The requirements for financial entities that are subject to the simplified ICT risk management framework referred to in Article 16 of Regulation (EU) 2022/2554 should be focused on those essential areas and elements that, in light of the scale, risk, size, and complexity of those financial entities, are as a minimum necessary to ensure the confidentiality, integrity, availability, and authenticity of the data and services of those financial entities. In that context, those financial entities should have in place an internal governance and control framework with clear responsibilities to enable an effective and sound risk management framework. Furthermore, to reduce the administrative and operational burden, those financial entities should develop and document only one policy, that is an information security policy, that specifies the high-level principles and rules necessary to protect the confidentiality, integrity, availability, and authenticity of data and of the services of those financial entities.