Business Continuity Oversight

1. Overview

The management body reviews and approves periodically (e.g. annually) the ICT business continuity policy and the ICT response and recovery plans.

1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

Requirements

| Source | Requirement |
| --- | --- |

3. Related Regulations

Regulations (Source | Regulation)

Source: DORA
Regulation: DORA Ch. II Sec. I Art. 5 1.
1. Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.

Source: DORA
Regulation: DORA Ch. II Sec. I Art. 5 2.
2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).
For the purposes of the first subparagraph, the management body shall:
- (a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
- (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
- (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
- (d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b);
- (e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
- (f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
- (g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
- (h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
- (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
  - (i) arrangements concluded with ICT third-party service providers on the use of ICT services,
  - (ii) any relevant planned material changes regarding the ICT third-party service providers,
  - (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.

Source: DORA
Regulation: DORA Ch. II Sec. I Art. 5 3.
3. Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.

Source: DORA
Regulation: DORA Ch. II Sec. I Art. 5 4.
4. Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 6 8.
8. The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:
- (a) explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;
- (b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
- (c) setting out clear information security objectives, including key performance indicators and key risk metrics;
- (d) explaining the ICT reference architecture and any changes needed to reach specific business objectives;
- (e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
- (f) evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
- (g) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
- (h) outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required in accordance with Article 14.

Source: DORA
Regulation: DORA Ch. II Sec. II Art. 13 4.
4. Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance the cyber maturity and preparedness of the financial entity.