Event Identification for Logging
1. Overview
Event Identification for Logging
Identify events to be logged, covering logical access, physical access, identity management, capacity management, change management, ICT operation (including system activity), and network traffic activities (including network performance). Determine the level of detail for the logs, aligning with the purpose for which the logs were created and to enable effective detection of anomalous activities. Define retention periods for logs, considering business and security objectives, the purpose of recording logs, and risk assessments.
*Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Regulations
Source: DORA. Regulation: DORA Ch. II Sec. II Art. 10 1.
1. Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.

Source: DORA. Regulation: DORA Ch. II Sec. II Art. 10 2.
2. The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.

Source: DORA. Regulation: DORA Ch. II Sec. II Art. 10 3.
3. Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.

Source: DORA. Regulation: DORA Ch. II Sec. II Art. 10 4.
4. Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 9, 1
1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following:
- (a) the identification of capacity requirements of their ICT systems;
- (b) the application of resource optimisation;
- (c) the monitoring procedures for maintaining and improving:
- (i) the availability of data and ICT systems;
- (ii) the efficiency of ICT systems;
- (iii) the prevention of ICT capacity shortages.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 9, 2
2. The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 12, 1
1. Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 12, 2
2. The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following:
- (a) the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created;
- For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment.
- (b) the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24;
- (c) the requirement to log events related to all of the following:
- (i) logical and physical access control, as referred to in Article 21, and identity management;
- (ii) capacity management;
- (iii) change management;
- (iv) ICT operations, including ICT system activities;
- (v) network traffic activities, including ICT network performance;
- (d) measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use;
- (e) measures to detect a failure of logging systems;
- (f) without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity’s ICT systems upon a documented reliable reference time source.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. III Art. 23, 2
2. The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:
- (a) collect, monitor, and analyse all of the following:
- (i) internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
- (ii) potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
- (iii) ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
- (b) identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
- For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
- (c) prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
- (d) record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
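As an added example (not part of the regulation text and not the code of any product), the following Python shows what "automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection" (Art. 23(2)(b), second subparagraph) can look like in practice, together with the tamper protection, logging-failure detection and clock-synchronisation checks of Art. 12(2)(d) to (f), and the occurrence/detection timestamps of Art. 23(4). It hash-chains log records so that an edited or deleted record breaks verification, flags gaps in per-source sequence numbers, raises a logging failure when a source stays silent beyond a threshold, and flags records whose own timestamp differs from the collector's receive time by more than a tolerance. The source names, thresholds, sequence numbers and log records are all constructed for the demonstration.

```python
"""Added example, not text from the regulation or from any product: rule-based checks
over a constructed log feed that alert on tampered or missing records, a silent log
source and clock skew, each alert carrying both occurrence and detection time.
Source names, thresholds, seq numbers and records are assumptions for the demo."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is deterministic
# Assumed policy: how long a source may stay silent before a logging failure is raised
# (Art. 12(2)(e)) and the tolerated offset between a record's own timestamp and the
# collector's receive time (clock synchronisation, Art. 12(2)(f)).
MAX_SILENCE = {"fw-edge-01": timedelta(minutes=5), "iam-prod": timedelta(minutes=15)}
MAX_CLOCK_SKEW = timedelta(seconds=30)
GENESIS = "0" * 64


def chain_hash(prev_hash: str, record: dict) -> str:
    """Hash-chain each record to its predecessor: the digest covers the previous hash plus
    the record's canonical JSON (hash field excluded), so editing or deleting a record
    breaks verification of the records that follow (tamper evidence, Art. 12(2)(d))."""
    body = json.dumps({k: v for k, v in record.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = dict(record, hash=chain_hash(prev, record))
    chain.append(rec)
    return rec


def alert(kind: str, source: str, occurred: datetime, detected: datetime, detail: str) -> dict:
    # Art. 23(4)(a)/(b): record both when the anomaly occurred and when it was detected.
    return {"kind": kind, "source": source, "occurred": occurred.isoformat(),
            "detected": detected.isoformat(), "detail": detail}


def check_feed(chain: list, now: datetime) -> list:
    """Pre-defined rules for completeness and integrity of log collection (Art. 23(2)(b))."""
    alerts, prev_hash, last_seen, last_seq = [], GENESIS, {}, {}
    for rec in chain:
        src, occurred = rec["source"], datetime.fromisoformat(rec["ts"])
        received = datetime.fromisoformat(rec["received"])
        if rec["hash"] != chain_hash(prev_hash, rec):  # edited in place, or predecessor removed
            alerts.append(alert("integrity", src, occurred, now, f"hash mismatch at seq {rec['seq']}"))
        prev_hash = rec["hash"]
        if src in last_seq and rec["seq"] != last_seq[src] + 1:  # missing records from this source
            alerts.append(alert("completeness", src, occurred, now,
                                f"sequence gap {last_seq[src]} -> {rec['seq']}"))
        last_seq[src] = rec["seq"]
        if abs(received - occurred) > MAX_CLOCK_SKEW:  # source clock disagrees with collector clock
            alerts.append(alert("clock", src, occurred, now, f"skew {received - occurred}"))
        last_seen[src] = max(last_seen.get(src, occurred), occurred)
    for src, limit in MAX_SILENCE.items():  # logging failure: a known source has gone quiet
        seen = last_seen.get(src)
        if seen is None or now - seen > limit:
            since = seen + limit if seen else now
            alerts.append(alert("logging-failure", src, since, now, "source silent beyond threshold"))
    return alerts


def build_clean_chain(now: datetime) -> list:
    """Constructed feed: iam-prod stops 24 minutes before now; fw-edge-01 is still live."""
    records = [("iam-prod", 0, 25, 1), ("iam-prod", 1, 24, 120),  # second record: 120 s offset
               ("fw-edge-01", 0, 4, 2), ("fw-edge-01", 1, 3, 2),
               ("fw-edge-01", 2, 2, 2), ("fw-edge-01", 3, 1, 2)]
    chain = []
    for src, seq, minutes_ago, delay_s in records:
        ts = now - timedelta(minutes=minutes_ago)
        append_record(chain, {"ts": ts.isoformat(), "source": src, "seq": seq,
                              "received": (ts + timedelta(seconds=delay_s)).isoformat(),
                              "event": "sample event"})
    return chain


def build_tampered_chain(now: datetime) -> list:
    """Same feed after someone edits fw-edge-01 seq 1 in place and deletes seq 2."""
    chain = build_clean_chain(now)
    chain[3]["event"] = "edited after the fact"  # content changed, stored hash left alone
    del chain[4]
    return chain


if __name__ == "__main__":
    for a in check_feed(build_tampered_chain(NOW), NOW):
        print(json.dumps(a))
```

On the clean feed only the clock-skew rule and the silent iam-prod source fire; on the tampered feed the edited record and the record after the deleted one both fail chain verification, and the deletion also shows up as a sequence gap. A timestamp offset above the tolerance may be transport delay or buffering rather than a bad clock, so the threshold has to be tuned per source, and in production the chain anchor (the latest hash) must itself be stored where the log writer cannot alter it, or the chain only proves self-consistency.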

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. III Art. 23, 3
3. Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.

Source: DORA. Regulation: RTS ICT Risk Management T. II Ch. III Art. 23, 4
4. Financial entities shall log all relevant information for each detected anomalous activity enabling:
- (a) the identification of the date and time of occurrence of the anomalous activity;
- (b) the identification of the date and time of detection of the anomalous activity;