Source: OJ L, 2024/1774, 25.6.2024
Article 2 General elements of ICT security policies, procedures, protocols, and tools
Summary: What does Article 2 of the RTS on ICT risk management framework say?
This article establishes the core requirements for how financial entities must structure and maintain their ICT security policies.
It builds directly on Article 9(2) of DORA (Regulation (EU) 2022/2554), specifying that ICT security policies must be embedded within the broader ICT risk management framework.
Beyond setting out the fundamental security objectives these policies must achieve — network security, data protection, and reliable data transmission — the article goes into considerable detail about the formal characteristics those policies must have, covering everything from management body approval and staff responsibilities to alignment with the digital operational resilience strategy and responsiveness to material changes.
Important points:
- Embed ICT security policies within the ICT risk management framework, ensuring they cover network security, safeguards against intrusions, data integrity, and reliable transmission.
- Ensure ICT security policies are formally approved by the management body, aligned to the digital operational resilience strategy, and include indicators to monitor implementation and manage exceptions.
- ICT security policies must specify staff responsibilities and consequences of non-compliance, reflect segregation of duties, consider leading practices and standards, and be updated to account for material changes to the entity's activities, the cyber threat landscape, or applicable legal obligations.
The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.
1. Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:
(a) ensure the security of networks;
(b) contain safeguards against intrusions and data misuse;
(c) preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
(d) guarantee an accurate and prompt data transmission without major disruptions and undue delays.
2. Financial entities shall ensure that the ICT security policies referred to in paragraph 1:
(a) are aligned to the financial entity's information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
(b) indicate the date of the formal approval of the ICT security policies by the management body;
(c) contain indicators and measures to:
    (i) monitor the implementation of the ICT security policies, procedures, protocols, and tools;
    (ii) record exceptions from that implementation;
    (iii) ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
(d) specify the responsibilities of staff at all levels to ensure the financial entity's ICT security;
(e) specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
(f) list the documentation to be maintained;
(g) specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
(h) consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
(i) identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
(j) are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
(k) take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.
Relevant recitals
Recital 2 Flexibility in documentation requirements compliance
For the same reason, financial entities subject to Regulation (EU) 2022/2554 should have a certain flexibility in the way they comply with any requirements as regards ICT security policies, procedures, protocols and tools, and as regards any simplified ICT risk management framework. For that reason, financial entities should be allowed to use any documentation they have already to comply with any documentation requirements that flow from those requirements. It follows that the development, documentation, and implementation of specific ICT security policies should be required only for certain essential elements, taking into account, inter alia, leading industry practices and standards. Furthermore, to cover specific technical implementation aspects, it is necessary to develop, document and implement ICT security procedures to cover specific technical implementation aspects, including capacity and performance management, vulnerability and patch management, data and system security, and logging.
Recital 3 Importance of roles, responsibilities and non-compliance consequences
To ensure the correct implementation over time of ICT security policies, procedures, protocols, and tools referred to in Title II, Chapter I of this Regulation, it is important that financial entities correctly assign and maintain any roles and responsibilities relating to ICT security, and that they lay down the consequences of non-compliance with ICT security policies or procedures.
Recital 4 Avoid conflicts of interests
To limit the risk of conflicts of interests, financial entities should ensure the segregation of duties when assigning ICT roles and responsibilities.
Recital 5 Flexibility in provisions for non-compliance consequences
To ensure flexibility and to simplify the financial entities’ control framework, financial entities should not be required to develop specific provisions on the consequences of non-compliance with ICT security policies, procedures and protocols referred to in Title II, Chapter I of this Regulation where such provisions are already set out in another policy or procedure.
Recital 6 Standards-based ICT security policies
In a dynamic environment where ICT risks constantly evolve, it is important that financial entities develop their set of ICT security policies on the basis of leading practices, and where applicable, of standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (2). This should enable financial entities referred to in Title II of this Regulation to remain informed and prepared in a changing landscape.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article: ICT risk; ICT third-party service provider; network and information system; cyber threat; management body; vulnerability; digital operational resilience; ICT services.