TITLE I — GENERAL PRINCIPLE

Article 1Overall risk profile and complexity

When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to:

(a)
encryption and cryptography;
(b)
ICT operations security;
(c)
network security;
(d)
ICT project and change management;
(e)
the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity’s activities.

TITLE II — FURTHER HARMONISATION OF ICT RISK MANAGEMENT TOOLS, METHODS, PROCESSES, AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF REGULATION (EU) 2022/2554

CHAPTER IICT Security policies, procedures, protocols, and tools

Section 1

Article 2General elements of ICT security policies, procedures, protocols, and tools

1. Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:

(a)
ensure the security of networks;
(b)
contain safeguards against intrusions and data misuse;
(c)
preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
(d)
guarantee an accurate and prompt data transmission without major disruptions and undue delays.

2. Financial entities shall ensure that the ICT security policies referred to in paragraph 1:

(a)
are aligned to the financial entity’s information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
(b)
indicate the date of the formal approval of the ICT security policies by the management body;
(c)
contain indicators and measures to:
1. (i)
  monitor the implementation of the ICT security policies, procedures, protocols, and tools;
2. (ii)
  record exceptions from that implementation;
3. (iii)
  ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
(d)
specify the responsibilities of staff at all levels to ensure the financial entity’s ICT security;
(e)
specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
(f)
list the documentation to be maintained;
(g)
specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
(h)
consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
(i)
identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
(j)
are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
(k)
take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.

Section 2

Article 3ICT risk management

Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:

(a)
an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;
(b)
a procedure and a methodology to conduct the ICT risk assessment, identifying:
1. (i)
  vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;
2. (ii)
  the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);
(c)
the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);
(d)
for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):
1. (i)
  provisions on the identification of those residual ICT risks;
2. (ii)
  the assignment of roles and responsibilities regarding:
  1. (1)
    the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a);
  2. (2)
    for the review process referred to in point (iv) of this point (d);
3. (iii)
  the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;
4. (iv)
  provisions on the review of the accepted residual ICT risks at least once a year, including:
  1. (1)
    the identification of any changes to the residual ICT risks;
  2. (2)
    the assessment of available mitigation measures;
  3. (3)
    the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;
(e)
provisions on the monitoring of:
1. (i)
  any changes to the ICT risk and cyber threat landscape;
2. (ii)
  internal and external vulnerabilities and threats:
3. (iii)
  ICT risk of the financial entity that enables promp detection of changes that could affect its ICT risk profile;
(f)
provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.

For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:

(a)
the monitoring of the effectiveness of the ICT risk treatment measures implemented;
(b)
the assessment of whether the established risk tolerance levels of the financial entity have been attained;
(c)
the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.

Section 3 — ICT asset management

Article 4ICT asset management policy

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.

2. The policy on management of ICT assets referred to in paragraph 1 shall:

(a)
prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
(b)
prescribe that the financial entity keeps records of all of the following:
1. (i)
  the unique identifier of each ICT asset;
2. (ii)
  information on the location, either physical or logical, of all ICT assets;
3. (iii)
  the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;
4. (iv)
  the identity of ICT asset owners;
5. (v)
  the business functions or services supported by the ICT asset;
6. (vi)
  the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
7. (vii)
  whether the ICT asset can be or is exposed to external networks, including the internet;
8. (viii)
  the links and interdependencies among ICT assets and the business functions using each ICT asset;
9. (ix)
  where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
(c)
for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.

Article 5ICT asset management procedure

1. Financial entities shall develop, document, and implement a procedure for the management of ICT assets.

2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:

(a)
the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;
(b)
how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.

Section 4 — Encryption and cryptography

Article 6Encryption and cryptographic controls

1. As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls.

2. Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following:

(a)
the encryption of data at rest and in transit;
(b)
the encryption of data in use, where necessary;
(c)
the encryption of internal network connections and traffic with external parties;
(d)
the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys.

For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data.

3. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.

4. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.

5. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so.

Article 7Cryptographic key management

1. Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.

2. Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment.

3. Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.

4. Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date.

5. Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.

Section 5 — ICT operations security

Article 8Policies and procedures for ICT operations

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations.

2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:

(a)
an ICT assets description, including all of the following:
1. (i)
  requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
2. (ii)
  requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual;
3. (iii)
  requirements regarding the identification and control of legacy ICT systems;
(b)
controls and monitoring of ICT systems, including all of the following:
1. (i)
  backup and restore requirements of ICT systems;
2. (ii)
  scheduling requirements, taking into consideration interdependencies among the ICT systems;
3. (iii)
  protocols for audit-trail and system log information;
4. (iv)
  requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations;
5. (v)
  requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
6. (vi)
  requirements to conduct the development and testing in environments which are separated from the production environment;
7. (vii)
  requirements to conduct the development and testing in production environments;
(c)
error handling concerning ICT systems, including all of the following:
1. (i)
  procedures and protocols for handling errors;
2. (ii)
  support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
3. (iii)
  ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.

For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.

Article 9Capacity and performance management

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following:

(a)
the identification of capacity requirements of their ICT systems;
(b)
the application of resource optimisation;
(c)
the monitoring procedures for maintaining and improving:
1. (i)
  the availability of data and ICT systems;
2. (ii)
  the efficiency of ICT systems;
3. (iii)
  the prevention of ICT capacity shortages.

2. The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive.

Article 10Vulnerability and patch management

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.

2. The vulnerability management procedures referred to in paragraph 1 shall:

(a)
identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
(b)
ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
(c)
verify whether:
1. (i)
  ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;
2. (ii)
  whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;
(d)
track the usage of:
1. (i)
  third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;
2. (ii)
  ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;
(e)
establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
(f)
prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
(g)
monitor and verify the remediation of vulnerabilities;
(h)
require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.

For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.

3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.

4. The patch management procedures referred to in paragraph 3 shall:

(a)
to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
(b)
identify emergency procedures for the patching and updating of ICT assets;
(c)
test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);
(d)
set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.

Article 11Data and system security

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a data and system security procedure.

2. The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554:

(a)
the access restrictions referred to in Article 21 of this Regulation, supporting the protection requirements for each level of classification;
(b)
the identification of a secure configuration baseline for ICT assets that minimise exposure of those ICT assets to cyber threats and measures to verify regularly that those baselines are effectively deployed;
(c)
the identification of security measures to ensure that only authorised software is installed in ICT systems and endpoint devices;
(d)
the identification of security measures against malicious codes;
(e)
the identification of security measures to ensure that only authorised data storage media, systems, and endpoint devices are used to transfer and store data of the financial entity;
(f)
the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices:
1. (i)
  the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity’s data;
2. (ii)
  the requirement to use security mechanisms that cannot be modified, removed or bypassed by staff members or ICT third-party service providers in an unauthorised manner;
3. (iii)
  the requirement to use removable data storage devices only where the residual ICT risk remains within the financial entity’s risk tolerance level referred to in Article 3, first subparagraph, point (a);
(g)
the process to securely delete data, present on premises of the financial entity or stored externally, that the financial entity no longer needs to collect or to store;
(h)
the process to securely dispose or decommission of data storage devices present on premises of the financial entity or stored externally containing confidential information;
(i)
the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices;
(j)
the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity;
(k)
for ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience, in accordance with the results of the data classification and ICT risk assessment.

For the purposes of point (b), the secure configuration baseline referred to in that point shall take into account leading practices and appropriate techniques laid down in the standards defined in Article 2, point (1), of Regulation (EU) No 1025/2012.

For the purposes of point (k), financial entities shall consider the following:

(a)
the implementation of vendor recommended settings on the elements operated by the financial entity;
(b)
a clear allocation of information security roles and responsibilities between the financial entity and the ICT third-party service provider, in accordance with the principle of full responsibility of the financial entity over its ICT third-party service provider referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554, and for financial entities referred to in Article 28(2) of that Regulation, and in accordance with the financial entity’s policy on the use of ICT services supporting critical or important functions;
(c)
the need to ensure and maintain adequate competences within the financial entity in the management and security of the service used;
(d)
technical and organisational measures to minimise the risks related to the infrastructure used by the ICT third-party service provider for its ICT services, considering leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012.

Article 12Logging

1. Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools.

2. The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following:

(a)
the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created;
(b)
the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24;
(c)
the requirement to log events related to all of the following:
1. (i)
  logical and physical access control, as referred to in Article 21, and identity management;
2. (ii)
  capacity management;
3. (iii)
  change management;
4. (iv)
  ICT operations, including ICT system activities;
5. (v)
  network traffic activities, including ICT network performance;
(d)
measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use;
(e)
measures to detect a failure of logging systems;
(f)
without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity’s ICT systems upon a documented reliable reference time source.

For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment.

Section 6 — Network security

Article 13Network security management

Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following:

(a)
the segregation and segmentation of ICT systems and networks taking into account:
1. (i)
  the criticality or importance of the function those ICT systems and networks support;
2. (ii)
  the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554;
3. (iii)
  the overall risk profile of ICT assets using those ICT systems and networks;
(b)
the documentation of all of the financial entity’s network connections and data flows;
(c)
the use of a separate and dedicated network for the administration of ICT assets;
(d)
the identification and implementation of network access controls to prevent and detect connections to the financial entity’s network by any unauthorised device or system, or any endpoint not meeting the financial entity’s security requirements;
(e)
the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks, and wireless networks, for communication protocols used, taking into account the results of the approved data classification, the results of the ICT risk assessment and the encryption of network connections referred to in Article 6(2);
(f)
the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network;
(g)
the securing of network traffic between the internal networks and the internet and other external connections;
(h)
the identification of the roles and responsibilities and steps for the specification, implementation, approval, change, and review of firewall rules and connections filters;
(i)
the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities;
(j)
the measures to temporarily isolate, where necessary, subnetworks, and network components and devices;
(k)
the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices;
(l)
the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity;
(m)
for network services agreements:
1. (i)
  the identification and specification of ICT and information security measures, service levels, and management requirements of all network services;
2. (ii)
  whether those services are provided by an ICT intra-group service provider or by ICT third-party service providers.

For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months.

Article 14Securing information in transit

1. As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following:

(a)
the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements;
(b)
the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties;
(c)
that requirements on confidentiality or non-disclosure arrangements reflecting the financial entity’s needs for the protection of information for both the staff of the financial entity and of third parties are implemented, documented, and regularly reviewed.

2. Financial entities shall design the policies, procedures, protocols, and tools to protect the information in transit referred to in paragraph 1 on the basis of the results of the approved data classification and of the ICT risk assessment.

Section 7 — ICT project and change management

Article 15ICT project management

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy.

2. The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity’s ICT systems.

3. The ICT project management policy referred to in paragraph 1 shall contain all of the following:

(a)
ICT project objectives;
(b)
ICT project governance, including roles and responsibilities;
(c)
ICT project planning, timeframe, and steps;
(d)
ICT project risk assessment;
(e)
relevant milestones;
(f)
change management requirements;
(g)
the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment.

4. The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project.

5. In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows:

(a)
individually or in aggregation, depending on the importance and size of the ICT projects;
(b)
periodically and, where necessary, on an event-driven basis.

Article 16ICT systems acquisition, development, and maintenance

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall:

(a)
identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems;
(b)
require the identification of:
1. (i)
  technical specifications and ICT technical specifications, as defined in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012;
2. (ii)
  requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity’s internal governance arrangements;
(c)
specify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during the development, maintenance, and deployment of those ICT systems in the production environment.

2. Financial entities shall develop, document, and implement an ICT systems’ acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally.

Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:

(a)
clearing members and clients;
(b)
interoperable central counterparties;
(c)
other interested parties.

Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:

(a)
users;
(b)
critical utilities and critical service providers;
(c)
other central securities depositories;
(d)
other market infrastructures;
(e)
any other institutions with which central securities depositories have identified interdependencies in their business continuity policy.

3. The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall:

(a)
identify and analyse vulnerabilities and anomalies in the source code;
(b)
adopt an action plan to address those vulnerabilities and anomalies;
(c)
monitor the implementation of that action plan.

4. The procedure referred to in paragraph 2 shall contain security testing of software packages no later than at the integration phase, in accordance with Article 8(2), points (b)(v), (vi) and(vii).

5. The procedure referred to in paragraph 2 shall provide that:

(a)
non-production environments only store anonymised, pseudonymised, or randomised production data;
(b)
financial entities are to protect the integrity and confidentiality of data in non-production environments.

6. By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function.

7. The procedure referred to in paragraph 2 shall contain the implementation of controls to protect the integrity of the source code of ICT systems that are developed in-house or by an ICT third-party service provider and delivered to the financial entity by an ICT third-parties service provider.

8. The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment.

9. Paragraph 1 to 8 of this Article shall also apply to ICT systems developed or managed by users outside the ICT function, using a risk-based approach.

Article 17ICT change management

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements:

(a)
a verification of whether the ICT security requirements have been met;
(b)
mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes;
(c)
a clear description of the roles and responsibilities to ensure that:
1. (i)
  changes are specified and planned;
2. (ii)
  an adequate transition is designed;
3. (iii)
  the changes are tested and finalised in a controlled manner;
4. (iv)
  there is an effective quality assurance;
(d)
the documentation and communication of change details, including:
1. (i)
  the purpose and scope of the change;
2. (ii)
  the timeline for the implementation of the change;
3. (iii)
  the expected outcomes;
(e)
the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented;
(f)
procedures, protocols, and tools to manage emergency changes that provide adequate safeguards;
(g)
procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches;
(h)
the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures.

2. After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions.

Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:

(a)
clearing members and clients;
(b)
interoperable central counterparties;
(c)
other interested parties,

Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph:

(a)
users;
(b)
critical utilities and critical service providers;
(c)
other central securities depositories;
(d)
other market infrastructures;
(e)
any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy.

Section 8

Article 18Physical and environmental security

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy i light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets.

2. The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:

(a)
a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);
(b)
measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside;
(c)
measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets;
(d)
measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance;
(e)
measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:
1. (i)
  a clear desk policy for papers;
2. (ii)
  a clear screen policy for information processing facilities.

For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets.

CHAPTER IIHuman resources policy and access control

Article 19Human resources policy

Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements:

(a)
the identification and assignment of any specific ICT security responsibilities;
(b)
requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to:
1. (i)
  be informed about, and adhere to, the financial entity’s ICT security policies, procedures, and protocols;
2. (ii)
  be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the CouncilDirective (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305, 26.11.2019, p. 17, ELI: http://data.europa.eu/eli/dir/2019/1937/oj).;
3. (iii)
  for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity.

Article 20Identity management

1. As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information to enable assignment of user access rights in accordance with Article 21.

2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:

(a)
without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity;
(b)
a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.

For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.

Article 21Access control

As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following:

(a)
the assignment of access rights to ICT assets based on need-to-know, need-to-use and least privilege principles, including for remote and emergency access;
(b)
the segregation of duties designed to prevent unjustified access to critical data or to prevent the allocation of combinations of access rights that may be used to circumvent controls;
(c)
a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times;
(d)
a provision on restrictions of access to ICT assets, setting out controls and tools to prevent unauthorised access;
(e)
account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following:
1. (i)
  assignment of roles and responsibilities for granting, reviewing, and revoking access rights;
2. (ii)
  assignment of privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems;
3. (iii)
  withdrawal of access rights without undue delay upon termination of the employment or when the access is no longer necessary;
4. (iv)
  update of access rights where changes are necessary and at least once a year for all ICT systems, other than ICT systems supporting critical or important functions and at least every 6 months for ICT systems supporting critical or important functions;
(f)
authentication methods, including all of the following:
1. (i)
  the use of authentication methods commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices;
2. (ii)
  the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity’s network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible;
(g)
physical access controls measures including:
1. (i)
  the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside;
2. (ii)
  the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis;
3. (iii)
  the monitoring of physical access to premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets or both reside;
4. (iv)
  the review of physical access rights to ensure that unnecessary access rights are promptly revoked.

For the purposes of point (e)(i), financial entities shall establish the retention period taking into account the business and information security objectives, the reasons for recording the event in the logs, and the results of the ICT risk assessment.For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management.For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.For the purposes of point (g)(iii), the monitoring shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the criticality of the area accessed.

CHAPTER IIIICT-related incident detection and response

Article 22ICT-related incident management policy

As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall:

(a)
document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;
(b)
establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:
1. (i)
  the detection and monitoring of cyber threats;
2. (ii)
  the detection of anomalous activities;
3. (iii)
  vulnerability management;
(c)
establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;
(d)
retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj). and with any applicable retention requirement pursuant to Union law;
(e)
establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents.

For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner.

Article 23Anomalous activities detection and criteria for ICT-related incidents detection and response

1. Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities.

2. The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:

(a)
collect, monitor, and analyse all of the following:
1. (i)
  internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
2. (ii)
  potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
3. (iii)
  ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
(b)
identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
(c)
prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
(d)
record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.

For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.

3. Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.

4. Financial entities shall log all relevant information for each detected anomalous activity enabling:

(a)
the identification of the date and time of occurrence of the anomalous activity;
(b)
the identification of the date and time of detection of the anomalous activity;
(c)
the identification of the type of the anomalous activity.

5. Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:

(a)
indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
(b)
data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
(c)
adverse impact detected on financial entity’s transactions and operations;
(d)
ICT systems’ and network unavailability.

6. For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected.

CHAPTER IVICT business continuity management

Article 24Components of the ICT business continuity policy

1. Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following:

(a)
a description of:
1. (i)
  the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554;
2. (ii)
  the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions;
3. (iii)
  the timeframe to be covered by the ICT business continuity arrangements, plans, procedures, and mechanisms;
4. (iv)
  the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans;
(b)
provisions on:
1. (i)
  the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available;
2. (ii)
  the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following:
  1. (1)
    potential failure scenarios, including the scenarios referred to in Article 26(2) of this Regulation;
  2. (2)
    recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective;
3. (iii)
  the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach;
4. (iv)
  the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation;
5. (v)
  the review of the effectiveness of the implemented ICT business continuity arrangements, plans, procedures and mechanisms, in accordance with Article 26 of this Regulation;
6. (vi)
  the alignment of the ICT business continuity policy to:
  1. (1)
    the communication policy referred to in Article 14(2) of Regulation (EU) 2022/2554;
  2. (2)
    the communication and crisis communication actions referred to in Article 11(2), point (e), of Regulation (EU) 2022/2554.

2. In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy:

(a)
contains a maximum recovery time for their critical functions that is not longer than 2 hours;
(b)
takes into account external links and interdependencies within the financial infrastructures, including trading venues cleared by the central counterparty, securities settlement and payment systems, and credit institutions used by the central counterparty or a linked central counterparty;
(c)
requires that arrangements are in place to:
1. (i)
  ensure the continuity of critical or important functions of the central counterparty based on disaster scenarios;
2. (ii)
  maintain a secondary processing site capable of ensuring continuity of critical or important functions of the central counterparty identical to the primary site;
3. (iii)
  maintain or have immediate access to a secondary business site, to allow staff to ensure continuity of the service if the primary location of business is not available;
4. (iv)
  consider the need for additional processing sites, in particular where the diversity of the risk profiles of the primary and secondary sites does not provide sufficient confidence that the central counterparty’s business continuity objectives will be met in all scenarios.

For the purposes of point (a), central counterparties shall complete end of day procedures and payments on the required time and day in all circumstances.For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site.For the purposes of point (c)(ii), the secondary processing site referred to in that point shall have a geographical risk profile which is distinct from that of the primary site.

3. In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy:

(a)
takes into account any links and interdependencies to users, critical utilities and critical service providers, other central securities depositories and other market infrastructures;
(b)
requires its ICT business continuity arrangements to ensure that the recovery time objective for their critical or important functions shall not be longer than 2 hours.

4. In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that:

(a)
trading can be resumed within or close to 2 hours of a disruptive incident;
(b)
the maximum amount of data that may be lost from any IT service of the trading venue after a disruptive incident is close to zero.

Article 25Testing of the ICT business continuity plans

1. When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity’s business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation.

2. Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity’s critical or important functions. That testing shall:

(a)
be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios;
(b)
contain the testing of ICT services provided by ICT third-party service providers, where applicable;
(c)
for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities;
(d)
be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans;
(e)
contain procedures to verify the ability of the financial entities’ staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2).

For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans.For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers’ jurisdictions, where relevant.For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored.

3. In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1:

(a)
clearing members;
(b)
external providers;
(c)
relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies.

4. In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate:

(a)
users of the central securities depositories;
(b)
critical utilities and critical service providers;
(c)
other central securities depositories;
(d)
other market infrastructures;
(e)
any other institutions with which central securities depositories have identified interdependencies in their business continuity policy.

5. Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body.

Article 26ICT response and recovery plans

1. When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity’s business impact analysis (BIA). Those ICT response and recovery plans shall:

(a)
specify the conditions prompting their activation or deactivation, and any exceptions for such activation or deactivation;
(b)
describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity;
(c)
be designed to meet the recovery objectives of the operations of the financial entities;
(d)
be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency;
(e)
provide for both short-term and long-term recovery options, including partial systems recovery;
(f)
lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans.

For the purposes of point (d), financial entities shall clearly specify roles and responsibilities.

2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios:

(a)
cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities;
(b)
scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider;
(c)
partial or total failure of premises, including office and business premises, and data centres;
(d)
substantial failure of ICT assets or of the communication infrastructure;
(e)
the non-availability of a critical number of staff or staff members in charge of guaranteeing the continuity of operations;
(f)
impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks;
(g)
insider attacks;
(h)
political and social instability, including, where relevant, in the ICT third-party service provider’s jurisdiction and the location where the data are stored and processed;
(i)
widespread power outages.

3. Where the primary recovery measures may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances, the ICT response and recovery plans referred to in paragraph 1 shall consider alternative options.

4. As part of the ICT response and recovery plans referred to in paragraph 1, financial entities shall consider and implement continuity measures to mitigate failures of ICT third-party service providers of ICT services supporting critical or important functions of the financial entity.

CHAPTER VReport on the ICT risk management framework review

Article 27Format and content of the report on the review of the ICT risk management framework

1. Financial entities shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format.

2. Financial entities shall include all of the following information in the report referred to in paragraph 1:

(a)
an introductory section that:
1. (i)
  clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant;
2. (ii)
  describes the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency;
3. (iii)
  summarises the major changes in the ICT risk management framework since the previous report submitted;
4. (iv)
  provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;
(b)
the date of the approval of the report by the management body of the financial entity;
(c)
a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554.;
(d)
the start and end dates of the review period;
(e)
an indication of the function responsible for the review;
(f)
a description of the major changes and improvements to the ICT risk management framework since the previous review;
(g)
a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period;
(h)
a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following:
1. (i)
  a summary of measures taken to remediate to identified weaknesses, deficiencies and gaps;
2. (ii)
  an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected;
3. (iii)
  tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external;
4. (iv)
  a description of the impact of the changes envisaged in the measures on the financial entity’s budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures;
5. (v)
  information on the process for informing the competent authority, where appropriate;
6. (vi)
  where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk;
(i)
information on planned further developments of the ICT risk management framework;
(j)
conclusions resulting from the review of the ICT risk management framework;
(k)
information on past reviews, including:
1. (i)
  a list of past reviews to date;
2. (ii)
  where applicable, a state of implementation of the corrective measures identified by the last report;
3. (iii)
  where the proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges;
(l)
sources of information used in the preparation of the report, including all of the following:
1. (i)
  for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits;
2. (ii)
  the results of compliance assessments;
3. (iii)
  results of digital operational resilience testing, and where applicable the results of advanced testing, based on threat-led penetration testing (TLPT), of ICT tools, systems, and processes;
4. (iv)
  external sources.

For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis.For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity’s digital operational resilience strategy, on the financial entity’s ICT internal control framework, and on the financial entity’s ICT risk management governance.

TITLE III — SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK FOR FINANCIAL ENTITIES REFERRED TO IN ARTICLE 16(1) OF REGULATION (EU) 2022/2554

CHAPTER ISimplified ICT risk management framework

Article 28Governance and organisation

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience.

2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body:

(a)
bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity’s business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context;
(b)
sets clear roles and responsibilities for all ICT-related tasks;
(c)
sets out information security objectives and ICT requirements;
(d)
approves, oversees, and periodically reviews:
1. (i)
  the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies;
2. (ii)
  the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554;
(e)
allocates and reviews at least once a year the budget necessary to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff;
(f)
specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to;
(g)
identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets;
(h)
ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed;
(i)
establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience.

3. The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements.

4. The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions.

5. The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities’ audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.

6. Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings.

Article 29Information security policy and measures

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide.

2. Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers.The ICT security measures shall include all of the measures referred to in Articles 30 to 38.

Article 30Classification of information assets and ICT assets

1. As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed.

2. The financial entities referred to in paragraph 1 shall identify all critical or important functions supported by ICT third-party service providers.

Article 31ICT risk management

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following:

(a)
a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity;
(b)
the identification and assessment of the ICT risks to which the financial entity is exposed;
(c)
the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity;
(d)
the monitoring of the effectiveness of the mitigation strategies referred to in point (c);
(e)
the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident.

2. The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities’ ICT risk profile.

3. The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions.

4. The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes.

Article 32Physical and environmental security

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets.

2. The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.

3. The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.

CHAPTER IIFurther elements of systems, protocols, and tools to minimise the impact of ICT risk

Article 33Access Control

The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access:

(a)
access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access;
(b)
user accountability, which ensures that users can be identified for the actions performed in the ICT systems;
(c)
account management procedures to grant, change, or revoke access rights for user and generic accounts, including generic administrator accounts;
(d)
authentication methods that are commensurate to the classification referred to in Article 30(1) and to the overall risk profile of ICT assets, and which are based on leading practices;
(e)
access rights are periodically reviewed and are withdrawn when no longer required.

For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f).For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities’ network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available.

Article 34ICT operations security

The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets:

(a)
monitor and manage the lifecycle of all ICT assets;
(b)
monitor whether the ICT assets are supported by ICT third-party service providers of financial entities, where applicable;
(c)
identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise;
(d)
perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities;
(e)
manage the risks related to outdated, unsupported, or legacy ICT assets;
(f)
log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management;
(g)
identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations;
(h)
implement measures to monitor relevant and up-to-date information about cyber threats;
(i)
implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates.

For the purposes of point (f), financial entities shall align the level of detail of the logs with their purpose and usage of the ICT asset producing those logs.

Article 35Data, system and network security

The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following:

(a)
the identification and implementation of measures to protect data in use, in transit, and at rest;
(b)
the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity;
(c)
the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity’s network, and to secure the network traffic between the financial entity’s internal networks and the internet and other external connections;
(d)
the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions;
(e)
a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store;
(f)
a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information;
(g)
the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity’s ability to carry out its critical activities in an adequate, timely, and secure manner.

Article 36ICT security testing

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation.

2. The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity.

3. The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions.

Article 37ICT systems acquisition, development, and maintenance

The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall:

(a)
ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned;
(b)
ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment;
(c)
identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment.

Article 38ICT project and change management

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure.

2. The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity’s digital operational resilience.

CHAPTER IIIICT business continuity management

Article 39Components of the ICT business continuity plan

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario.

2. The ICT business continuity plans referred to in paragraph 1 shall:

(a)
be approved by the management body of the financial entity;
(b)
be documented and readily accessible in the event of an emergency or crisis;
(c)
allocate sufficient resources for their execution;
(d)
establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers;
(e)
identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities’ ICT assets supporting critical or important functions;
(f)
identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities;
(g)
identify backup procedures and measures that specify the scope of the data that are subject to the backup, and the minimum frequency of the backup, based on the criticality of the function using those data;
(h)
consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances;
(i)
specify the internal and external communication arrangements, including escalation plans;
(j)
be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity’s organisation, and to the ICT assets supporting critical or business functions.

For the purposes of point (f), the measures referred to in that point shall provide for the mitigation of failures of critical third-party providers.

Article 40Testing of business continuity plans

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall test their business continuity plans referred to in Article 39 of this Regulation, including the scenarios referred to in that Article, at least once every year for the back-up and restore procedures, or upon every major change of the business continuity plan.

2. The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans.

3. The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body.

CHAPTER IVReport on the review of the simplified ICT risk management framework

Article 41Format and content of the report on the review of the simplified ICT risk management framework

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format.

2. The report referred to in paragraph 1 shall contain all of the following information:

(a)
an introductory section providing:
1. (i)
  a description of the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, the financial entity’s organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity’s dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency;
2. (ii)
  an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;
3. (iii)
  information about the reported area;
4. (iv)
  a summary of the major changes in the ICT risk management framework since the previous report;
5. (v)
  a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report;
(b)
where applicable, the date of the approval of the report by the management body of the financial entity;
(c)
a description of the reasons for the review, including:
1. (i)
  where the review has been initiated following supervisory instructions, evidence of such instructions;
2. (ii)
  where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis;
(d)
the start and end date of the review period;
(e)
the person responsible for the review;
(f)
a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof;
(g)
remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied;
(h)
overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments.

TITLE IV — FINAL PROVISIONS

Article 42Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.