Format and content of the report on the review of the ICT risk management framework

  1. Financial entities as defined in Article 2, points (a) to (t) shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format.

  2. Financial entities as defined in Article 2, points (a) to (t) shall include all of the following information in the report referred to in paragraph 1:

    (a) an introductory section that:

      (i) clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant;

      (ii) describes the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency;

      (iii) summarises the major changes in the ICT risk management framework since the previous report submitted;

      (iv) provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;

    (b) the date of the approval of the report by the management body of the financial entity;

    (c) a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554;

    (d) the start and end dates of the review period;

    (e) an indication of the function responsible for the review;

    (f) a description of the major changes and improvements to the ICT risk management framework since the previous review;

    (g) a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period;

    (h) a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following:

      (i) a summary of measures taken to remediate identified weaknesses, deficiencies and gaps;

      (ii) an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected;

      (iii) tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external;

      (iv) a description of the impact of the changes envisaged in the measures on the financial entity’s budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures;

      (v) information on the process for informing the competent authority, where appropriate;

      (vi) where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk;

    (i) information on planned further developments of the ICT risk management framework;

    (j) conclusions resulting from the review of the ICT risk management framework;

    (k) information on past reviews, including:

      (i) a list of past reviews to date;

      (ii) where applicable, a state of implementation of the corrective measures identified by the last report;

      (iii) where the proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges;

    (l) sources of information used in the preparation of the report, including all of the following:

      (i) for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits;

      (ii) the results of compliance assessments;

      (iii) results of digital operational resilience testing, and where applicable the results of advanced testing, based on threat-led penetration testing (TLPT), of ICT tools, systems, and processes;

      (iv) external sources.

    For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis.

    For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity’s digital operational resilience strategy, on the financial entity’s ICT internal control framework, and on the financial entity’s ICT risk management governance.