proportionality

Financial entitiesas defined in Article 2, points (a) to (t) shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment, in accordance with Article 6(4), in order to achieve a high level of digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

The management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1).

For the purposes of the first subparagraph, the management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law shall:

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providersan undertaking providing ICT services on the use of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.

Members of the management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment being managed.

Financial entitiesas defined in Article 2, points (a) to (t) shall have a sound, comprehensive and well-documented ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework as part of their overall risk management system, which enables them to address ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment quickly, efficiently and comprehensively and to ensure a high level of digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

The ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity are adequately protected from risks including damage and unauthorised access or usage.

In accordance with their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) shall minimise the impact of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment and on their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework to the competent authoritiesas defined in Article 46 upon their request.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall assign the responsibility for managing and overseeing ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entitiesas defined in Article 2, points (a) to (t) shall ensure appropriate segregation and independence of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.

The ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, as well as upon the occurrence of major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity, and following supervisory instructions or conclusions derived from relevant digital operational resilience testingas defined in Article 24 or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework shall be submitted to the competent authorityas defined in Article 46 upon its request.

The ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework of financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment of the financial entity.

Based on the conclusions from the internal audit review, financial entitiesas defined in Article 2, points (a) to (t) shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.

The ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework shall include a digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy setting out how the framework shall be implemented. To that end, the digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy shall include methods to address ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment and attain specific ICT objectives, by:

Financial entitiesas defined in Article 2, points (a) to (t) may, in the context of the digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy referred to in paragraph 8, define a holistic ICT multi-vendor strategy, at groupa group as defined in Article 2, point (11), of Directive 2013/34/EU or entity level, showing key dependencies on ICT third-party service providersan undertaking providing ICT services and explaining the rationale behind the procurement mix of ICT third-party service providersan undertaking providing ICT services.

Financial entitiesas defined in Article 2, points (a) to (t) may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management requirements to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management requirements.

In order to address and manage ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment, financial entitiesas defined in Article 2, points (a) to (t) shall use and maintain updated ICT systems, protocols and tools that are:

Financial entitiesas defined in Article 2, points (a) to (t) shall, on a continuous basis, identify all sources of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment, in particular the risk exposure to and from other financial entitiesas defined in Article 2, points (a) to (t), and assess cyber threatsas defined in Article 2, point (8), of Regulation (EU) 2019/881 and ICT vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited relevant to their ICT supported business functions, information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity. Financial entitiesas defined in Article 2, points (a) to (t) shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall perform a risk assessment upon each major change in the network and information systema network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555 infrastructure, in the processes or procedures affecting their ICT supported business functions, information assetsa collection of information, either tangible or intangible, that is worth protecting or ICT assetsa software or hardware asset in the network and information systems used by the financial entity.

Financial entitiesas defined in Article 2, points (a) to (t) shall identify all information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity and the links and interdependencies between the different information assetsa collection of information, either tangible or intangible, that is worth protecting and ICT assetsa software or hardware asset in the network and information systems used by the financial entity.

Financial entitiesas defined in Article 2, points (a) to (t) shall identify and document all processes that are dependent on ICT third-party service providersan undertaking providing ICT services, and shall identify interconnections with ICT third-party service providersan undertaking providing ICT services that provide services that support critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

For the purposes of paragraphs 1, 4 and 5, financial entitiesas defined in Article 2, points (a) to (t) shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall on a regular basis, and at least yearly, conduct a specific ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment assessment on all legacy ICT systemsan ICT system that has reached the end of its lifecycle (end-of- life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity and, in any case before and after connecting technologies, applications or systems.

For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entitiesas defined in Article 2, points (a) to (t) shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

Financial entitiesas defined in Article 2, points (a) to (t) shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

In order to achieve the objectives referred to in paragraph 2, financial entitiesas defined in Article 2, points (a) to (t) shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall:

As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1), financial entitiesas defined in Article 2, points (a) to (t) shall:

For the purposes of the first subparagraph, point (b), financial entitiesas defined in Article 2, points (a) to (t) shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes.

For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.

Financial entitiesas defined in Article 2, points (a) to (t) shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, and to identify potential material single points of failure.

All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.

The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity response.

Financial entitiesas defined in Article 2, points (a) to (t) shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.

Data reporting service providersa data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereof shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.

As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entitiesas defined in Article 2, points (a) to (t) shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.

Financial entitiesas defined in Article 2, points (a) to (t) shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:

As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1), financial entitiesas defined in Article 2, points (a) to (t) shall implement associated ICT response and recovery plans which, in the case of financial entitiesas defined in Article 2, points (a) to (t) other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall be subject to independent internal audit reviews.

Financial entitiesas defined in Article 2, points (a) to (t) shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law outsourced or contracted through arrangements with ICT third-party service providersan undertaking providing ICT services.

As part of the overall business continuity policy, financial entitiesas defined in Article 2, points (a) to (t) shall conduct a business impact analysis (BIAbusiness impact analysis) of their exposures to severe business disruptions. Under the BIAbusiness impact analysis, financial entitiesas defined in Article 2, points (a) to (t) shall assess the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIAbusiness impact analysis shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assetsa collection of information, either tangible or intangible, that is worth protecting, and their interdependencies. Financial entitiesas defined in Article 2, points (a) to (t) shall ensure that ICT assetsa software or hardware asset in the network and information systems used by the financial entity and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services are designed and used in full alignment with the BIAbusiness impact analysis, in particular with regard to adequately ensuring the redundancy of all critical components.

As part of their comprehensive ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management, financial entitiesas defined in Article 2, points (a) to (t) shall:

For the purposes of the first subparagraph, point (a), financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall include in the testing plans scenarios of cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.

Financial entitiesas defined in Article 2, points (a) to (t) shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, shall, inter alia, set out clear procedures to manage internal and external crisis communications in accordance with Article 14.

Financial entitiesas defined in Article 2, points (a) to (t) shall keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated.

Central securities depositoriesa central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 shall provide the competent authoritiesas defined in Article 46 with copies of the results of the ICT business continuity tests, or of similar exercises.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall report to the competent authoritiesas defined in Article 46, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.

In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAsEuropean Supervisory Authority, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, shall by 17 July 2024 develop common guidelines on the estimation of aggregated annual costs and losses referred to in paragraph 10.

For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, as part of their ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) shall develop and document:

Financial entitiesas defined in Article 2, points (a) to (t) shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the network and information systemsa network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555 or the availability, authenticity, integrity or confidentiality of data. Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically.

When restoring backup data using own systems, financial entitiesas defined in Article 2, points (a) to (t) shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary.

For central counterpartiesa central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012, the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the central counterpartya central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012 to continue to operate with certainty and to complete settlement on the scheduled date.

Data reporting service providersa data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereof shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs. Microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million shall assess the need to maintain such redundant ICT capacities based on their risk profile.

Central securities depositoriesa central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.

The secondary processing site shall be:

In determining the recovery time and recovery point objectives for each function, financial entitiesas defined in Article 2, points (a) to (t) shall take into account whether it is a critical or important functiona function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.

When recovering from an ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, financial entitiesas defined in Article 2, points (a) to (t) shall perform necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained. These checks shall also be performed when reconstructing data from external stakeholders, in order to ensure that all data is consistent between systems.

Financial entitiesas defined in Article 2, points (a) to (t) shall have in place capabilities and staff to gather information on vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited and cyber threatsas defined in Article 2, point (8), of Regulation (EU) 2019/881, ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset, and analyse the impact they are likely to have on their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

Financial entitiesas defined in Article 2, points (a) to (t) shall put in place post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews after a major ICT-related incidentan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall, upon request, communicate to the competent authoritiesas defined in Article 46, the changes that were implemented following post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews as referred to in the first subparagraph.

The post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:

Lessons derived from the digital operational resilience testingas defined in Article 24 carried out in accordance with Articles 26 and 27 and from real life ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1).

Financial entitiesas defined in Article 2, points (a) to (t) shall monitor the effectiveness of the implementation of their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy set out in Article 6(8). They shall map the evolution of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment over time, analyse the frequency, types, magnitude and evolution of ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset and their patterns, with a view to understanding the level of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment exposure, in particular in relation to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, and enhance the cyber maturity and preparedness of the financial entity.

Senior ICT staff shall report at least yearly to the management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law on the findings referred to in paragraph 3 and put forward recommendations.

Financial entitiesas defined in Article 2, points (a) to (t) shall develop ICT security awareness programmes and digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entitiesas defined in Article 2, points (a) to (t) shall also include ICT third-party service providersan undertaking providing ICT services in their relevant training schemes in accordance with Article 30(2), point (i).

Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions. They shall keep up-to-date with the latest ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management processes, in order to effectively combat current or new forms of cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.

As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1), financial entitiesas defined in Article 2, points (a) to (t) shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity or vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited to clients and counterparts as well as to the public, as appropriate.

As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management, in particular the staff responsible for response and recovery, and staff that needs to be informed.

At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity and fulfil the public and media function for that purpose.

The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to:

When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, while duly taking into consideration any specific feature arising from the distinct nature of activities across different financial services sectors.

The ESAsEuropean Supervisory Authority shall submit those draft regulatory technical standards to the Commission by 17 January 2024.

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

The ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in paragraph 1, second subparagraph, point (a), shall be documented and reviewed periodically and upon the occurrence of major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity in compliance with supervisory instructions. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework shall be submitted to the competent authorityas defined in Article 46 upon its request.

The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, in consultation with the ENISA, develop common draft regulatory technical standards in order to:

When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.

The ESAsEuropean Supervisory Authority shall submit those draft regulatory technical standards to the Commission by 17 January 2024.

Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:

For the purpose of assessing preparedness for handling ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, of identifying weaknesses, deficiencies and gaps in digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions, and of promptly implementing corrective measures, financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testingas defined in Article 24 programme as an integral part of the ICT risk-management framework referred to in Article 6.

When conducting the digital operational resilience testingas defined in Article 24 programme referred to in paragraph 1 of this Article, financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assetsa collection of information, either tangible or intangible, that is worth protecting and of services provided, as well as any other factor the financial entity deems appropriate.

The digital operational resilience testingas defined in Article 24 programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerabilitya weakness, susceptibility or flaw of an asset, system, process or control that can be exploited assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.

specific ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment profile, level of ICT maturity of the financial entity or technology features involved.

For ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, financial entitiesas defined in Article 2, points (a) to (t) shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providersan undertaking providing ICT services, in particular a possible failure on their part, a deterioration of the quality of the ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services provided, any business disruption due to inappropriate or failed provision of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providersan undertaking providing ICT services under any of the circumstances listed in paragraph 7.

Financial entitiesas defined in Article 2, points (a) to (t) shall ensure that they are able to exit contractual arrangements without:

Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested and reviewed periodically.

Financial entitiesas defined in Article 2, points (a) to (t) shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services and the relevant data from the ICT third-party service provideran undertaking providing ICT services and to securely and integrally transfer them to alternative providers or reincorporate them in-house.

Financial entitiesas defined in Article 2, points (a) to (t) shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in the first subparagraph.