Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 1 Overall risk profile and complexity
Summary What does Article 1 of the RTS on ICT risk management framework say?
This opening article establishes a cross-cutting principle that applies to everything that follows in the regulation.
It states that financial entities must take their own size, risk profile, and operational complexity into account when developing and implementing their ICT security policies and simplified ICT risk management framework.
In other words, the obligations set out in Titles II and III are not one-size-fits-all; the way they are applied must reflect the specific characteristics of each entity.
Important points:
- Tailor your ICT security policies and risk management framework to the size, risk profile, and complexity of your organisation.
- The tailoring requirement covers key domains including encryption, network security, ICT operations, and project and change management.
- Factor in the potential impact of ICT risk on the confidentiality, integrity, and availability of data, as well as on the continuity of your activities.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to:
encryption and cryptography;
ICT operations security;
network security;
ICT project and change management;
the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity’s activities.
Relevant recitals
Recital 1 Principle of proportionality
Regulation (EU) 2022/2554 covers a wide variety of financial entities that differ in size, structure, internal organisation, and in the nature and complexity of their activities, and thus have increased or reduced elements of complexity or risks. To ensure that that variety is duly taken into account, any requirements as regards ICT security policies, procedures, protocols and tools, and as regards a simplified ICT risk management framework, should be proportionate to that size, structure, internal organisation, nature and complexity of those financial entities, and to the corresponding risks.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT risk
Definition
network and information system