Regulation (EU) No 600/2014 is amended as follows:

(1) Article 27g is amended as follows:

(a) paragraph 4 is replaced by the following:

'4. An APA shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council [(4)](#ntr4-L_2022333EN.01000101-E0043).

[(4)](#ntc4-L_2022333EN.01000101-E0043) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 ([OJ L 333, 27.12.2022, p. 1](http://publications.europa.eu/resource/oj/JOL_2022_333_R_TOC)).';"

(b) in paragraph 8, point (c) is replaced by the following:

'(c) the concrete organisational requirements laid down in paragraphs 3 and 5.';

(2) Article 27h is amended as follows:

(a) paragraph 5 is replaced by the following:

'5. A CTP shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.'.

(b) in paragraph 8, point (e) is replaced by the following:

'(e) the concrete organisational requirements laid down in paragraph 4.';

(3) Article 27i is amended as follows:

(a) paragraph 3 is replaced by the following:

'3. An ARM shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.';

(b) in paragraph 5, point (b) is replaced by the following:

'(b) the concrete organisational requirements laid down in paragraphs 2 and 4.'.