2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:

• (a) an ICT assets description, including all of the following:
  • (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
  • (ii) requirements regarding the management of information assets used by ICT assets, including their processing
    and handling, both automated and manual;
  • (iii) requirements regarding the identification and control of legacy ICT systems;
• (b) controls and monitoring of ICT systems, including all of the following:
  • (i) backup and restore requirements of ICT systems;
  • (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;
  • (iii) protocols for audit-trail and system log information;
  • (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to
    business operations;
  • (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
    • For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).
  • (vi) requirements to conduct the development and testing in environments which are separated from the production environment;
  • (vii) requirements to conduct the development and testing in production environments;
    • For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.
• (c) error handling concerning ICT systems, including all of the following:
  • (i) procedures and protocols for handling errors;
  • (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
  • (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following:

• (a) the identification of capacity requirements of their ICT systems;
• (b) the application of resource optimisation;
• (c) the monitoring procedures for maintaining and improving:
  • (i) the availability of data and ICT systems;
  • (ii) the efficiency of ICT systems;
  • (iii) the prevention of ICT capacity shortages.

2. The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following:

• (a) the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created;
  • For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment.
• (b) the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24;
• (c) the requirement to log events related to all of the following:
  • (i) logical and physical access control, as referred to in Article 21, and identity management;
  • (ii) capacity management;
  • (iii) change management;
  • (iv) ICT operations, including ICT system activities;
  • (v) network traffic activities, including ICT network performance;
• (d) measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use;
• (e) measures to detect a failure of logging systems;
• (f) without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity’s ICT systems upon a documented reliable reference time source.