Source: OJ L, 2024/1774, 25.6.2024
Recital 26 Simplified ICT risk management framework
The requirements for financial entities that are subject to the simplified ICT risk management framework referred to in Article 16 of Regulation (EU) 2022/2554 should be focused on those essential areas and elements that, in light of the scale, risk, size, and complexity of those financial entities, are as a minimum necessary to ensure the confidentiality, integrity, availability, and authenticity of the data and services of those financial entities. In that context, those financial entities should have in place an internal governance and control framework with clear responsibilities to enable an effective and sound risk management framework.
Furthermore, to reduce the administrative and operational burden, those financial entities should develop and document only one policy, that is an information security policy, that specifies the high-level principles and rules necessary to protect the confidentiality, integrity, availability, and authenticity of data and of the services of those financial entities.