Source: OJ L, 2025/305, 31.3.2025

Article 9 ICT systems and related security arrangements


For the purposes of Article 62(2), point (j), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority the following information:

  (a) technical documentation of the ICT systems, DLT infrastructure relied upon, where relevant, and the security arrangements, including a description of the arrangements and deployed ICT and human resources established to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (9) (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj) as follows:

    (i) a description of how the applicant ensures a sound, comprehensive and well-documented ICT risk management framework as part of its overall risk management system, including a detailed description of ICT systems, protocols and tools and of how the applicant’s procedures, policies and systems to safeguard the security, integrity, availability, authenticity and confidentiality of data comply with Regulations (EU) 2022/2554 and (EU) 2016/679;

    (ii) an identification of ICT services supporting critical or important functions, developed or maintained by the applicant, and ICT services supporting critical or important functions provided by third-party service providers, a description of such contractual arrangements (identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements) and how those arrangements comply with Article 73 of Regulation (EU) 2023/1114 and Chapter V of Regulation (EU) 2022/2554;

    (iii) a description of the applicant’s procedures, policies, arrangements and systems for security and incident management;

  (b) if available, a description of a cybersecurity audit conducted by a third-party cybersecurity auditor having sufficient experience in accordance with the Commission Delegated Regulation establishing technical standards adopted pursuant to Article 26(11), fourth subparagraph, of Regulation (EU) 2022/2554, covering ideally the following audits or tests:

    (i) organisational cybersecurity, physical security and secure software development lifecycle arrangements;

    (ii) vulnerability assessments and scans, and network security assessments;

    (iii) configuration reviews of ICT assets supporting critical and important functions as defined in Article 3, point (22), of Regulation (EU) 2022/2554;

    (iv) penetration tests on the ICT assets supporting critical and important functions as defined in Article 3, point (17), of Regulation (EU) 2022/2554, in accordance with all the following audit test approaches:

      (1) black box: the auditor has no information other than the IP addresses and URLs associated with the audited target. This phase is generally preceded by the discovery of information and the identification of the target by querying domain name system (DNS) services, scanning open ports, discovering the presence of filtering equipment, etc.;

      (2) grey box phase: auditors have the knowledge of a standard user of the information system (legitimate authentication, ‘standard’ workstation, etc.). The identifiers can belong to different user profiles in order to test different privilege levels;

      (3) white box phase: auditors have as much technical information as possible (architecture, source code, telephone contacts, identifiers, etc.) before starting the analysis and also access to technical contacts related to the target;

    (v) where the applicant uses and/or develops smart contracts, a cybersecurity source code review of them;

  (c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;

  (d) a description of the relevant information referred to in points (a) and (b) in non-technical language.
