law_on_digital_operational_resilience_for_financia

https://www.cbcg.me/slike_i_fajlovi/eng/fajlovi/fajlovi_brzi_linkovi/propisi/laws/law_on_digital_operational_resilience_for_financial_sector_unoff_consol_14-26.pdf
Success
Service
Specialism
2026-03-02 08:50:27 · arahman@vixio.com
Meta Id
2918936
GUID
862c69926099f67388d3aba91889e9f1

Pipeline Progress

🔄 Pipeline Journey

⏱ 19s total
Queued 08:50:07
+0s
Metadata 08:50:07
+0s
S3 Content 08:50:07
+9s
Extracted 08:50:16
+6s
LLM Gen 08:50:22
+4s
Stored 08:50:26
TITLE: Montenegro Adopts Digital Operational Resilience Law for Financial Sector BODY: On 2 February 2026, the Parliament of Montenegro adopted the Law on Digital Operational Resilience for the Financial Sector, establishing comprehensive requirements for managing information and communication technology (ICT) risk across the financial sector. The law applies to a broad range of financial entities, including credit institutions, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, and alternative investment fund managers, among others. It establishes a framework requiring financial entities to implement sound ICT risk management systems proportionate to their size and risk profile. Key obligations include identifying and assessing ICT risks, protecting network and information systems, implementing business continuity plans, and managing third-party ICT service provider risks. The law designates three primary competent authorities: the Central Bank of Montenegro (for credit institutions and payment service providers), the Capital Market Authority (for investment firms and trading venues), and the Insurance Supervision Agency (for insurance undertakings). These authorities are empowered to supervise compliance and impose penalties ranging from EUR 5,000 to EUR 40,000 for violations. Significant provisions address digital operational resilience testing, including threat-led penetration testing (TLPT) for larger financial entities, and establish mandatory reporting requirements for major ICT-related incidents to competent authorities. Financial entities must also maintain registries of ICT service provider arrangements and implement exit strategies for critical functions. Competent authorities must adopt implementing regulations within 18 months of the law's entry into force. Financial entities have 24 months to achieve full compliance. Several provisions, including those relating to European Union cooperation mechanisms and cross-border incident reporting, apply only upon Montenegro's accession to the European Union. The law transposes Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. The law enters into force eight days following publication in the Official Gazette of Montenegro.
  • Scraped:2026-03-02 08:50:27
  • Created:2026-03-02 08:50:26
  • By:arahman@vixio.com (35)