Inclusion of Third-Party Providers
1. Overview
Incorporate ICT third-party service providers as participants in relevant training programmes, where appropriate. Third parties shall be informed of the ICT security policies, procedures and protocols and made aware of the reporting channels put in place for detecting anomalous activities. Upon termination of employment or of the contract, third parties are required to return all ICT assets and information assets that belong to the financial entity.
1.1 References
2. Identified Requirements
3. Related Regulations
2. Identified Requirements
Requirements
| Source | Requirement |
|---|---|
3. Related Regulations
Regulations

Source: DORA
Regulation: DORA Ch. II Sec. I Art. 5 2.
2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).
For the purposes of the first subparagraph, the management body shall:
- (a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
- (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
- (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
- (d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b);
- (e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
- (f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
- (g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
- (h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
- (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
  - (i) arrangements concluded with ICT third-party service providers on the use of ICT services,
  - (ii) any relevant planned material changes regarding the ICT third-party service providers,
  - (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 13 6.
6. Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. II Art. 19, 1
Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements:
- (a) the identification and assignment of any specific ICT security responsibilities;
- (b) requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to:
  - (i) be informed about, and adhere to, the financial entity’s ICT security policies, procedures, and protocols;
  - (ii) be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the Council (11);
  - (iii) for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity.