Article 95 Management of operational and security risks
1. Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
The first subparagraph is without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 to:
(a) payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;
(b) account information service providers referred to in Article 33(1) of this Directive;
(c) payment institutions exempted pursuant to Article 32(1) of this Directive; and
(d) electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC.