an existing Information Securi- ty risk obtains a higher likelihood or impact score, the Eurosystem shall communi- cate such changes to the Contracting CSD in accordance with the incident response times specified in Schedule 6 (Service Level Agreement), as further specified in sec- tion 4.3 of Schedule 10 (Information Security); 4. Any matters related to operational risk, which are not covered by this Article or in Schedule 10 (Information Security), will be managed directly by the Steering Level. 5. The Eurosystem will implement an appropriate risk management framework and inform the CSDs monthly about the risk situation.

Compliance with Information Security requirements. 1. The Eurosystem shall in accordance with and as described in Schedule 10 (Information Security):10: (a) implement the Information Security framework for T2SforT2S; (b) implement a process to manage Information Security in T2S by: (i) regularly re- viewing reviewing the implementation, implementation and (ii) regularly updating aligning the T2S Security Require- ments to keep them in line Requirements with technical tech- nical developments; (c) maintain the T2S Threat Catalogue; (d) perform all activities related to Information Security in accordance with the provi- sions set out in Schedule 10 (Information Security)Schedule10; (e) report the results of Information Security reviews and provide additional information on request to the Contracting CSD[NCB]; (f) report Information Security incidents to the Contracting CSD [NCB] in accordance with the provisions set out in Schedule 10 (Information Security)10; (g) provide all other relevant information to the Contracting CSD [NCB] to allow it the latter to fulfil its own risk management obligationsobligations and in particular inform the [NCB] if the Eurosystem decides to change its Information Securitypolicy. 2. In view of ensuring Information Security for T2S, the Contracting CSD shall[NCB]shall: (a) ensure its own compliance with Information Security requirements according in relation to T2S ac- cording to its internal standards, Legal and Regulatory Requirements and/or best practicesprac- tices; (b) report Information Security incidents to the Eurosystem, if T2S or other T2S Actors might be impacted by such incidents;; and (c) report to the Eurosystem newly identified threats or detected gaps that might threat- en threaten T2S Information Security. 3. The parties Parties shall cooperate according to the following provisionsas follows: (a) The Eurosystem shall at least on a yearly basis deliver for review to the Contracting CSD [NCB] the T2S Information Security Risk Evaluation Table and the T2S Information Security Risk Treatment Planplan, as further specified in section Section 4.2 of Schedule 10 (In- formation Security);10. (b) The Eurosystem shall maintain a consolidated action plan for all risks appearing in a T2S Information Security Risk Treatment plan, plan which require follow-up, and shall deliver for review to the Contracting CSD [NCB] an updated version of the action plan at least on an annual basis, as further specified in section Section 4.2.2 of Schedule 10 (Infor- mation Security);10. (c) The Eurosystem shall set up a multilateral coordination substructure, in accordance with the Governance, for the coordination to coordinate and monitoring of monitor the T2S Information Security Risk Management Manage- ment activities, as further specified in section Section 4.3 of Schedule 10 (Information Security);Schedule10. (d) If a disagreement arises in the substructure, each Party shall be entitled to may escalate the issue to the Steering Steer- ing Level and shall haveand, if the disagreement persists, the ulti- mate possibility to may initiate the dispute resolution procedure specified in Article 42Dispute Resolution and Esca- lation Procedure, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (e) If a new Information Security risk is identified, or if an existing Information Securi- ty Security risk obtains a higher likelihood or impact score, the Eurosystem shall communi- cate communicate such changes to the Contracting CSD [NCB] in accordance with the incident response times specified in Schedule 6 (Service Level Agreement)Sched- ule 6, as further specified in sec- tion Section 4.3 of Schedule 10 (Information Security);10. 4. Any matters related to operational risk, which are not covered by this Article or in Schedule 10 (Information Security)10, will shall be managed directly by the Steering Level. 5. The Eurosystem will implement an appropriate risk management framework and inform the CSDs [NCB] monthly about the risk situationrisksituation.

Compliance with Information Security requirements. 1. The Eurosystem shall in accordance with and as described in Schedule 10 (Information Security):10: (a) implement the Information Security framework for T2S; (b) implement a process to manage Information Security in T2S by: (i) regularly re- viewing reviewing the implementation, implementation and (ii) regularly updating aligning the T2S Security Require- ments to keep them in line Requirements with technical tech- nical developments; (c) maintain the T2S Threat Catalogue; (d) perform all activities related to Information Security in accordance with the provi- sions set out in Schedule 10 (Information Security)10; (e) report the results of Information Security reviews and provide additional information on request to the Contracting CSD[NCB]; (f) report Information Security incidents to the Contracting CSD [NCB] in accordance with the provisions set out in Schedule 10 (Information Security)10; (g) provide all other relevant information to the Contracting CSD [NCB] to allow it the latter to fulfil its own risk management obligationsobligations and in particular inform the [NCB] if the Eurosystem decides to change its Information Security policy. 2. In view of ensuring Information Security for T2S, the Contracting CSD [NCB] shall: (a) ensure its own compliance with Information Security requirements according in relation to T2S ac- cording to its internal standards, Legal and Regulatory Requirements and/or best practicesprac- tices; (b) report Information Security incidents to the Eurosystem, if T2S or other T2S Actors might be impacted by such incidents;; and (c) report to the Eurosystem newly identified threats or detected gaps that might threat- en threaten T2S Information Security. 3. The parties Parties shall cooperate according to the following provisionsas follows: (a) The Eurosystem shall at least on a yearly basis deliver for review to the Contracting CSD [NCB] the T2S Information Security Risk Evaluation Table and the T2S Information Security Risk Treatment Planplan, as further specified in section Section 4.2 of Schedule 10 (In- formation Security);10. (b) The Eurosystem shall maintain a consolidated action plan for all risks appearing in a T2S Information Security Risk Treatment plan, plan which require follow-up, and shall deliver for review to the Contracting CSD [NCB] an updated version of the action plan at least on an annual basis, as further specified in section Section 4.2.2 of Schedule 10 (Infor- mation Security);10. (c) The Eurosystem shall set up a multilateral coordination substructure, in accordance with the Governance, for the coordination to coordinate and monitoring of monitor the T2S Information Security Risk Management Manage- ment activities, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (d) If a disagreement arises in the substructure, each Party shall be entitled to may escalate the issue to the Steering Steer- ing Level and shall haveand, if the disagreement persists, the ulti- mate possibility to may initiate the dispute resolution procedure specified in Article 42Dispute Resolution and Esca- lation Procedure, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (e) If a new Information Security risk is identified, or if an existing Information Securi- ty Security risk obtains a higher likelihood or impact score, the Eurosystem shall communi- cate communicate such changes to the Contracting CSD [NCB] in accordance with the incident response times specified in Schedule 6 (Service Level Agreement)Sched- ule 6, as further specified in sec- tion Section 4.3 of Schedule 10 (Information Security);10. 4. Any matters related to operational risk, which are not covered by this Article or in Schedule 10 (Information Security)10, will shall be managed directly by the Steering Level. 5. The Eurosystem will implement an appropriate risk management framework and inform the CSDs [NCB] monthly about the risk situation.

Compliance with Information Security requirements. ‌ 1. The Eurosystem shall in accordance with and as described in Schedule 10 (Information Security):10: (a) implement the Information Security framework for T2S; (b) implement a process to manage Information Security in T2S by: (i) regularly re- viewing reviewing the implementation, implementation and (ii) regularly updating aligning the T2S Security Require- ments to keep them in line Requirements with technical tech- nical developments; (c) maintain the T2S Threat Catalogue; (d) perform all activities related to Information Security in accordance with the provi- sions set out in Schedule 10 (Information Security)10; (e) report the results of Information Security reviews and provide additional information on request to the Contracting CSD[NCB]; (f) report Information Security incidents to the Contracting CSD [NCB] in accordance with the provisions set out in Schedule 10 (Information Security)10; (g) provide all other relevant information to the Contracting CSD [NCB] to allow it the latter to fulfil its own risk management obligationsobligations and in particular inform the [NCB] if the Eurosystem decides to change its Information Security policy. 2. In view of ensuring Information Security for T2S, the Contracting CSD [NCB] shall: (a) ensure its own compliance with Information Security requirements according in relation to T2S ac- cording to its internal standards, Legal and Regulatory Requirements and/or best practicesprac- tices; (b) report Information Security incidents to the Eurosystem, if T2S or other T2S Actors might be impacted by such incidents;; and (c) report to the Eurosystem newly identified threats or detected gaps that might threat- en threaten T2S Information Security. 3. The parties Parties shall cooperate according to the following provisionsas follows: (a) The Eurosystem shall at least on a yearly basis deliver for review to the Contracting CSD [NCB] the T2S Information Security Risk Evaluation Table and the T2S Information Security Risk Treatment Planplan, as further specified in section Section 4.2 of Schedule 10 (In- formation Security);10. (b) The Eurosystem shall maintain a consolidated action plan for all risks appearing in a T2S Information Security Risk Treatment plan, plan which require follow-up, and shall deliver for review to the Contracting CSD [NCB] an updated version of the action plan at least on an annual basis, as further specified in section Section 4.2.2 of Schedule 10 (Infor- mation Security);10. (c) The Eurosystem shall set up a multilateral coordination substructure, in accordance with the Governance, for the coordination to coordinate and monitoring of monitor the T2S Information Security Risk Management Manage- ment activities, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (d) If a disagreement arises in the substructure, each Party shall be entitled to may escalate the issue to the Steering Steer- ing Level and shall haveand, if the disagreement persists, the ulti- mate possibility to may initiate the dispute resolution procedure specified in Article 42Dispute Resolution and Esca- lation Procedure, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (e) If a new Information Security risk is identified, or if an existing Information Securi- ty Security risk obtains a higher likelihood or impact score, the Eurosystem shall communi- cate communicate such changes to the Contracting CSD [NCB] in accordance with the incident response times specified in Schedule 6 (Service Level Agreement)Sched- ule 6, as further specified in sec- tion Section 4.3 of Schedule 10 (Information Security);10. 4. Any matters related to operational risk, which are not covered by this Article or in Schedule 10 (Information Security)10, will shall be managed directly by the Steering Level. 5. The Eurosystem will implement an appropriate risk management framework and inform the CSDs [NCB] monthly about the risk situation.

Compliance with Information Security requirements. 1. The Eurosystem shall in accordance with and as described in Schedule 10 (Information Security):10: (a) implement the Information Security framework for T2S; (b) implement a process to manage Information Security in T2S by: (i) regularly re- viewing reviewing the implementation, implementation and (ii) regularly updating aligning the T2S Security Require- ments to keep them in line Requirements with technical tech- nical developments; (c) maintain the T2S Threat Catalogue; (d) perform all activities related to Information Security in accordance with the provi- sions set out in Schedule 10 (Information Security)Schedule10; (e) report the results of Information Security reviews and provide additional information on request to the Contracting CSD[NCB]; (f) report Information Security incidents to the Contracting CSD [NCB] in accordance with the provisions set out in Schedule 10 (Information Security)10; (g) provide all other relevant information to the Contracting CSD [NCB] to allow it the latter to fulfil its own risk management obligationsobligations and in particular inform the [NCB] if the Eurosystem decides to change its Information Security policy. 2. In view of ensuring Information Security for T2S, the Contracting CSD [NCB] shall: (a) ensure its own compliance with Information Security requirements according in relation to T2S ac- cording to its internal standards, Legal and Regulatory Requirements and/or best practicesprac- tices; (b) report Information Security incidents to the Eurosystem, if T2S or other T2S Actors might be impacted by such incidents;; and (c) report to the Eurosystem newly identified threats or detected gaps that might threat- en threaten T2S Information Security. 3. The parties Parties shall cooperate according to the following provisionsas follows: (a) The Eurosystem shall at least on a yearly basis deliver for review to the Contracting CSD [NCB] the T2S Information Security Risk Evaluation Table and the T2S Information Security Risk Treatment Planplan, as further specified in section Section 4.2 of Schedule 10 (In- formation Security);10. (b) The Eurosystem shall maintain a consolidated action plan for all risks appearing in a T2S Information Security Risk Treatment plan, plan which require follow-up, and shall deliver for review to the Contracting CSD [NCB] an updated version of the action plan at least on an annual basis, as further specified in section Section 4.2.2 of Schedule 10 (Infor- mation Security);10. (c) The Eurosystem shall set up a multilateral coordination substructure, in accordance with the Governance, for the coordination to coordinate and monitoring of monitor the T2S Information Security Risk Management Manage- ment activities, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (d) If a disagreement arises in the substructure, each Party shall be entitled to may escalate the issue to the Steering Steer- ing Level and shall haveand, if the disagreement persists, the ulti- mate possibility to may initiate the dispute resolution procedure specified in Article 42Dispute Resolution and Esca- lation Procedure, as further specified in section Section 4.3 of Schedule 10 (Information Security);10. (e) If a new Information Security risk is identified, or if an existing Information Securi- ty Security risk obtains a higher likelihood or impact score, the Eurosystem shall communi- cate communicate such changes to the Contracting CSD [NCB] in accordance with the incident response times specified in Schedule 6 (Service Level Agreement)Sched- ule 6, as further specified in sec- tion Section 4.3 of Schedule 10 (Information Security);10. 4. Any matters related to operational risk, which are not covered by this Article or in Schedule 10 (Information Security)10, will shall be managed directly by the Steering Level. 5. The Eurosystem will implement an appropriate risk management framework and inform the CSDs [NCB] monthly about the risk situation.