Source: OJ L, 2024/1774, 25.6.2024

Article 8 Policies and procedures for ICT operations

Summary: What does Article 8 of the RTS on ICT risk management framework say?

This article sits within the broader ICT security framework established under Article 9(2) of DORA and focuses specifically on the operational management of ICT systems.

It requires financial entities to develop, document, and implement policies and procedures that govern how they operate, monitor, control, and restore their ICT assets.

The article covers three core operational areas: asset description and lifecycle management, system controls and monitoring, and error handling.

Notably, it addresses the sensitive topic of testing in production environments, imposing strict conditions on when and how this is permitted, linking directly to requirements set out in Article 16(6) of this regulation.

Important points:

  • Develop, document, and implement ICT operations policies covering asset management, system controls and monitoring, and error handling procedures.
  • Separate production environments from development and testing environments across all components, including accounts, data, and connections.
  • Testing in production environments is only permitted in clearly identified and reasoned instances, for limited periods, and must be approved by the relevant function.

The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.

    1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations.

    2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:

      (a) an ICT assets description, including all of the following:

        (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;

        (ii) requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual;

        (iii) requirements regarding the identification and control of legacy ICT systems;

      (b) controls and monitoring of ICT systems, including all of the following:

        (i) backup and restore requirements of ICT systems;

        (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;

        (iii) protocols for audit-trail and system log information;

        (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations;

        (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;

        (vi) requirements to conduct the development and testing in environments which are separated from the production environment;

        (vii) requirements to conduct the development and testing in production environments;

      (c) error handling concerning ICT systems, including all of the following:

        (i) procedures and protocols for handling errors;

        (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;

        (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.

    3. For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).

    4. For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.