Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 15 ICT project management
Summary What does Article 15 of the RTS on ICT risk management framework say?
This article requires financial entities to put in place a formal ICT project management policy, framed as one of the safeguards for preserving data availability, authenticity, integrity, and confidentiality.
It sets out the core components that such a policy must cover — from objectives and governance through to risk assessment, change management, and production deployment testing.
Notably, the article connects project management directly to senior oversight, requiring that ICT projects affecting critical or important functions be reported to the management body, reinforcing the governance thread running throughout the regulation.
Important points:
- Develop, document, and implement an ICT project management policy covering objectives, governance, planning, risk assessment, milestones, change management, and security testing.
- Ensure the policy draws on information and expertise from the business areas or functions affected by each ICT project.
- Report the progress and associated risks of ICT projects impacting critical or important functions to the management body, both periodically and on an event-driven basis.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy.
The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity’s ICT systems.
The ICT project management policy referred to in paragraph 1 shall contain all of the following:
ICT project objectives;
ICT project governance, including roles and responsibilities;
ICT project planning, timeframe, and steps;
ICT project risk assessment;
relevant milestones;
change management requirements;
the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment.
The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project.
In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows:
individually or in aggregation, depending on the importance and size of the ICT projects;
periodically and, where necessary, on an event-driven basis.
Relevant recitals
Recital 15 ICT project management
To manage the rapid advancement in ICT environments, financial entities referred to in Title II of this Regulation should implement robust ICT project management policies and procedures to maintain data availability, authenticity, integrity, and confidentiality. Those ICT project management policies and procedures should identify the elements that are necessary to successfully manage ICT projects, including changes to, acquisitions of, the maintenance of, and developments of the financial entity’s ICT systems, regardless of the ICT project management methodology chosen by the financial entity. In the context of those policies and procedures, financial entities should adopt testing practices and methods that suit their needs, while adhering to a risk-based approach and ensuring that a secure, reliable, and resilient ICT environment is maintained. To guarantee the secure implementation of an ICT project, financial entities should ensure that staff from specific business sectors or roles influenced or impacted by that ICT project can provide the necessary information and expertise. To ensure effective oversight, reports on ICT projects, in particular about projects that affect critical or important functions and about their associated risks, should be submitted to the management body. Financial entities should tailor the frequency and details of the systematic and ongoing reviews and reports to the importance and the size of the ICT projects concerned.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
management body
Definition
critical or important function