ICT risk management


Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:

  (a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;

  (b) a procedure and a methodology to conduct the ICT risk assessment, identifying:

    (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;

    (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);

  (c) the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);

  (d) for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):

    (i) provisions on the identification of those residual ICT risks;

    (ii) the assignment of roles and responsibilities regarding:

      (1) the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a);

      (2) the review process referred to in point (iv) of this point (d);

    (iii) the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;

    (iv) provisions on the review of the accepted residual ICT risks at least once a year, including:

      (1) the identification of any changes to the residual ICT risks;

      (2) the assessment of available mitigation measures;

      (3) the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;

  (e) provisions on the monitoring of:

    (i) any changes to the ICT risk and cyber threat landscape;

    (ii) internal and external vulnerabilities and threats;

    (iii) the ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile;

  (f) provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.

For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:

  (a) the monitoring of the effectiveness of the ICT risk treatment measures implemented;

  (b) the assessment of whether the established risk tolerance levels of the financial entity have been attained;

  (c) the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.