Source: OJ L, 2024/1774, 25.6.2024
EN - Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 17 ICT change management
1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements:
(a) a verification of whether the ICT security requirements have been met;
(b) mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes;
(c) a clear description of the roles and responsibilities to ensure that:
(i) changes are specified and planned;
(ii) an adequate transition is designed;
(iii) the changes are tested and finalised in a controlled manner;
(iv) there is an effective quality assurance;
(d) the documentation and communication of change details, including:
(i) the purpose and scope of the change;
(ii) the timeline for the implementation of the change;
(iii) the expected outcomes;
(e) the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented;
(f) procedures, protocols, and tools to manage emergency changes that provide adequate safeguards;
(g) procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches;
(h) the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures.
2. After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions.
Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:
(a) clearing members and clients;
(b) interoperable central counterparties;
(c) other interested parties.
Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph:
(a) users;
(b) critical utilities and critical service providers;
(c) other central securities depositories;
(d) other market infrastructures;
(e) any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy.
Defined terms used in this Article:
financial entities: as defined in Article 2, points (a) to (t);
software: the part of an electronic information system which consists of computer code;
hardware: a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;
firmware components: software or hardware intended for integration into an electronic information system;
central counterparty: a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;
central securities depository: a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.