Article 23 Anomalous activities detection and criteria for ICT-related incidents detection and response
-
Financial entitiesas defined in Article 2, points (a) to (t) shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and anomalous activities.
-
The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entitiesas defined in Article 2, points (a) to (t) to:
-
collect, monitor, and analyse all of the following:
-
internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
-
potential internal and external cyber threatsmeans ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;, considering scenarios commonly used by threat actors and scenarios based on threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; activity;
-
ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; notification from an ICT third-party service providermeans an undertaking providing ICT services; of the financial entity detected in the ICT systems and networks of the ICT third-party service providermeans an undertaking providing ICT services; and that may affect the financial entity;
-
-
identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; and information assetsmeans a collection of information, either tangible or intangible, that is worth protecting; supporting critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;;
-
prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; within the expected resolution time, as specified by financial entitiesas defined in Article 2, points (a) to (t), both during and outside working hours;
-
record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
-
-
Financial entitiesas defined in Article 2, points (a) to (t) shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.
-
Financial entitiesas defined in Article 2, points (a) to (t) shall log all relevant information for each detected anomalous activity enabling:
-
the identification of the date and time of occurrence of the anomalous activity;
-
the identification of the date and time of detection of the anomalous activity;
-
the identification of the type of the anomalous activity.
-
-
Financial entitiesas defined in Article 2, points (a) to (t) shall consider all of the following criteria to trigger the ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:
-
indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
-
data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
-
adverse impact detected on financial entity’s transactions and operations;
-
ICT systems’ and network unavailability.
-
-
For the purposes of paragraph 5, financial entitiesas defined in Article 2, points (a) to (t) shall also consider the criticality of the services affected.