The Standard Formula: A Guide to Solvency II – Chapter 10: Governance Models | Insights

See all chapters of A Guide to Solvency II.

Introduction

Solvency II is organised around three core pillars of prudential regulation, which ensure the safety and soundness of (re)insurers, in line with the scale, nature and complexity of their business:

Pillar I focuses on quantitative measures and regulatory capital requirements, detailed through the capital requirements, technical provisions, the MA and IMs, as detailed in Chapter 1: Own Funds, Chapter 5: Matching Adjustment, Chapter 7: Technical Provisions, Chapter 8: Capital Requirements and Chapter 9: Internal Models.
Pillar II addresses governance and risk management. It obligates (re)insurers to conduct a thorough ORSA and mandates the establishment of robust internal governance frameworks.⁵²⁷
Pillar III sets out transparency requirements for (re)insurers to regularly disclose pertinent financial information to regulators and the public.

This chapter focuses on Pillar II, which sets out a system of governance requirements for (re)insurers under the Solvency II framework. This governance framework must integrate sound management practices, effective risk management strategies and clearly defined lines of responsibility. The Solvency II Directive requires the governance system to not only be comprehensive but also dynamic, including regular evaluations to address any significant shifts in the (re)insurer’s risk profile or operating conditions.

The EIOPA has supplemented such requirements with detailed guidance, emphasising the necessity of a well-integrated system that aligns with the broader organisational structure.⁵²⁸ (Re)insurers are expected to ensure that governance practices are not only robust but also adaptive to changes, ensuring that they remain compliant with regulatory expectations.

Central to this governance system are the requirements for regular and systematic reviews. These reviews must be conducted at least annually or whenever there are material changes in the (re)insurer’s risk environment. The aim is to ensure that governance structures remain effective and relevant in the face of evolving risks and operational challenges.

In the context of UK (re)insurers, under the SMCR the PRA supplements the governance requirements under Solvency II.⁵²⁹ Although the SMCR operates independently from Solvency II, it is designed with Solvency II in mind.

Skadden | The Standard Formula Podcast - Click Here to Listen

1. Own Risk and Solvency Assessment

The ORSA is a fundamental aspect of the Solvency II framework, representing a (re)insurer’s own perspective on its risk profile, and the capital and other resources needed to address these risks.⁵³⁰ This assessment must cover each part of a (re)insurer’s business and operations. The EIOPA suggests that such processes should be tailored to and independently developed by a (re)insurer, tailored to its organisational structure, risk management framework and proportionate to its business.⁵³¹ According to Guideline 1, Paragraph 1.13 of the EIOPA Guidelines on own risk and solvency assessment (EIOPA-BoS-14/259 EN), each (re)insurer must develop its own processes tailored to its organisational structure and risk management system, reflecting the nature, scale and complexity of the risks inherent in its business.

The ORSA must be comprehensive, involving input from across the organisation and going beyond merely producing a report or completing a template. The assessment should:

Reflect all material risks, including those arising from assets, liabilities and intragroup and off-balance sheet arrangements.
Incorporate the firm’s management practices, systems and controls, including risk mitigation techniques.
Evaluate the quality of processes and inputs, particularly the adequacy of the governance system.
Connect business planning with solvency needs, factoring in the specific risk profile, approved risk tolerance and strategic business objectives of the firm.
Identify possible future scenarios.
Address external stress factors.
Use a consistent valuation basis throughout the solvency needs assessment.

The ORSA should be forward-looking and encompass medium and long-term perspectives to capture all material risks adequately. The PRA expects firms to consider risks over the “ultimate time horizon” — the period until all obligations to policyholders have run off — as part of their ORSA.⁵³²

The ORSA must also ensure continuous compliance with the firm’s capital requirements. This includes assessing deviations from the assumptions underlying the SCR. While firms have some flexibility in conducting this assessment, the PRA has specific expectations regarding compliance with regulatory capital and technical provisions, as well as the assessment of any significant changes in the risk profile. The calculation of technical provisions must be validated annually, particularly through comparison against experience.

The board of a (re)insurer holds ultimate responsibility for the firm’s compliance with applicable laws and regulations under Solvency II⁵³³ The board must interact effectively with any committees, senior management and key function holders, taking an active role in the ORSA process. This includes challenging the assumptions behind SCR calculations to ensure they align with the firm’s risk profile. The board should leverage insights from the ORSA when approving the firm’s short- and long-term capital plans, and the ORSA should be a standing agenda item in relevant board and committee meetings, with discussions recorded in the minutes.

In addition to maintaining a formal ORSA policy, (re)insurers must keep a record of each ORSA, prepare internal and supervisory reports and assess any deviations from the assumptions underlying SCR calculations. The results and conclusions of the ORSA should be communicated to all relevant staff after board approval.

Firms must also document specific processes involved in the ORSA, such as data collection, quality analysis and the selection of assumptions used in technical provisions calculations.

The PRA states that the ORSA should be a dynamic, iterative process, continuously refined as the business environment and risk landscape evolve.⁵³⁴ (Re)insurers are expected to establish a “feedback loop” where ORSA outcomes directly influence the firm’s risk management framework, strategic decisions and capital planning. This ensures that the ORSA is iteratively improved and remains an integral part of risk management and strategic planning, rather than a mere annual compliance task.

Moreover, the PRA mandates that the board of a (re)insurer must actively engage in the ORSA process.⁵³⁵ This involves setting the risk appetite, reviewing the ORSA’s outcomes and ensuring they are fully integrated within the broader risk management framework. The PRA emphasises that the ORSA should generate meaningful management information, supporting informed decision-making and fostering an organisation-wide culture of risk awareness and strategic alignment regarding the (re)insurer.

Climate Change

In April 2021, the EIOPA issued an opinion on climate risk scenarios.⁵³⁶ This opinion outlines the EIOPA’s expectations for how EU National Competent Authorities should oversee the integration of climate change risk scenarios by undertakings in their ORSA.

Key points from the opinion include that (a) firms should identify material climate change risks relevant to their business, or, if they conclude that climate change is not a material risk, they should provide a rationale for this conclusion; and (b) both physical and transition risks should be considered, mapping these to traditional prudential risk categories such as underwriting and market risk.

The EIOPA expects firms to assess both short-term and long-term climate change risks and to adjust their time horizons for stress testing and scenario analysis accordingly.

Note that this opinion was published after the Brexit transition period and is not directly applicable to UK firms, however, it covers similar topics to those addressed in PRA SS3/19.

2. Risk Management, Compliance and Audit Functions

Solvency II mandates various key governance functions that are critical to ensuring robust risk management within (re)insurers. These functions include risk management, compliance, internal audit and actuarial, each with specific delineated roles and responsibilities defined by the Solvency II Directive:

Risk Management: (Re)insurers must establish an effective risk management system. This system should include strategies, processes and reporting procedures designed to identify, measure, monitor, manage and report risks on a continuous basis. The scope of this function encompasses underwriting, asset-liability management, investment, liquidity, concentration risk, operational risk and reinsurance (or other risk mitigation techniques).⁵³⁷
Compliance Function: The compliance function is responsible for ensuring that the (re)insurer adheres to applicable laws, regulations and administrative provisions. It must also assess the potential impact of legal and regulatory changes on the (re)insurer’s operations, often referred to as “horizon scanning”.⁵³⁸ The function is also responsible for developing and updating internal compliance policies and ensuring that all staff receive adequate training on regulatory changes and compliance requirements.
Internal Audit Function: The internal audit function must be independent from operational activities within the (re)insurer. This function provides the board and senior management with assurance about the adequacy and effectiveness of the internal control system and other governance elements, and must report directly to the board without influence from operational management. The internal audit function must regularly evaluate the firm’s governance practices, identify weaknesses and recommend necessary improvements. Its independence ensures objective insights into the firm’s operations, free from undue influence.⁵³⁹
Actuarial Function: The actuarial function is tasked with the accurate calculation of technical provisions, ensuring the appropriateness of methodologies, models and assumptions. It also assesses the sufficiency and quality of data, compares best estimates against actual experience and reports to the board on the reliability of these calculations. The actuarial function is critical for maintaining sufficient reserves to meet obligations, thereby securing the (re)insurer’s solvency and protecting policyholders.⁵⁴⁰

Additional Key Functions

The PRA recognises that additional functions may be classified as key, depending on the specific nature of the (re)insurer’s business. These may include the investment function, claims management, information and communication technology (ICT) and (re)insurance. The classification of these functions as key depends on their criticality to the firm’s operations, the complexity and materiality of the risks they manage and the potential impact of their failure on the firm’s solvency and policyholders.

3. Senior Managers and Certification Regime

Overview

The PRA has introduced the principle of individual responsibility and accountability on the basis that regulation will be more effective if senior individuals at (re)insurers are personally responsible for certain areas.

PRA Fundamental Rules and FCA Principles for Business

A number of high-level principles are imposed on UK (re)insurers, which they are expected to meet at all times, and the breach of which could give rise to enforcement action against the firm by the regulators — the PRA’s high level principles are known as “Fundamental Rules”, while the FCA has “Principles for Businesses”. It is vital that the boards and senior management understand these rules and establish within their firms a culture that supports adherence to them.

The PRA Fundamental Rules are:

A firm must conduct its business with integrity (FR1).
A firm must conduct its business with due skill, care and diligence (FR2).
A firm must act in a prudent manner (FR3).
A firm must at all times maintain adequate financial resources (FR4).
A firm must have effective risk strategies and risk management systems (FR5).
A firm must organise and control its affairs responsibly and effectively (FR6).
A firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice (FR7).
A firm must prepare for resolution so, if the need arises, it can be resolved in an orderly manner with a minimum disruption of critical services (FR8).

The FCA’s Principles for Business are:

A firm must observe proper standards of market conduct (PRIN 5).
A firm must pay due regard to the interests of its customers and treat them fairly (PRIN 6).
A firm must pay due regard to the information needs of its clients, and communicate information to them in a way that is clear, fair and not misleading (PRIN 7).
A firm must manage conflicts of interest fairly, both between itself and its customers and between a customer and another client (PRIN 8).
A firm must take reasonable care to ensure the suitability of its advice and discretionary decisions for any customer who is entitled to rely upon its judgement (PRIN 9).
A firm must arrange adequate protection for clients’ assets when it is responsible for them (PRIN 10).
A firm must act to deliver good outcomes for retail customers (PRIN 12).

Note also that the FCA has rules under its Principles for Business overlapping with the PRA’s Fundamental Rules set out above — PRIN 1 to 4 and PRIN 11.

Senior Management Functions

Officers, directors and persons who exercise senior management functions (SMFs) or “controlled functions” under FSMA (for example, the director function, chief executive function, actuary function or systems and controls function) must be approved by the FCA or the PRA (or both) before performing such functions.⁵⁴¹

Once approved to perform such functions, the person in question becomes subject to the SMCR and accompanying conduct rules that impose several significant responsibilities on the individual, including a duty to comply with regulatory requirements, general principles and expectations on an ongoing basis.

In connection with the Risk Management, Compliance and Audit Functions required under Solvency II, the SMCR assigns the responsibility for key governance functions to senior management of (re)insurers, in alignment with Solvency II’s broader regulatory framework, reinforcing individual accountability at the highest levels.

These SMFs are the (a) chief compliance officer, (b) chief risk officer, (c) chief internal auditor and (d) chief actuary.

SMFs must be approved by the PRA before assuming their roles. The PRA expects firms only to put forward suitable individuals for SMF appointments, assessing their fitness and propriety, experience and qualifications. The PRA will not merely accept any appointments and will challenge appointments that it considers inappropriate or unsuitable, particularly for (re)insurers of certain sizes and systemic importance to the UK (or global) financial system.

The Conduct Rules

Several more detailed requirements are imposed on both firms and individuals in relation to particular areas, including governance.

Further, the conduct rules for senior managers include (in both the FCA Handbook and the PRA Rulebook):

You must act with integrity (Individual Conduct Rule 1).
You must act with due skill, care and diligence (Individual Conduct Rule 2).
You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively (Senior Manager Conduct Standard 1).
You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with relevant requirements and standards of the regulatory system (Senior Manager Conduct Standard 2).
You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively (Senior Manager Conduct Standard 3).
You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice (Senior Manager Conduct Standard 4).
When exercising your responsibilities, you must pay due regard to the interests of current and potential future policyholders in ensuring the provision by the firm of an appropriate degree of protection for their insured benefits (Senior Manager Conduct Standard 5).

Management Responsibilities Map

Further, (re)insurers are required to put in place a management responsibilities map.⁵⁴² The responsibilities map must provide a comprehensive overview of the firm’s management and governance arrangements, detailing how responsibilities are allocated among senior managers, and indicating whether these responsibilities are shared or divided.

The map must clearly delineate the roles and responsibilities of each SMF holder. It should specify the individual accountabilities for key areas of the business, ensuring that there is no ambiguity about who is responsible for what.

The map must outline the firm’s overall governance structure, including the reporting lines and the interaction between different governance functions. This should encompass the roles of the board, senior management and key functions such as risk management, compliance, internal audit and actuarial. The map should also detail any committees established by the board, including their membership and how they relate to the broader governance framework.

The responsibilities map must be documented comprehensively and kept up to date. It should be readily accessible to the PRA upon request, demonstrating the firm’s commitment to transparency and regulatory compliance. Regular updates are necessary to reflect any changes in the governance structure, such as new appointments, reassignments or changes in responsibilities. The map must also integrate with the firm’s risk management framework, ensuring that all key risks are appropriately managed by designated individuals or functions.

Ultimately, the board holds responsibility for ensuring that the management responsibilities map is accurate and effective. The board must review the map regularly, particularly when there are significant changes to the firm’s structure or operations. The map should be used as a tool to facilitate board oversight, enabling the board to ensure that all responsibilities are appropriately allocated and that senior managers are held accountable for their areas of responsibility.

4. Outsourcing

Outsourcing is a critical consideration for global financial groups and regulators, including (re)insurers operating across multiple jurisdictions with dependencies outside their home state. Outsourcing encompasses any function that a (re)insurer could perform internally, such as claims administration, claims management and investment management.

Solvency II mandates that outsourcing must not compromise the quality of a (re)insurer’s governance system.⁵⁴³ (Re)insurers are required to maintain ultimate responsibility for outsourced functions and ensure effective oversight. This involves rigorous due diligence, clear contractual arrangements with robust enforcement and monitoring mechanisms and continuous monitoring of outsourced activities.

European Banking Authority Outsourcing Guidelines

In addition to the rules under Solvency II, (re)insurers are also subject to certain guidelines from the European Banking Authority (EBA) on outsourcing (Outsourcing Guidelines).⁵⁴⁴ Note that these apply broadly across the financial services sector (and not just to (re)insurers), including to banks, investment firms, payment institutions and electronic money institutions. The Outsourcing Guidelines set out detailed expectations for how financial institutions should manage outsourcing arrangements, particularly for critical or important functions. The principles established by the EBA are designed to ensure that outsourcing does not compromise the firm’s operational resilience, governance or regulatory compliance, making them highly relevant for (re)insurers operating under Solvency II.

The requirements are:

Critical and Important Functions: The Outsourcing Guidelines place significant emphasis on the identification and management of critical or important functions. (Re)insurers must ensure that any outsourced activities deemed critical or important do not adversely affect their overall risk management capabilities or their ability to comply with regulatory obligations. This includes comprehensive risk assessments prior to outsourcing, ensuring that the service provider has the necessary ability and capacity to deliver the services effectively without compromising the (re)insurer’s governance or operational resilience.
Risk Management and Operational Resilience: The Outsourcing Guidelines stress that outsourcing arrangements should not diminish a firm’s control over critical operations. (Re)insurers must establish robust mechanisms to manage outsourcing risks and maintain operational resilience. This includes the implementation of contingency plans and exit strategies to mitigate the risk of service disruptions. Continuous oversight is essential, with (re)insurers required regularly to review and test their resilience against various risk scenarios, particularly those related to critical outsourced functions.
Sub-Outsourcing and Oversight: The Outsourcing Guidelines introduce specific considerations for sub-outsourcing, where a service provider may further outsource a portion of the services it is contracted to deliver. (Re)insurers must ensure that they retain adequate oversight and control over the entire outsourcing chain, including sub-outsourcing arrangements. This involves ensuring that the original service provider remains accountable and that all sub-outsourcing agreements meet the same rigorous standards of governance, risk management and operational resilience as the primary outsourcing agreement.
Data Security and Confidentiality: Another key aspect of the Outsourcing Guidelines is the protection of data. (Re)insurers must ensure that outsourced services, particularly those involving the processing of sensitive or personal data, adhere to stringent data security and confidentiality standards. This includes ensuring compliance with relevant data protection regulations, such as the GDPR, and establishing clear protocols for data access, storage and transfer within the outsourcing arrangements.
Governance and Board Accountability: The Outsourcing Guidelines reinforce the need for governance structures that ensure senior management and the board retain full accountability for outsourced activities. This aligns closely with Solvency II’s requirements, where the board must oversee outsourcing arrangements, ensuring they do not dilute the firm’s governance framework. Boards are required to approve outsourcing policies, oversee the selection of service providers and ensure that any outsourcing arrangement does not impede the firm’s ability to meet its regulatory obligations.⁵⁴⁵
Documentation and Reporting: Comprehensive documentation is crucial under the Outsourcing Guidelines. (Re)insurers must maintain detailed records of all outsourcing arrangements, including the rationale for outsourcing, due diligence processes, risk assessments and ongoing monitoring activities. These records must be readily available for regulatory review, demonstrating that the (re)insurer maintains effective oversight of all outsourced functions. Regular reporting to the board on the performance and risks associated with outsourcing arrangements is also essential, ensuring that the board remains informed and engaged in overseeing these critical aspects of the firm’s operations.

In the UK, these requirements remain applicable post-Brexit, by way of PRA SS2/21.⁵⁴⁶ Importantly, the PRA and the FCA take the view that an intragroup outsourcing is still considered outsourcing (notably, even within the same entity, e.g., a (re)insurance branch and its head office), and requires such outsourcing to be subject to the same requirements as outsourcing to third-party providers. The regulators caution against assuming that intragroup arrangements carry less risk. Therefore, (re)insurers must approach intragroup outsourcing with the same level of scrutiny and control as external outsourcing. The PRA acknowledges that compliance can be proportional, depending on the level of control and influence the (re)insurer has over the entity providing the outsourced service.

Connection With the Senior Managers and Certification Regime

Importantly, boards and senior management, especially those in SMFs, cannot delegate their accountability. They remain responsible for the monitoring and supervision of outsourced functions, ensuring that the (re)insurer’s governance framework remains robust.

5. Board and Governance Structures

Responsibility for the aforementioned requirements is with the board of a Solvency II (re)insurer, which is ultimately responsible for ensuring that the firm adheres to all regulatory requirements, including the establishment and maintenance of robust governance structures. The board must set the tone at the top, ensuring a culture of risk awareness and regulatory compliance permeates throughout the organisation.⁵⁴⁷

The board must oversee key governance functions set out above (including risk management, compliance, internal audit and actuarial functions), ensuring that these areas operate independently and effectively.

The board must ensure that the governance framework remains effective and is regularly reviewed to adapt to changes in the business environment or regulatory landscape, including setting up appropriate committees, such as audit, risk and compliance committees, to focus on specific areas of governance and provide detailed oversight.

The board is also responsible for ensuring that the firm’s governance framework includes measures to ensure operational resilience, particularly in the face of external shocks or disruptions. This involves overseeing the implementation of business continuity plans and ensuring that critical functions can continue to operate effectively under stress conditions.

6. Operational Resilience

Overview

Lastly, operational resilience is a critical component of a (re)insurer’s governance framework under Solvency II and the PRA’s supervisory expectations. It is also an area of increasing regulatory scrutiny across all financial services sectors. It encompasses a range of strategies and measures designed to ensure that a firm can continue to operate and serve its policyholders, even in the face of significant disruptions.⁵⁴⁸

A foundational element of operational resilience is the identification of critical business services that, if disrupted, could have severe consequences for policyholders and the broader market. This step requires a thorough analysis of the services most essential to the firm’s operations and their potential impact if disrupted.

(Re)insurers must develop tailored mitigation and recovery plans that address specific operational risks. These plans should be robust and adaptable, designed to manage and recover from disruptions swiftly, and should include establishing comprehensive business continuity plans, incident response strategies and frameworks to manage risks associated with outsourcing critical functions.

To assess a firm’s ability to withstand various risks, (re)insurers must conduct scenario analysis and stress testing. These exercises help identify vulnerabilities and gauge the firm’s preparedness to respond to and recover from different types of disruptions, ensuring resilience in adverse conditions.

Governance is central to ensuring that operational resilience measures are effective and regularly reviewed. Senior management and the board must be actively involved in overseeing the firm’s resilience strategies, ensuring they are continuously updated to reflect changes in the risk environment and operational landscape. This active oversight aligns with the broader governance requirements under Solvency II and is crucial for maintaining the firm’s stability and compliance.

Digital Operational Resilience Act

The EU’s Digital Operational Resilience Act (DORA),⁵⁴⁹ coming into effect on 17 January 2025, introduces additional requirements that (re)insurers in the EU must adhere to, some of which extend beyond the existing Solvency II framework and under the Outsourcing Guidelines. While some of the requirements overlap, DORA goes beyond in many measures, bringing into scope all ICT risks so as to ensure digital resilience and ensuring continuity of operations in a rapidly evolving digital environment.

In-scope (re)insurers are required to:

Establish and maintain a comprehensive ICT risk management framework that addresses the specific risks associated with digital operations.⁵⁵⁰
Implement continuous monitoring and control of ICT systems to ensure their resilience against potential threats.⁵⁵¹
Conduct advanced digital operational resilience testing, including threat-led penetration testing, to identify and address vulnerabilities.⁵⁵²
Develop a robust third-party risk management function to oversee and mitigate risks associated with outsourcing digital services.⁵⁵³
Establish an incident classification and reporting framework to ensure timely and accurate reporting of ICT-related incidents to regulatory authorities.⁵⁵⁴
Develop and maintain business continuity and ICT service continuity plans, including secure and segregated backup systems to ensure operations can continue during disruptions.⁵⁴⁰
Define clear governance structures that hold top management accountable for ICT risk management, ensuring that resilience is embedded at the highest levels of the organisation.⁵⁵⁶

_______________

527 Articles 40 to 49 Solvency II Directive (transposed in (i) the Conditions Governing Business Part of the PRA Rulebook; (ii) the Insurance Part of the PRA Rulebook; and (iii) the FCA Fit and Proper Test for Approved Persons (FIT) 1.2.4BG).

528 The EIOPA Final Report on Public Consultation No. 14/017 on Guidelines on system of governance (EIOPA-BOS-14/253).

529 Senior Management Functions Part of the PRA Rulebook.

530 Article 45 of the Solvency II Directive (transposed in PRA Conditions Governing Business Part 3.8 to 3.11).

531 The EIOPA, Final Report on Consultation Paper No. 14/017 on Guidelines on System of Governance (EIOPA-BOS-14/253).

532 Paragraph 3.6 of the PRA SS26/15.

533 Article 41 of the Solvency II Directive (transposed in (i) Sections 137G and 165, FSMA; and (ii) Paragraphs 2.2 to 2.4 and 2.6, Conditions Governing Business Part of the PRA Rulebook).

534 Paragraph 2.4 of the PRA SS5/18.

535 Paragraph 3.1, ibid.

536 The EIOPA, Opinion on the Supervision of the Use of Climate Change Risk Scenarios in ORSA (EIOPA-BoS-21-127, 2021); PRA SS3/19.

537 Article 44 of the Solvency II Directive (transposed in Paragraphs 3.1 to 3.7, Conditions Governing Business Part of the PRA Rulebook).

538 Article 46, ibid (transposed in Paragraphs 4.1 and 4.2, Conditions Governing Business Part of the PRA Rulebook).

539 Article 47, ibid (transposed in Paragraph 5.1, Conditions Governing Business Part of the PRA Rulebook).

540 Article 48, ibid (transposed in Paragraph 5.1, Conditions Governing Business Part of the PRA Rulebook).

541 Senior Managers and Certification Regime: Management Responsibilities Map Part of the PRA Rulebook.

542 Ibid.

543 Article 49(2) Solvency II Directive (transposed in Paragraph 7.2, PRA Conditions Governing Business Part of the PRA Rulebook).

544 EBA Guidelines on Outsourcing (EBA/GL/2019/02, 2019).

545 Article 49 of the Solvency II Directive (transposed in Paragraphs 7.1 to 7.3, Conditions Governing Business Part of the PRA Rulebook).

546 PRA SS2/21.

547 PRA SS5/18.

548 PRA SS1/21.

549 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on Digital Operational Resilience for the Financial Sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014.

550 Article 10, ibid.

551 Article 11, ibid.

552 Article 23, ibid.

553 Article 25, ibid.

554 Article 17, ibid.

555 Article 13, ibid.

556 Article 5, ibid.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.