The policy on management of ICT assets referred to in paragraph 1 shall:

• (a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
• (b) prescribe that the financial entity keeps records of all of the following:
  • (i) the unique identifier of each ICT asset;
  • (ii) information on the location, either physical or logical, of all ICT assets;
  • (iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;
  • (iv) the identity of ICT asset owners;
  • (v) the business functions or services supported by the ICT asset;
  • (vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
  • (vii) whether the ICT asset can be or is exposed to external networks, including the internet;
  • (viii) the links and interdependencies among ICT assets and the business functions using each ICT asset;
  • (ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
• (c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.