Article 10 Vulnerability and patch management


    1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.

    2. The vulnerability management procedures referred to in paragraph 1 shall:

      (a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;

      (b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;

      (c) verify whether:

        (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;

        (ii) whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;

      (d) track the usage of:

        (i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;

        (ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;

      (e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;

      (f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;

      (g) monitor and verify the remediation of vulnerabilities;

      (h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.

    For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.

    For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.

    For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.

    For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.

    3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.

    4. The patch management procedures referred to in paragraph 3 shall:

      (a) to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;

      (b) identify emergency procedures for the patching and updating of ICT assets;

      (c) test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);

      (d) set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
