Governance and organisation


  1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; to achieve a high level of digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;.

  2. The financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall, as part of their simplified ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework, ensure that their management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;:

    1. bears the overall responsibility for ensuring that the simplified ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework allows for the achievement of the financial entity’s business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; is considered in that context;

    2. sets clear roles and responsibilities for all ICT-related tasks;

    3. sets out information security objectives and ICT requirements;

    4. approves, oversees, and periodically reviews:

      1. the classification of information assetsmeans a collection of information, either tangible or intangible, that is worth protecting; of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies;

      2. the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554;

    5. allocates and reviews at least once a year the budget necessary to fulfil the financial entity’s digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; training and ICT skills for all staff;

    6. specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; the financial entity is exposed to;

    7. identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assetsmeans a collection of information, either tangible or intangible, that is worth protecting; and ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;;

    8. ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and its impact on the operations of the financial entity, commensurate to the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; being managed;

    9. establishes reporting arrangements, including the frequency, form, and content of reporting to the management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; on the information security and digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;.

  3. The financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management requirements to ICT intra-group or ICT third-party service providersmeans an undertaking providing ICT services;. In case of such outsourcing, financial entitiesas defined in Article 2, points (a) to (t) shall remain fully responsible for the verification of compliance with the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management requirements.

  4. The financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions.

  5. The financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall ensure that their simplified ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework is subject to an internal audit by auditors, in line with the financial entities’ audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; of the financial entity.

  6. Based on the outcome of the audit referred to in paragraph 5, the financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings.