Source: OJ L, 2024/1774, 25.6.2024
Digital operational resilience in the financial sector: RTS on ICT risk management framework (ICT risk management)
Article 37 ICT systems acquisition, development, and maintenance
The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall:
(a) ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned;
(b) ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment;
(c) identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment.