Article 22 ICT-related incident management policy


  1. As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall:

    (a) document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;

    (b) establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:

      (i) the detection and monitoring of cyber threats;

      (ii) the detection of anomalous activities;

      (iii) vulnerability management;

    (c) establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;

    (d) retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12) and with any applicable retention requirement pursuant to Union law;

    (e) establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents.

  2. For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner.

(12) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj).
