ICT risk management


Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:

  (a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;

  (b) a procedure and a methodology to conduct the ICT risk assessment, identifying:

    (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;

    (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);

  (c) the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);

  (d) for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):

    (i) provisions on the identification of those residual ICT risks;

    (ii) the assignment of roles and responsibilities regarding:

      (1) the acceptance of the residual ICT risks that exceed the financial entity's risk tolerance level referred to in point (a);

      (2) the review process referred to in point (iv) of this point (d);

    (iii) the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;

    (iv) provisions on the review of the accepted residual ICT risks at least once a year, including:

      (1) the identification of any changes to the residual ICT risks;

      (2) the assessment of available mitigation measures;

      (3) the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;

  (e) provisions on the monitoring of:

    (i) any changes to the ICT risk and cyber threat landscape;

    (ii) internal and external vulnerabilities and threats;

    (iii) ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile;

  (f) provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.

For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:

  (a) the monitoring of the effectiveness of the ICT risk treatment measures implemented;

  (b) the assessment of whether the established risk tolerance levels of the financial entity have been attained;

  (c) the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.
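As an added illustration (not part of the Regulation or any supervisory guidance), the following Python sketch models the procedure above as a risk register: impact and likelihood indicators per asset and threat, treatment measures that reduce them, a tolerance level against which the residual score is compared, an inventory of accepted residual risks that each carry an owner and justification, and an annual-review check. The 1..5 scales, the tolerance value, the interval and every register entry are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed: residual score (impact x likelihood, each 1..5) above this
# value exceeds the approved risk tolerance level (point (a)).
RISK_TOLERANCE = 6
REVIEW_INTERVAL = timedelta(days=365)  # accepted residual risks reviewed at least yearly

@dataclass
class Risk:
    asset: str              # ICT asset supporting a business function
    threat: str             # vulnerability or threat affecting that asset
    impact: int             # qualitative indicator, 1 (low) .. 5 (severe)
    likelihood: int         # qualitative indicator, 1 (rare) .. 5 (frequent)
    # treatment measures as (name, impact reduction, likelihood reduction)
    treatments: list = field(default_factory=list)
    accepted_by: Optional[str] = None       # role that accepted the residual risk
    justification: Optional[str] = None     # reason recorded in the inventory
    accepted_on: Optional[date] = None      # date of acceptance, drives the review

    def inherent_score(self) -> int:
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        """Score remaining after every treatment measure is applied (floor of 1)."""
        imp, lik = self.impact, self.likelihood
        for _name, d_imp, d_lik in self.treatments:
            imp, lik = max(1, imp - d_imp), max(1, lik - d_lik)
        return imp * lik

    def exceeds_tolerance(self) -> bool:
        return self.residual_score() > RISK_TOLERANCE

def inventory_of_accepted(register: list) -> list:
    """Residual risks above tolerance; each must carry an acceptance record."""
    out = []
    for r in register:
        if r.exceeds_tolerance():
            if not (r.accepted_by and r.justification and r.accepted_on):
                raise ValueError(f"{r.asset}/{r.threat}: residual {r.residual_score()} "
                                 f"exceeds tolerance {RISK_TOLERANCE} without acceptance")
            out.append(r)
    return out

def due_for_review(register: list, today: date) -> list:
    """Accepted residual risks whose yearly review is overdue as of `today`."""
    return [r for r in inventory_of_accepted(register)
            if today - r.accepted_on >= REVIEW_INTERVAL]

def sample_register() -> list:
    """Constructed entries; assets, threats and scores are illustrative only."""
    return [Risk("payments gateway", "unpatched TLS library", 5, 4,
                 treatments=[("patch within SLA", 0, 3)]),             # 20 -> 5
            Risk("legacy reporting host", "end-of-life OS", 4, 4,
                 treatments=[("network segmentation", 1, 1)],           # 16 -> 9
                 accepted_by="CISO", justification="decommission planned",
                 accepted_on=date(2023, 1, 10))]
```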