Source: OJ L, 2024/1774, 25.6.2024

Article 34 ICT operations security


Summary: What does Article 34 of the RTS on ICT risk management framework say?

This article sits within the simplified ICT risk management framework, applying to the subset of financial entities covered by Article 16(1) of DORA.

It lays out a broad set of operational requirements for how those entities must manage and oversee their ICT assets on an ongoing basis.

The article covers the full operational spectrum: from lifecycle and capacity management, to vulnerability scanning, legacy asset risk, event logging, anomaly detection, and cyber threat monitoring.

It is essentially the operational backbone of the simplified framework, translating the risk identification work required by Article 31 into concrete day-to-day technical controls.

Important points:

  • Perform automated vulnerability scanning of ICT assets, scaled to their classification and risk profile, and deploy patches to address any vulnerabilities identified.
  • Log events across logical and physical access control, ICT operations, network traffic, and change management, ensuring the level of detail in those logs is aligned to the purpose and usage of the asset producing them.
  • Implement measures to detect anomalous activities, monitor cyber threats, and identify information leakages, malicious code, and publicly known vulnerabilities in software and hardware.

The summary above is Springlex's reading aid; it is not a substitute for the legal text, which follows.

  1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets:

    (a) monitor and manage the lifecycle of all ICT assets;

    (b) monitor whether the ICT assets are supported by ICT third-party service providers of financial entities, where applicable;

    (c) identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise;

    (d) perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities;

    (e) manage the risks related to outdated, unsupported, or legacy ICT assets;

    (f) log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management;

    (g) identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations;

    (h) implement measures to monitor relevant and up-to-date information about cyber threats;

    (i) implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates.

  2. For the purposes of point (f), financial entities shall align the level of detail of the logs with their purpose and usage of the ICT asset producing those logs.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.