Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 9 Capacity and performance management
Summary What does Article 9 of the RTS on ICT risk management framework say?
This article requires financial entities to put in place formal procedures for managing the capacity and performance of their ICT systems.
It sits within the broader ICT security framework established under Article 9(2) of DORA, and focuses on ensuring that ICT systems remain available and efficient, and that shortages are prevented before they arise.
A notable requirement is that these procedures must also account for ICT systems that are particularly resource-intensive or that involve lengthy procurement or approval processes, acknowledging that such systems carry unique operational risks.
Important points:
- Develop, document, and implement capacity and performance management procedures covering the identification of ICT system capacity requirements, resource optimisation, and monitoring for availability, efficiency, and shortage prevention.
- Ensure procedures specifically address ICT systems with long or complex procurement or approval processes, or those that are resource-intensive.
- These obligations apply to financial entities as part of their wider ICT security policies under DORA.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following:
the identification of capacity requirements of their ICT systems;
the application of resource optimisation;
the monitoring procedures for maintaining and improving:
the availability of data and ICT systems;
the efficiency of ICT systems;
the prevention of ICT capacity shortages.
The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.