Source: OJ L, 2024/1774, 25.6.2024
Article 4 ICT asset management policy
Summary: What does Article 4 of the RTS on ICT risk management framework say?
This article requires financial entities to develop, document, and implement a formal policy for managing ICT assets, sitting within the broader ICT security framework established under Article 9(2) of DORA.
It builds directly on the asset identification and classification work required by Article 8(1) of DORA, translating that classification into concrete record-keeping and lifecycle management obligations.
The core thrust is that financial entities must maintain detailed, structured records about every ICT asset they hold, covering everything from ownership and location to business continuity requirements and third-party support end dates.
Important points:
- Develop, document, and implement a policy for ICT asset management that covers the full lifecycle of all identified and classified ICT assets.
- Keep comprehensive records for each ICT asset, including its unique identifier, location, owner, supported business functions, continuity requirements, internet exposure, and interdependencies with other assets.
- Financial entities other than microenterprises must also maintain records sufficient to perform an ICT risk assessment on all legacy ICT systems still in use.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.

2. The policy on management of ICT assets referred to in paragraph 1 shall:

(a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;

(b) prescribe that the financial entity keeps records of all of the following:

(i) the unique identifier of each ICT asset;
(ii) information on the location, either physical or logical, of all ICT assets;
(iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554;
(iv) the identity of ICT asset owners;
(v) the business functions or services supported by the ICT asset;
(vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
(vii) whether the ICT asset can be or is exposed to external networks, including the internet;
(viii) the links and interdependencies among ICT assets and the business functions using each ICT asset;
(ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider's regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;

(c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.