ICT systems, protocols and tools

In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:

• (a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
• (b) reliable;
• (c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
• (d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

5.   Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.

The policy on management of ICT assets referred to in paragraph 1 shall:

• (a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
• (b) prescribe that the financial entity keeps records of all of the following:
  • (i) the unique identifier of each ICT asset;
  • (ii) information on the location, either physical or logical, of all ICT assets;
  • (iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;
  • (iv) the identity of ICT asset owners;
  • (v) the business functions or services supported by the ICT asset;
  • (vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
  • (vii) whether the ICT asset can be or is exposed to external networks, including the internet;
  • (viii) the links and interdependencies among ICT assets and the business functions using each ICT asset;
  • (ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
• (c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.

2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:

• (a) the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;
• (b) how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.