Source: OJ L, 2024/1774, 25.6.2024
RTS on ICT risk management framework
Article 17 ICT change management
Summary: what does Article 17 of the RTS on ICT risk management framework say?
This article elaborates on the ICT change management procedures that financial entities must have in place, building directly on the requirement in Article 9(4)(e) of DORA (Regulation (EU) 2022/2554).
It sets out the minimum content those procedures must cover for any change to software, hardware, firmware, systems, or security parameters — encompassing everything from roles and responsibilities, documentation, and fall-back procedures, to the handling of emergency changes both during and after their implementation.
The article also imposes an additional, more demanding obligation on central counterparties and central securities depositories specifically: following significant ICT system changes, they must conduct stringent stress-condition testing and involve relevant external parties in that process.
Important points:
- Include all mandated elements — such as independence of approval functions, fall-back procedures, and impact assessments on existing security measures — in your ICT change management procedures.
- Emergency changes must be covered by dedicated procedures, protocols, and tools, and must be documented, re-evaluated, assessed, and approved even after their implementation.
- Central counterparties and central securities depositories are required to conduct stringent stress-condition testing after significant ICT changes, involving clearing members, clients, users, and other relevant external parties as appropriate.
The above is Springlex's summary of the article, a reading aid and not a substitute for the legal text, which follows.
1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements:
(a) a verification of whether the ICT security requirements have been met;
(b) mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes;
(c) a clear description of the roles and responsibilities to ensure that:
    (i) changes are specified and planned;
    (ii) an adequate transition is designed;
    (iii) the changes are tested and finalised in a controlled manner;
    (iv) there is an effective quality assurance;
(d) the documentation and communication of change details, including:
    (i) the purpose and scope of the change;
    (ii) the timeline for the implementation of the change;
    (iii) the expected outcomes;
(e) the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented;
(f) procedures, protocols, and tools to manage emergency changes that provide adequate safeguards;
(g) procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches;
(h) the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures.
2. After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions.
Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:
(a) clearing members and clients;
(b) interoperable central counterparties;
(c) other interested parties.
Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph:
(a) users;
(b) critical utilities and critical service providers;
(c) other central securities depositories;
(d) other market infrastructures;
(e) any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy.
Relevant recitals
Recital 17 ICT change management policies and procedures
Changes, regardless of their scale, carry inherent risks and may pose significant risks of loss of confidentiality, integrity, and availability of data, and could thus lead to severe business disruptions. To safeguard financial entities from potential ICT vulnerabilities and weaknesses that could expose them to significant risks, a rigorous verification process is necessary to confirm that all changes meet the necessary ICT security requirements. Financial entities referred to in Title II of this Regulation should therefore, as an essential element of their ICT security policies and procedures, have in place sound ICT change management policies and procedures. To uphold the objectivity and effectiveness of the ICT change management process, to prevent conflicts of interest, and to ensure that ICT changes are evaluated objectively, it is necessary to separate the functions responsible for approving those changes from the functions that request and implement those changes. To achieve effective transitions, controlled ICT change implementation, and minimal disruptions to the operation of the ICT systems, financial entities should assign clear roles and responsibilities that ensure that ICT changes are planned, adequately tested, and that quality is ensured. To ensure that ICT systems continue to operate effectively, and to provide a safety net for financial entities, financial entities should also develop and implement fall-back procedures. Financial entities should clearly identify those fall-back procedures and assign responsibilities to ensure a swift and effective response in the event of unsuccessful ICT changes.
Recital 24 Additional requirements for financial market infrastructure participants
It is necessary to lay down requirements for operational risk, and more particularly requirements for ICT project and change management and ICT business continuity management building on those that apply already to central counterparties, central securities depositories and trading venues under, respectively, Regulations (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 of the European Parliament and of the Council.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.