Source: OJ L, 2024/1774, 25.6.2024

Article 25 Testing of the ICT business continuity plans
Summary What does Article 25 of the RTS on ICT risk management framework say?

This article builds directly on Article 24, which establishes the ICT business continuity policy, by setting out the detailed requirements for how financial entities must actually test those plans.

The core purpose is to ensure that testing is rigorous and meaningful — grounded in the entity's business impact analysis and ICT risk assessment — and that it genuinely verifies whether critical or important functions can be kept running through disruptions.

The article also extends specific obligations to central counterparties and central securities depositories, requiring them to involve relevant external parties, such as clearing members and other market infrastructures, in their testing exercises.

Important points:

  • Test ICT business continuity plans using realistic, severe but plausible disruption scenarios, including switchover to backup infrastructure (for all entities except microenterprises), and scenarios covering potential failures of ICT third-party service providers.
  • Central counterparties and central securities depositories must involve relevant external stakeholders — such as clearing members, external providers, and other market infrastructures — in their business continuity testing.
  • Document all testing results and ensure that any deficiencies identified are analysed, addressed, and reported to the management body.

Springlex's summary of the article is a reading aid, not a substitute for the legal text.

    1. When testing the ICT business continuity plans in accordance with Article 11(6) of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity’s business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation.

    2. Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity’s critical or important functions. That testing shall:

      (a) be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios;

      (b) contain the testing of ICT services provided by ICT third-party service providers, where applicable;

      (c) for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities;

      (d) be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans;

      (e) contain procedures to verify the ability of the financial entities’ staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2).

    For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans.

    For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers’ jurisdictions, where relevant.

    For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored.

    3. In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1:

      (a) clearing members;

      (b) external providers;

      (c) relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies.

    4. In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate:

      (a) users of the central securities depositories;

      (b) critical utilities and critical service providers;

      (c) other central securities depositories;

      (d) other market infrastructures;

      (e) any other institutions with which central securities depositories have identified interdependencies in their business continuity policy.

    5. Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body.
