DORA Ch. II Sec. II Art. 11(1)

1. Overview
1. As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.

2. Identified Requirements
Requirements
Source | Requirement

3. Related Standards
Standards
Source | Requirement

NOREA | Critical and Important Functions
Identify, classify and adequately document all critical and important functions. This process involves determining which functions are essential for the entity's operational stability and continuity. Review the adequacy of this classification as needed, and at least yearly.

NOREA | Clear Segregation of Duties (SoD)
Establish Segregation of Duties (SoD) with regard to risk management functions, following the three lines of defence model or the internal risk management and control model.

NOREA | ICT Risk Management Framework
A sound, comprehensive and well-documented ICT risk management framework is in place. Its goal is to address all ICT risks properly and to ensure a high level of digital operational resilience. Responsibility for ICT risk management is properly assigned to a control function.
The ICT risk management framework shall be documented and reviewed at least annually (periodically for microenterprises), with immediate reviews triggered by major ICT-related incidents or supervisory feedback. Continuous improvement is ensured by incorporating lessons learned from implementation, monitoring and audits. The report of the review is prepared according to the requirements stated in chapter 5 (Article 27) of the RTS RM and is made available for submission to the competent authority upon request.
Assess new standards and relevant technology developments in the fields of information security, cybersecurity and resilience on a continuous basis, and make proposals on how they can strengthen the information security and cybersecurity control measures of the institution.

NOREA | Annual Framework Review and Audit Process
The effectiveness of the risk management framework is monitored on the basis of the risk exposure over time of critical or important business functions. Implement a review and audit process with at least a yearly review of the framework, and additional reviews triggered by major ICT-related incidents, regulator instructions or major audit findings.
The task of verifying compliance with ICT risk management requirements may be outsourced to intra-group or external undertakings. In the case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.

NOREA | Third-Party (Multi-vendor) Risk Management Program
Maintain a comprehensive third-party risk management program which includes:
- A register of information related to the use of third-party service providers, especially those supporting critical or important functions (see also control 17.3).
- A policy on the management of ICT third parties, including the criteria for determining the criticality of service providers and the internal responsibilities for managing third parties.
- Ensuring that senior management reviews the policy and designates a member to monitor relations with the third parties and the contractual arrangements.
- A (holistic) multi-vendor strategy, if deemed relevant, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.

NOREA | Business Continuity Policy
Establish an ICT business continuity policy that enables the continuity of critical or important functions, ensures rapid response to incidents, facilitates the resumption of activities and the deployment of containment measures, governs the activation and deactivation of response and recovery procedures, supports the estimation of impact, damage and losses, and provides clear communication to relevant stakeholders. Regularly review the business continuity policy and make the adjustments necessary to enhance its effectiveness.
Refer to Articles 24.2-4 of the RTS RM for the specific requirements for central counterparties, trading venues and central securities depositories.

NOREA | Crisis Management
Establish and maintain a crisis management team tasked with overseeing and coordinating actions during a crisis or major disruption. Regularly review the response and recovery plans and make the adjustments necessary to enhance their effectiveness.

NOREA | Record Keeping
Keep detailed records of activities conducted before, during and after disruptions, including the actions taken and their outcomes. Maintain an estimation of the aggregated annual costs and losses resulting from major disruptions. This information shall be reported to the regulator upon request.

NOREA | Business Impact Analysis
Perform a comprehensive Business Impact Analysis (BIA) of exposures to severe business disruptions. The BIA should use quantitative and qualitative criteria, internal and external data, and scenario analysis, as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.

NOREA | Response and Recovery
Establish comprehensive response and recovery plans encompassing short-term and long-term recovery options. These plans must thoroughly identify potential scenarios and shall duly take into account scenarios of cyber-attacks, switchovers, degradation of critical function provision, premises failure, breakdowns in ICT assets or communication infrastructure, staff unavailability, natural disasters and the impact of climate change, pandemic situations, physical attacks, insider threats, political or social instability, and power outages. Additionally, these plans must include alternative options for cases where the primary recovery measures are impractical in the short term because of cost, risk, logistics or unforeseen circumstances. Address potential failures of key ICT third-party service providers in the plans.

NOREA | Testing and Assessment
Regularly test ICT business continuity, response and recovery plans, in particular together with the third-party service providers supporting critical or important functions. Testing should take into account the financial entity's BIA and ICT risk assessment, and should take place at least yearly and whenever there are significant changes to the systems supporting critical or important functions. Tests must be based on realistic scenarios and cover scenarios such as cyber-attacks, insolvency or failure of a third party, backup restores, and switchover between the primary and redundant processing sites. The testing shall verify whether at least the critical or important functions can be operated appropriately for a sufficient period of time and whether the normal functioning of the business process can be restored. Also test the crisis communication plans to ensure effective communication during a crisis or major disruption. Document the test results and report any deficiencies identified by the tests to the management body.
Refer to Articles 24.2-3 of the RTS RM for the specific requirements for central counterparties and central securities depositories.

NOREA | Protection Measures
Implement policies and procedures to protect all information, ICT assets, and relevant physical ICT components and infrastructures. At least the following policies shall be established and maintained:
- Security policy
- Human resources policy
- Encryption and cryptographic control policy
- Identity and access management (IAM) policy
- Change management policy
- Network security policy
- ICT operating policies and procedures
- (Crisis) communication policy
- Vulnerability and patch management policy
- Backup policy
- Project management policy
- Physical and environmental security policy
- Business continuity policy with response and recovery plans (including testing plans), see control 1.4 *
- ICT third-party service provider management policy, see control 1.1 *
- Operations of ICT assets (ensuring network security, protecting against intrusions and data misuse, and defining how the entity operates, monitors, controls and restores ICT assets, including the documentation of ICT operations)
* must be approved by the management body