ICT project management


  1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document, and implement an ICT project management policy.

  2. The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity’s ICT systems.

  3. The ICT project management policy referred to in paragraph 1 shall contain all of the following:

    1. ICT project objectives;

    2. ICT project governance, including roles and responsibilities;

    3. ICT project planning, timeframe, and steps;

    4. ICT project risk assessment;

    5. relevant milestones;

    6. change management requirements;

    7. the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment.

  4. The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project.

  5. In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of the financial entity and their associated risks are reported to the management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law as follows:

    1. individually or in aggregation, depending on the importance and size of the ICT projects;

    2. periodically and, where necessary, on an event-driven basis.