ICT asset management policy


  1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entitiesas defined in Article 2, points (a) to (t) shall develop, document, and implement a policy on management of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;.

  2. The policy on management of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; referred to in paragraph 1 shall:

    1. prescribe the monitoring and management of the lifecycle of ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;

    2. prescribe that the financial entity keeps records of all of the following:

      1. the unique identifier of each ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity;;

      2. information on the location, either physical or logical, of all ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;;

      3. the classification of all ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;, as referred to in Article 8(1) of Regulation (EU) 2022/2554.A typographical error has been corrected here. The original authentic source said: Article 8(1) of Regulation (EU) 2022/2254;

      4. the identity of ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity; owners;

      5. the business functions or services supported by the ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity;;

      6. the ICT business continuity requirements, including recovery time objectives and recovery point objectives;

      7. whether the ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity; can be or is exposed to external networks, including the internet;

      8. the links and interdependencies among ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; and the business functions using each ICT assetmeans a software or hardware asset in the network and information systems used by the financial entity;;

      9. where applicable, for all ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity;, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; are no longer supported by their supplier or by an ICT third-party service providermeans an undertaking providing ICT services;;

    3. for financial entitiesas defined in Article 2, points (a) to (t) other than microenterprisesmeans a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;, prescribe that those financial entitiesas defined in Article 2, points (a) to (t) keep records of the information necessary to perform a specific ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment on all legacy ICT systemsmeans an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity; referred to in Article 8(7) of Regulation (EU) 2022/2554.