Annual Framework Review and Audit Process

1. Overview
The effectiveness of the risk management framework is monitored through the risk exposure, over time, of critical or important business functions. Implement a review and audit process that reviews the framework at least yearly, with additional reviews triggered by major ICT incidents, regulator instructions, or major audit findings.
The tasks of verifying compliance with ICT risk management requirements may be outsourced to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Regulations

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 1.
1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 2.
2. The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 3.
3. In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 4.
4. Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 5.
5. The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 7.
7. Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 9.
9. Financial entities may, in the context of the digital operational resilience strategy referred to in paragraph 8, define a holistic ICT multi-vendor strategy, at group or entity level, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 10.
10. Financial entities may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 8 1.
1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 9 1.
1. For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 9 4.
4. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall:
- (a) develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;
- (b) following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks;
  For the purposes of the first subparagraph, point (b), financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes.
- (c) implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
- (d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;
- (e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
  For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.
- (f) have appropriate and comprehensive documented policies for patches and updates.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 11 1.
1. As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 11 3.
3. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 11 6.
6. As part of their comprehensive ICT risk management, financial entities shall:
- (a) test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functions;
  For the purposes of the first subparagraph, point (a), financial entities, other than microenterprises, shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.
- (b) test the crisis communication plans established in accordance with Article 14.
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 12 1.
1. For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, as part of their ICT risk management framework, financial entities shall develop and document:
- (a) backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data;
- (b) restoration and recovery procedures and methods.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 12 2.
2. Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the network and information systems or the availability, authenticity, integrity or confidentiality of data. Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 12 3.
3. When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary.
For central counterparties, the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date.
Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 13 3.
3. Lessons derived from the digital operational resilience testing carried out in accordance with Articles 26 and 27 and from real life ICT-related incidents, in particular cyber-attacks, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT risk assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the ICT risk management framework referred to in Article 6(1).

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 13 5.
5. Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 13 7.
7. Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 14 2.
2. As part of the ICT risk management framework, financial entities shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed.

Source: DORA
Regulation: DORA Ch. IV Art. 24 1.
1. For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.

Source: DORA
Regulation: DORA Ch. V Sec. I Art. 28 2.
2. As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.

Source: DORA
Regulation: DORA Ch. V Sec. I Art. 28 3.
3. As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.
Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

Source: DORA
Regulation: RTS ICT Risk Management T. I Art. 1 Overall risk profile and complexity
When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to:
- (a) encryption and cryptography;
- (b) ICT operations security;
- (c) network security;
- (d) ICT project and change management;
- (e) the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity’s activities.

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 1 Art. 2, 1
Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:
- (a) ensure the security of networks;
- (b) contain safeguards against intrusions and data misuse;
- (c) preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
- (d) guarantee an accurate and prompt data transmission without major disruptions and undue delays.

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 1 Art. 2, 2
Financial entities shall ensure that the ICT security policies referred to in paragraph 1:
- (a) are aligned to the financial entity’s information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
- (b) indicate the date of the formal approval of the ICT security policies by the management body;
- (c) contain indicators and measures to:
  - (i) monitor the implementation of the ICT security policies, procedures, protocols, and tools;
  - (ii) record exceptions from that implementation;
  - (iii) ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
- (d) specify the responsibilities of staff at all levels to ensure the financial entity’s ICT security;
- (e) specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
- (f) list the documentation to be maintained;
- (g) specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
- (h) consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
- (i) identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
- (j) are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
- (k) take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 2 Art. 3, 1
Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:
- (a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;
- (b) a procedure and a methodology to conduct the ICT risk assessment, identifying:
  - (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;
  - (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);
- (c) the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);
- (d) for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):
  - (i) provisions on the identification of those residual ICT risks;
  - (ii) the assignment of roles and responsibilities regarding:
    - (1) the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a);
    - (2) for the review process referred to in point (iv) of this point (d);
  - (iii) the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;
  - (iv) provisions on the review of the accepted residual ICT risks at least once a year, including:
    - (1) the identification of any changes to the residual ICT risks;
    - (2) the assessment of available mitigation measures;
    - (3) the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;
- (e) provisions on the monitoring of:
  - (i) any changes to the ICT risk and cyber threat landscape;
  - (ii) internal and external vulnerabilities and threats;
  - (iii) ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile;
- (f) provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 8, 1
1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations.

Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 8, 2
2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:
- (a) an ICT assets description, including all of the following:
  - (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
  - (ii) requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual;
  - (iii) requirements regarding the identification and control of legacy ICT systems;
- (b) controls and monitoring of ICT systems, including all of the following:
  - (i) backup and restore requirements of ICT systems;
  - (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;
  - (iii) protocols for audit-trail and system log information;
  - (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations;
  - (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
    For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).
  - (vi) requirements to conduct the development and testing in environments which are separated from the production environment;
  - (vii) requirements to conduct the development and testing in production environments;
    For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.
- (c) error handling concerning ICT systems, including all of the following:
  - (i) procedures and protocols for handling errors;
  - (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
  - (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.