Source: OJ L, 2024/1774, 25.6.2024
Article 19 Human resources policy
Summary
What does Article 19 of the RTS on ICT risk management framework say?
This article focuses on the human element of ICT security, requiring financial entities to embed specific ICT security obligations directly into their HR policies or equivalent internal policies.
Rather than treating ICT security as a purely technical matter, it extends accountability to staff and third-party service provider personnel who interact with the financial entity's ICT assets, covering their conduct during and at the end of their engagement.
Important points:
- Embed ICT security requirements into your human resource policy, covering both internal staff and staff of ICT third-party service providers who access your ICT assets.
- Ensure all relevant staff are informed of and adhere to ICT security policies, and are aware of reporting channels for anomalous behaviour, including those aligned with the EU whistleblowing directive.
- Require staff to return all ICT assets and tangible information assets to the financial entity upon termination of employment.
Springlex's summary of the article: a reading aid, not a substitute for the legal text.
Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements:
(a) the identification and assignment of any specific ICT security responsibilities;
(b) requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to:
(i) be informed about, and adhere to, the financial entity’s ICT security policies, procedures, and protocols;
(ii) be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the Council;
(c) for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity.
This Springlex text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.