Source: OJ L, 2024/1774, 25.6.2024
Digital operational resilience in the financial sector (DORA): ICT risk management
RTS on ICT risk management framework
Article 22 ICT-related incident management policy
Summary: What does Article 22 of the RTS on ICT risk management framework say?
This article requires financial entities to develop, document, and implement a dedicated ICT-related incident policy as part of their mechanisms for detecting anomalous activities, including ICT network performance issues and ICT-related incidents.
It connects directly to the ICT-related incident management process established under Article 17 of DORA (Regulation (EU) 2022/2554), operationalising that process by setting out what the supporting policy must contain.
The article covers the full scope of the policy: documenting the Article 17 process, maintaining contact lists for ICT operations security, operating detection mechanisms (with reference to Article 23 of the RTS), retaining evidence securely and for no longer than necessary, and analysing significant or recurring incidents and patterns in their number and occurrence.
Important points:
- Develop, document, and implement an ICT-related incident policy that supports the incident management process referenced in Article 17 of DORA.
- Retain all evidence relating to ICT-related incidents securely, for no longer than necessary for the purposes for which it was collected and commensurate with the criticality of the affected functions and assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 and any retention requirement under Union law.
- Establish mechanisms to analyse significant or recurring ICT-related incidents, including patterns in their number and occurrence.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall:
(a) document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;
(b) establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:
(i) the detection and monitoring of cyber threats;
(ii) the detection of anomalous activities;
(iii) vulnerability management;
(c) establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;
(d) retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12) and with any applicable retention requirement pursuant to Union law;
(e) establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents.
For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner.
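The two operational requirements in the Article, retention of evidence commensurate with criticality and analysis of recurring incidents and their patterns (points (d) and (e) in the Regulation's lettering), as an added example in Python. This is not code from Springlex or from the Regulation; it assumes a normalised root-cause label per incident, a three-tier criticality taxonomy, a 90-day recurrence window and placeholder retention periods, none of which the legal text prescribes. The incident records are constructed for the example.

```python
"""Added example (not from the Springlex page or the Regulation): recurrence
analysis over incident records and a criticality-based evidence retention
deadline. Root-cause labels, criticality tiers, window and retention periods
are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_at: datetime
    root_cause: str   # assumed normalised label, e.g. "expired_tls_cert"
    asset: str        # affected ICT asset (assumed naming)
    criticality: str  # assumed tiers: "critical", "important", "standard"


# Constructed sample records for the example; not real incident data.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 1, 5), "expired_tls_cert", "payments-gw", "critical"),
    Incident("INC-002", datetime(2024, 1, 20), "expired_tls_cert", "payments-gw", "critical"),
    Incident("INC-003", datetime(2024, 3, 2), "expired_tls_cert", "payments-gw", "critical"),
    Incident("INC-004", datetime(2024, 2, 10), "disk_full", "batch-01", "standard"),
    Incident("INC-005", datetime(2024, 6, 15), "disk_full", "batch-01", "standard"),
    Incident("INC-006", datetime(2024, 9, 1), "disk_full", "batch-01", "standard"),
    Incident("INC-007", datetime(2024, 4, 11), "ddos", "web-front", "important"),
    Incident("INC-008", datetime(2024, 4, 11), "phishing_compromise", "mail", "important"),
]

# Assumed retention periods per criticality tier (placeholders; the Regulation
# requires "no longer than necessary" and fixes no numbers).
RETENTION_DAYS = {"critical": 730, "important": 365, "standard": 180}


def recurring_incidents(incidents, window_days=90, min_count=3):
    """Group incidents by (root_cause, asset) and return the groups in which at
    least `min_count` incidents fall inside some sliding window of `window_days`.
    Result: {(root_cause, asset): [incident ids of the group, time-ordered]}."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.root_cause, inc.asset)].append(inc)
    window = timedelta(days=window_days)
    flagged = {}
    for key, members in groups.items():
        members.sort(key=lambda i: i.detected_at)
        start = 0
        for end, inc in enumerate(members):
            # Advance the window start until the span fits within window_days.
            while inc.detected_at - members[start].detected_at > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged[key] = [m.incident_id for m in members]
                break
    return flagged


def monthly_counts(incidents):
    """Incidents per calendar month, keyed "YYYY-MM", for reviewing patterns
    in the number and occurrence of incidents."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc.detected_at.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def retention_deadline(inc, recurrence_window_days=90):
    """Date until which evidence for `inc` is kept: the criticality-based period,
    never shorter than the recurrence window, so the evidence still exists when
    recurrence is assessed (an assumed policy choice, not a legal requirement)."""
    days = max(RETENTION_DAYS[inc.criticality], recurrence_window_days)
    return inc.detected_at + timedelta(days=days)


def evidence_record(inc, evidence):
    """Integrity fingerprint stored alongside the evidence so later tampering is
    detectable: one element of retaining evidence 'in a secure manner'."""
    return {
        "incident_id": inc.incident_id,
        "sha256": hashlib.sha256(evidence).hexdigest(),
        "retain_until": retention_deadline(inc).date().isoformat(),
    }


if __name__ == "__main__":
    for key, ids in recurring_incidents(SAMPLE_INCIDENTS).items():
        print("recurring:", key, ids)
    print("per month:", monthly_counts(SAMPLE_INCIDENTS))
    print(evidence_record(SAMPLE_INCIDENTS[0], b"constructed log excerpt"))
```

With the constructed data, the three certificate-expiry incidents on the payments gateway fall within 57 days and are flagged as recurring, whereas the three disk-full incidents on the batch host are spread over seven months and are not, which is the distinction between a pattern and isolated events that the analysis mechanism in the Article is meant to surface.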
Relevant recitals
Recital 18 ICT-related incident management process
To detect, manage, and report ICT-related incidents, financial entities referred to in Title II of this Regulation should establish an ICT-related incident policy encompassing the components of an ICT-related incident management process. For that purpose, financial entities should identify all relevant contacts inside and outside the organisation that can facilitate the correct coordination and implementation of the different phases within that process. To optimise the detection of, and response to, ICT-related incidents, and to identify trends among those incidents, which are a valuable source of information enabling financial entities to identify and address root causes and problems in an effective manner, financial entities should in particular analyse in detail the ICT-related incidents that they consider to be most significant, inter alia, because of their regular reoccurrence.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article: network and information system; cyber threat; information asset; vulnerability; ICT-related incident.
Footnote 12: Commission Delegated Regulation (EU) 2024/1772 (OJ L, 2024/1772, 25.6.2024).