Classification of information assets and ICT assets


  1. As part of the simplified ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, the information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity supporting them and their interdependencies. Financial entitiesas defined in Article 2, points (a) to (t) shall review that identification and classification as needed.

  2. The financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall identify all critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law supported by ICT third-party service providersan undertaking providing ICT services.