Germany: New Cyber-resilience Oversight Expectations May Carry Compliance Challenges

Last Updated: 14 December 2018
Article by Michael Huertas and Katja Michel

Getting cyber-resilience right matters. In July 2018, we published our analysis1 on the European Central Bank's (ECB) first foray into setting its expectations on cyber-resilience. In September, it finalized the TIBER-EU Framework on ethical red teaming by setting out standards that firms ought to meet in selecting eligible providers of recognized TIBER tests.2 All of this marked a "crossing of the Rubicon" for the ECB, acting in its central banking and financial stability role as opposed to its financial regulatory and supervisory role at the head of the Banking Union's Single Supervisory Mechanism (SSM) – which itself continues to put cyber-resilience as a key supervisory priority for 2019 and beyond. The ECB continued work on cyber-resilience on December 3, 2018 by publishing its Cyber-Resilience Oversight Expectations (the CROE) for financial market infrastructures (FMI).3

CROE in 2018 replaces the 2016 version, and it does so with quite some effect. It sets very comprehensive and prescriptive expectations that, in its 62 pages, translate into in-scope entities needing to consider on-going risk assessments, introducing more detailed compliance and governance processes than perhaps may have been commonplace as well as putting cyber-resilience at the heart of various operations including when recruiting staff. It also comes at a time when international banking sector standard setters, including the Bank for International Settlements' BCBS have published their own updates on cyber-resilience, including the December 2018 "Report on Cyber-resilience: Range of practices" evaluating the state of play in various key jurisdictions.4The ECB regularly points to and applies practices from international standard setters, including the BCBS, even where these are not measures with legal effect. The measures should also be read in conjunction with national measures that may have legal effect, such as in Germany for example, the extensions of the Federal Financial Supervision Authority (BaFin's) own cyber-resilience regime (BAIT), which was amended in September 2018 to cover critical infrastructure.

This Client Alert assesses CROE's requirements and the ECB's expectations of FMIs as well as Banking Union Supervised Institutions (BUSIs) that face FMIs who may need to document cyber-resilience compliance in considerably more depth or to whom the ECB, in its SSM role, may address similar expectatoins. The CROE will be of relevance and of interest to both existing FMIs and those new FMIs looking to enter the Eurozone as well as the range of BUSIs and other non-SSM supervised EU and non-EU credit institutions, other regulated market participants and non-financial corporates. The CROE also sets out what the ECB looks for in the job role and performance of a Senior Executive or the Chief Information Security Officer (CISO)—which may be of wider-reaching interest.

The aims of CROE and its key contents

The ECB intends that CROE will be applied by the Eurosystem (i.e. Eurozone central banks) to the oversight of all payment systems (designated in turn as any systemically important payment systems (SIPS), prominently important retail payment systems (PIRPS) and other retail payment systems (ORPS)) and the TARGET2-Securities system (T2S). CROE in 2018 is also clear that national central banks, operating under national law competencies, often in conjunction with other national competent authorities may opt-in to use the CROE for any "other" FMIs—primarily this is aimed at clearing and settlement systems (including central securities depositors (CSDs) and central counterparties (CCPs). We anticipate that CROE will become, as has been the case in other ECB rulemaking exercised by way of non-binding guidance, more widely adopted by core Eurozone member states, in particular those with significant FMIs operating within their jurisdiction.

The CROE, whilst building on international guidelines, such as those established by the Committee on Payments and Market Infrastructures (CPMI) or the International Organization of Securities Commissions (IOSCO) and in particular their joint 2016 published "Guidance on cyber-resilience for financial market infrastructures" (the Guidance), goes beyond those principles while at the same time setting concrete steps on how to operationalize the Guidance. The 2018 version of CROE however, like its predecessor, aims to provide:

  1. In-scope FMIs with detailed steps5on how to operationalize the Guidance and improve sustained cyber-resilience over a period of time
  2. Overseers with clear expectations on how to assess and monitor FMI's compliance with the Guidelines
  3. The basis for common understanding and discussion amongst in-scope FMIs and relevant overseer,

but also seeks to incorporate and hold addressees to account to other standards it considers best practice that relevant firms use to meet their "capabilities" i.e., the "people, processes and technologies the FMI uses to identify, mitigate and manage its cyber risks and to support its objectives."

CROE also communicates detail on what is expected to be included in the role of a "Senior Executive" tasked with the responsibility of "owning" cyber-resilience as well as the role of a CISO (the two roles may be combined). This is welcome and also is in keeping with the BCBS' December 2018 report on practices and a general reshaping of the role of a CISO within firms and contribution to risk controls. Those officers, coupled with the relevant policies that aim to operationalize the requirements and expectations set in the frameworks adopted by the ECB's international peers, conceptually aim to foster a cyber-risk awareness culture, an area that the BCBS considers crucial for relevant firms to embed throughout their operations.

The Annex to CROE sets out a welcomingly practical and detailed Glossary of terms. These may be useful for FMIs but also other market participants wanting to tackle cyber-resilience. This is the case even if this ECB Glossary does expand existing defined terms or even when and where it diverges from terms agreed at the international level such as by the BCBS or FSB.6 As an example, CROE widens existing EU legal definitions and recasts "Cyber incident" as:

"A cyber event that:

  1. jeopardizes the cybersecurity of an information system or the information the system processes, stores or transmits; or
  2. violates the security polices, security procedures or acceptable use policies,

whether resulting from malicious activity or not."

A "cyber event" is defined in CROE and very much building on EU definitions as: "Any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring."

The BCBS report, unlike CROE, sets out a taxonomy of cyber risk controls contained in its own Annex A. This sets a control objective, a control description, example control and practices and example testing approaches in relation to a number of areas. Annex B of the BCBS report sets out board IT metrics which are applicable to cyber-resilience and which set out what forward-looking indicators and metrics might be useful as items to present to the Board (or equivalent governance function) of a firm. BCBS Annex C sets out cyber-resilience metrics in terms of events and practices before a compromising event – i.e., a cyber-incident, at the point of compromise and after compromise. Many in-scope firms may find it useful to borrow from this BCBS Annexes A, B and C when designing compliance monitoring frameworks to meet CROE's expectations.

How to comply with CROE – meet or explain

CROE establishes three levels of expectation (also referred to as "maturity levels") of how to comply with CROE's criteria or explain why they do not meet the criteria. Firms are expected and T2S as well as SIPS are required to meet and maintain at least "Advancing" maturity prior to migrating to "Innovating":

  • Evolving: Essential capabilities are established, evolve and are sustained across the FMI to identify, mitigate and manage cyber-risks in alignment with the cyber-resilience strategy and framework approved by the Board. Performance of practice and capabilities are monitored and managed;
  • Advancing: In addition to meeting the "evolving" level's requirements, practices at this level involve implementing "more advanced tools" (e.g. advanced technology and risk management tools) that are integrated across the FMI's business lines and have been improved over time to manage cyber risks posed to the FMI proactively. There is no qualitative standard in the CROE as to what constitute an "advanced" tool.
  • Innovating: In addition to meeting the "evolving" and "advancing" levels, FMIs' capabilities across the business are "...enhanced as needed in order to strengthen cyber-resilience." Again, in the absence of some qualitative examples, this leaves much to interpretation. This may also risk a divergence between those taking the meet and explain approach of CROE quite seriously and those that merely window-dress. That in turn may mean that those embedded more fully will want to ensure they have material readily available to show to the oversight functions how they are meeting various (vaguely drafted) expectations in a concrete manner. This is especially the case as in order to meet the innovating level relevant in-scope FMIs are expected to demonstrate that they are "...driving innovation in people, processes and technology for the FMI and the wider ecosystem to manage cyber risk and enhance cyber-resilience. This may call for new controls and tools to be developed or new information-sharing groups to be created."

While the CROE does recognize that all addressees are different and thus that the means of how their capabilities meet the relevant levels will differ, the CROE is drafted in a technological, operational and jurisdictional agnostic manner. CROE is also built around the following risk management pillars as a component of an overall cyber-resilience framework that firms will need to meet or explain why they do not/cannot meet the relevant criteria:

  1. governance
  2. identification
  3. protection
  4. detection
  5. response and recovery

These principles in each of the thematic areas are translated into Sections of CROE that detail the overarching expectation and the qualitative features that must be fulfilled by an addressee to meet each of the levels from evolving to innovating. The common threads are summarized in the following sections below.

As a general observation, while some of what is set out in CROE may be familiar to a number of CROE addresses, especially larger FMIs, the depth of what is documented and how may be different as the ECB's expectations—regardless of whether at "evolving" or "innovating"—may go beyond what is currently in place in those organizations. This not only extends to policies and procedures but also how decisions to act or refrain from acting in a particular context are justified along with issues on data integrity.


Section 2.1 Governance begins with expectations on establishing a cyber-resilience strategy and framework. Conceptually some of this follows a similar approach to how the ECB-SSM communicated its supervisory expectations in transforming governance and culture in relation to non-performing loans and exposures.7 The setting-up of a cross-disciplinary steering committee of senior management and appropriate staff—including (external) contractors—from multiple business units to develop a holistic framework based on threats to the firm as well as its risk tolerance for individual as well as enterprise-wide impacts is at the heart of that process and the core of building a framework. Stemming from the risk self-assessment exercise, CROE expects that organizations develop and then set their cyber-resilience strategy. This should also be aligned to its corporate strategy and its "threat landscape".

Moving on from frameworks and strategy documents, Section 2.1 of CROE looks at the role and involvement of the FMI's "Board" (and one presumes this extends to other forums exercising similar governance and strategic steering functions), their skills and accountability of senior management and ultimately the wider risk culture of the FMI. The Board is expected to take an active role in approving the cyber-resilience strategy and framework, setting the FMI's risk tolerance and implementation of the framework in terms of policies, procedures and controls that support the framework. As with other EU but more recently ECB-SSM rules and/or expectations (that read like rules) that relate to the Board and senior management, there is a need to demonstrate both individual and collective responsibility and ability. While there is an appreciation that a "senior executive" e.g. the CISO may have primary responsibility and accountability, demonstrating compliance with this supervisory outcome means having collective capabilities and taking of ownership.

In terms of culture, the supervisory expectation and outcome is that in-scope FMIs apply and embed a top-down as well as bottom up approach. Again, as with the documentation aspects in Section 2.1, the distinguishing features between each of the levels are largely the deepening degree of granularity that would be expected in both the analysis of what effects a firm and the capabilities in place to maintain cyber-resilience. For FMIs that are "innovating," appointing a "cyber-expert" to the Board is one of the qualitative features. Other qualitative measures include introducing cyber-resilience and risk threat updates as a standing Board meeting agenda. In order to meet the "innovating" level, senior management is expected to cooperate proactively with other stakeholders across the ecosystem to promote a cyber-resilience culture more generally.


Section 2.2 addresses "identification" and specifically that FMIs should identify and classify business processes and information assets that should be protected against compromise and the external dependencies. FMIs are expected to identify and document all of its critical operations8 and functions, key roles, processes and information assets that support those functions as well as third-party dependencies and interconnections and update that information periodically. This means having in place not only measures which aim to prevent intrusions from third-party connections and the ability to block those but also the validation of the FMI's third-party relationship management and outsourcing arrangements by an independent audit function.

This risk inventory and risk assessment should be supported by a network map showing network resources with associated IPs that locate routing and security devices as well as servers supporting critical functions as well as external linkages. Further, FMIs are expected to conduct risk assessments before deploying new and/or updated technologies, products, services and connections to identify potential threats and vulnerabilities. CROE follows the general supervisory trend amongst international peers that relevant organizations, including senior management and their Board (i.e.taking ownership and accountability beyond the IT-staff), understand, map and manage their exposure to cyber-risk. This applies regardless of whether the connection and/or potential to exposure is connected to financial and non-financial entities. CROE also expects that external map to be reflected in understanding risks that are generated in the internal functions and thus different business units and jurisdictions and measuring both qualitative and quantitative impacts and mitigants to control risk generators and exposure threats.

Getting from "evolving" to "innovating" will, according to CROE, rest on automating information feeds and data management so as to strengthen a holistic enterprise-wide risk management. The CROE however is silent on what FMIs will need to do to test the resilience and accuracy of those very data feeds and does not address the concerns of many respondents during the consultation phase that automation may actually embed and hardwire risks from programming or other shortcomings.


Section 2.3 deals with the effective security controls, systems and processes that protect the confidentiality, integrity and availability of the FMI's assets. The measures to be implemented may be applied in a proportionate manner and should be reflective of the risk and threat landscape in which the FMIs operate. FMIs are expected to "apply a defence in-depth strategy in line with a risk-based approach." This is then clarified as meaning an FMI should implement multiple independent security controls so that if one control fails or a vulnerability is exploited, alternative controls will be able to protect the assets and/or processes that are protected and/or targeted.

In order to meet the "advancing" level criteria, the FMI is expected to develop and implement a bespoke information management system (ISMS), which it states "...could be based on a combination of well-recognized international standards (e.g. ISO 270001, ISO 20000-1 and ISO 27103 etc.)". Moreover, FMIs are expected to include cyber-resilience at the outset of system design, development and acquisition process lifecycle and thus embed "resilience by design".

The Section also goes on to set out its expectations on network and infrastructure management. As a key principle, FMIs are expected to establish secure boundaries that protect network infrastructure. This includes using a router, firewall, intrusion prevention system or intrusion detection systems, virtual private networks and appropriate use of proxies as well as device connectivity. The boundaries should be split between trusted and untrusted zones, and the relevant risk profiles and criticality of information assets contained in each zone. Change and patch management processes are expected to be included in detailed policies and procedures as well as active involvement of the cyber-security team.

Logical and physical access are also addressed in this Section including in role-based access controls that allocates system access rights and privileges to specific roles. FMIs are required to review such rights periodically and take appropriate action. Interactions with suppliers and third-party security management is also touched upon in CROE. This includes due diligence on the relevant party's own systems and controls, and FMIs will need to factor that into the relevant onboarding process and risk review.

Embedding cyber-resilience into the employment recruitment and employee on-boarding process is also highlighted in the CROE as a priority area. Specifically this Section calls for screening for cyber-related incidents of prospective applicants or contractors along with regular cyber-risk and resilience training. Moving to "innovating" in the criteria set out in this Section calls for greater use of automated solutions in terms of processes in various lifecycle steps as well as individual steps and programs communicating with one another. CROE is equally silent here in terms


Section 2.4 discusses the expectations that FMIs will need to meet to show they have early detection capabilities to detect a potential or actual breach having taken place. Much of this Section echoes and builds upon what is set out in Section 2.1 – Identification. FMIs should have detailed incident response processes in place. Those FMIs that are "advancing" will have developed and implemented a security, information and event management system, which correlates all the network and system alerts and other unusual activity in order to detect multi-faceted attacks. This Section also sets out that FMIs should, even at "evolving" stage, establish procedures for collecting digital evidence in a "forensically acceptable manner" and maintain a "forensic readiness policy" to support forensic investigations. This may require some very technical drafting to meet both regulatory and IT-specifications.

Response and recovery

Section 2.5 deals with how FMIs should set their Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Both of these are key in setting what point should systems be restored to in order to recommence business following a cyber-incident/attack and how quickly one can recover to that point in time. Much of what is in this Section also echoes and reiterates what is set out in the TIBER-EU Framework in terms of having computer security incident response teams. As iterated in our coverage on TIBER-EU, FMIs will have an interest in having a detailed Cyber-Response and Recovery Plan as well as escalation lists on file and in the field with the relevant colleagues.


The trend of building on the TIBER-EU Framework continues in Section 2.6 – Testing. This Section expects FMIs to have detailed and periodic vulnerability and penetration testing including using communicated scenario-based testing and a covert "red teaming" test. Moreover, FMIs are expected to develop, monitor and analyze detailed metrics of testing efficacy and regularly conduct tests in collaboration with its peers, participants and third-parties in addition to industry-wide exercises to test cooperation and coordination along with communication plans.

Situational awareness and learning and evolving sections

This part of the CROE sets out what FMIs can do to monitor cyber threats both in terms of intelligence i.e., tactics, techniques and procedures of attacks along with targets as well as going a step further than the TIBER-EU Framework for those FMIs that would like to migrate to "advancing" in maintaining a cyber-risk threat dashboard. The dashboard aims to capture all threats as well as those that could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred previously.

Situational awareness also requires information sharing, and CROE considers good compliance amongst FMIs when they establish trusted and safe channels of communication with direct stakeholders for exchanging information. The Learning and Evolving Section ties everything together with FMIs expected to place emphasis on cyber-resilience awareness to deliver on the policies an FMI has in place, as well as the CROE expectations along with how to spot and report suspicious activity.

Outlook and next steps

CROE is another part of the emerging strategy of how the ECB, in its central banking and financial stability role, expands its expectations of FMIs but also those firms facing FMIs. The latter may also have additional Banking Union supervisory requirements. CROE's focus means that FMIs and firms may need to revisit and/or expand on details in documented policies and procedures as well as how they evidence that cyber-resilience is embedded in a firm's culture as well as people and processes.

Complying with CROE may also mean that a number of firms that are caught may need to ensure that they have a clear and traceable trail of justifications (including a certain degree of independent documented challenge is desirable) as to why certain arrangements have been implemented to meet CROE's expectations or why they are proportionate. Some firms may find that notably in terms of compliance monitoring much of what CROE sets in expectations could be complemented nicely by measures set out in the BCBS Annexes to help achieve the meet or explain standard.

In terms of next steps addresses, and those, such as BUSIs, which are likely to become addressees of similar measures, may want to consider performing a gap analysis between current documented and operational arrangements and what CROE expects, mapping plans to migrate to the relevant maturity level as well as facilitating linkages with other market participants. As CROE provides prescriptive detail on what various policies ought to achieve in terms of outcomes as well as detailed operative deliverables such as dashboards, affected parties may want to plan and involve stakeholders from early on, in particular as meeting CROE compliance is likely to be only but one of many workstreams.

If you would like to discuss any of the items mentioned above or how CROE, the TIBER-EU Framework and the ECB's cyber-resilience expectations may affect your business more generally, please contact our Eurozone Hub key contacts.


1 See our analysis here.

2 See our analysis here.

3 See:

4 See:

5 It is important to note that whilst the ECB's drafting of CROE is framed as non-binding – as with other similar non-binding guidance that forms part of supervisory expectations and on-going supervisory dialogue of the ECB-SSM, the CROE does set definitive expectations that addressees must either "meet or explain". The use of "should" in CROE, imply a "must" or "are expected to" as opposed to granting a degree of optionality – unless that divergence from the expectation can be justified.

6 Including the FSB's proposed Cyber Lexicon – available here:

7 See our dedicated coverage on this from our Eurozone Hub.

8 The CROE definition of "critical operations" builds upon that in the Guidance and means "Any activity, function, process or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system."

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
6 Jun 2019, Seminar, Prague, Czech Republic

We cordially invite you to attend a breakfast seminar focusing on issues of bid rigging and private enforcement of competition law.

Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions