Source: OJ L, 2024/1774, 25.6.2024
RTS on ICT risk management framework (Digital operational resilience in the financial sector, ICT risk management)
Article 10 Vulnerability and patch management
1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.
2. The vulnerability management procedures referred to in paragraph 1 shall:
(a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
(b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
(c) verify whether:
(i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;
(ii) whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;
(d) track the usage of:
(i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;
(ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;
(e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
(f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
(g) monitor and verify the remediation of vulnerabilities;
(h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.
For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.
For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.
For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.
For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.
3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.
4. The patch management procedures referred to in paragraph 3 shall:
(a) to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
(b) identify emergency procedures for the patching and updating of ICT assets;
(c) test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);
(d) set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
Relevant recitals
Recital 11 Vulnerability management
The fast-evolving nature of ICT landscapes, ICT vulnerabilities and cyber threats necessitates a proactive and comprehensive approach to identifying, evaluating, and addressing ICT vulnerabilities. Without such an approach, financial entities, their customers, users, or counterparties may be severely exposed to risks, which would put at risk their digital operational resilience, the security of their networks, and the availability, authenticity, integrity, and confidentiality of data that ICT security policies and procedures should protect. Financial entities referred to in Title II of this Regulation should therefore identify and remedy vulnerabilities in their ICT environment, and both the financial entities and their ICT third-party service providers should adhere to a coherent, transparent, and responsible vulnerability management framework.
For the same reason, financial entities should monitor ICT vulnerabilities using reliable resources and automated tools, verifying that ICT third-party service providers ensure prompt action on vulnerabilities in provided ICT services.
Recital 12 Patch management
Patch management should be a crucial part of those ICT security policies and procedures that, through testing and deployment in a controlled environment, are to resolve identified vulnerabilities and to prevent disruptions from the installation of patches.
Recital 13 Responsible vulnerability disclosure
To ensure timely and transparent communication of potential security threats that could impact the financial entity and its stakeholders, financial entities should establish procedures for the responsible disclosure of ICT vulnerabilities to clients, counterparts, and the public. When establishing those procedures, financial entities should consider factors, including the severity of the vulnerability, the potential impact of such vulnerability on stakeholders, and the readiness of a fix or mitigation measures.