RTS
Chapter II - ICT risk management
Article 6 - ICT risk management framework
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
Article 9 - Protection and prevention
Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
Article 10 - Detection
Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.
The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.
Article 11 - Response and recovery
As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.
As part of their comprehensive ICT risk management, financial entities shall:
For the purposes of the first subparagraph, point (a), financial entities, other than microenterprises, shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.
Article 16 - Simplified ICT risk management framework
Articles 5 to 15 of this Regulation shall not apply to small and non-interconnected investment firms; payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.
Without prejudice to the first subparagraph, the entities listed in the first subparagraph shall:
The ICT risk management framework referred to in paragraph 1, second subparagraph, point (a), shall be documented and reviewed periodically and upon the occurrence of major ICT-related incidents in compliance with supervisory instructions. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
Chapter III - ICT-related incident management, classification and reporting
Article 18 - Classification of ICT-related incidents and cyber threats
Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 46 in accordance with paragraph 4 of this Article.
Where a financial entity is subject to supervision by more than one national competent authority referred to in Article 46, Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit that report to the ECB.
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.
The initial notification and reports referred to in paragraph 4 shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.
Without prejudice to the reporting pursuant to the first subparagraph by the financial entity to the relevant competent authority, Member States may additionally determine that some or all financial entities shall also provide the initial notification and each report referred to in paragraph 4 of this Article using the templates referred to in Article 20 to the competent authorities or the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555.
Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. The relevant competent authority may provide such information to other relevant authorities referred to in paragraph 6.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, may, on a voluntary basis, notify significant cyber threats to the relevant national competent authority, designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit the notification to the ECB.
Member States may determine that those financial entities that on a voluntary basis notify in accordance with the first subparagraph may also transmit that notification to the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.
Financial entities shall, within the time limits to be laid down in accordance with Article 20, first paragraph, point (a), point (ii), submit the following to the relevant competent authority:
Upon receipt of the initial notification and of each report referred to in paragraph 4, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to the following recipients based, as applicable, on their respective competences:
Following receipt of information in accordance with paragraph 6, EBA, ESMA or EIOPA and the ECB, in consultation with ENISA and in cooperation with the relevant competent authority, shall assess whether the major ICT-related incident is relevant for competent authorities in other Member States. Following that assessment, EBA, ESMA or EIOPA shall, as soon as possible, notify relevant competent authorities in other Member States accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.
Chapter V - Managing of ICT third-party risk
Article 28 - General principles
As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable.
The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis.
The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
Article 30 - Key contractual provisions
The contractual arrangements on the use of ICT services shall include at least the following elements:
Chapter I - General provisions
Article 3 - Definitions (terms used in the articles above)
financial entities: as defined in Article 2, points (a) to (t);
competent authority: as defined in Article 46;
digital operational resilience testing: as defined in Article 24;
ICT risk: any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;
ICT-related incident: a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;
major ICT-related incident: an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;
cyber-attack: a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset;
cyber threat: ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;
significant cyber threat: a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;
critical or important function: a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
information asset: a collection of information, either tangible or intangible, that is worth protecting;
ICT asset: a software or hardware asset in the network and information systems used by the financial entity;
ICT services: digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;
ICT third-party service provider: an undertaking providing ICT services;
ICT third-party risk: an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;
microenterprise: a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;
small and non-interconnected investment firm: an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the Council;
payment institution exempted pursuant to Directive (EU) 2015/2366: a payment institution exempted pursuant to Article 32(1) of Directive (EU) 2015/2366;
institution exempted pursuant to Directive 2013/36/EU: an entity as referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU;
electronic money institution exempted pursuant to Directive 2009/110/EC: an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC;
small institution for occupational retirement provision: an institution for occupational retirement provision which operates pension schemes which together have less than 100 members in total;
credit institution: a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council;
management body: a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;
CSIRTs: computer security incident response teams.