ICT-related incident management policy


As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document, and implement an ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; policy through which they shall:

  1. document the ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; management process referred to in Article 17 of Regulation (EU) 2022/2554;

  2. establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:

    1. the detection and monitoring of cyber threatsmeans ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;;

    2. the detection of anomalous activities;

    3. vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; management;

  3. establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;

  4. retain all evidence relating to ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assetsmeans a collection of information, either tangible or intangible, that is worth protecting;, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12)Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj). and with any applicable retention requirement pursuant to Union law;

  5. establish and implement mechanisms to analyse significant or recurring ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and patterns in the number and the occurrence of ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;.

For the purposes of point (d), financial entitiesas defined in Article 2, points (a) to (t) shall retain the evidence referred to in that point in a secure manner.