2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:

• (a) an ICT assets description, including all of the following:
  • (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
  • (ii) requirements regarding the management of information assets used by ICT assets, including their processing
    and handling, both automated and manual;
  • (iii) requirements regarding the identification and control of legacy ICT systems;
• (b) controls and monitoring of ICT systems, including all of the following:
  • (i) backup and restore requirements of ICT systems;
  • (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;
  • (iii) protocols for audit-trail and system log information;
  • (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to
    business operations;
  • (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
    • For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).
  • (vi) requirements to conduct the development and testing in environments which are separated from the production environment;
  • (vii) requirements to conduct the development and testing in production environments;
    • For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.
• (c) error handling concerning ICT systems, including all of the following:
  • (i) procedures and protocols for handling errors;
  • (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
  • (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements:

• (a) a verification of whether the ICT security requirements have been met;
• (b) mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes;
• (c) a clear description of the roles and responsibilities to ensure that:
  • (i) changes are specified and planned;
  • (ii) an adequate transition is designed;
  • (iii) the changes are tested and finalised in a controlled manner;
  • (iv) there is an effective quality assurance;
• (d) the documentation and communication of change details, including:
  • (i) the purpose and scope of the change;
  • (ii) the timeline for the implementation of the change;
  • (iii) the expected outcomes;
• (e) the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented;
• (f) procedures, protocols, and tools to manage emergency changes that provide adequate safeguards;
• (g) procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches;
• (h) the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures.

2. After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions.
Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:

• (a) clearing members and clients;
• (b) interoperable central counterparties;
• (c) other interested parties,

Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph:

• (a) users;
• (b) critical utilities and critical service providers;
• (c) other central securities depositories;
• (d) other market infrastructures;
• (e) any other institutions with which central securities depositories have identified interdependencies in their ICT
  business continuity policy.