Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 38 ICT project and change management
Summary What does Article 38 of the RTS on ICT risk management framework say?
This article sits within the simplified ICT risk management framework for the smaller financial entities referred to in Article 16(1) of DORA, and it sets out two closely related procedural obligations: ICT project management and ICT change management.
Rather than prescribing detailed content requirements, it focuses on the existence and implementation of these procedures, requiring that they span the full lifecycle of projects and changes respectively.
It is the simplified-framework counterpart to the more detailed project and change management provisions that apply to larger financial entities elsewhere in this regulation.
Important points:
- Develop, document, and implement an ICT project management procedure that covers all stages of ICT projects from initiation to closure, with clearly specified roles and responsibilities.
- Develop, document, and implement an ICT change management procedure ensuring all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner.
- Both obligations apply to the financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554, i.e., those subject to the simplified ICT risk management framework.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure.
The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity’s digital operational resilience.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT third-party service provider
Definition
network and information system
Definition
digital operational resilience
Definition
ICT services