Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
TITLE I
GENERAL PRINCIPLE
Article 1
Overall risk profile and complexity
When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to:
(a) encryption and cryptography;
(b) ICT operations security;
(c) network security;
(d) ICT project and change management;
(e) the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity’s activities.
TITLE II
FURTHER HARMONISATION OF ICT RISK MANAGEMENT TOOLS, METHODS, PROCESSES, AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF REGULATION (EU) 2022/2554
CHAPTER I
ICT Security policies, procedures, protocols, and tools
Section 1
Article 2
General elements of ICT security policies, procedures, protocols, and tools
Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:
(a) ensure the security of networks;
(b) contain safeguards against intrusions and data misuse;
(c) preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
(d) guarantee an accurate and prompt data transmission without major disruptions and undue delays.
Financial entities shall ensure that the ICT security policies referred to in paragraph 1:
(a) are aligned to the financial entity’s information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
(b) indicate the date of the formal approval of the ICT security policies by the management body;
(c) contain indicators and measures to: (i) monitor the implementation of the ICT security policies, procedures, protocols, and tools; (ii) record exceptions from that implementation; (iii) ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
(d) specify the responsibilities of staff at all levels to ensure the financial entity’s ICT security;
(e) specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
(f) list the documentation to be maintained;
(g) specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
(h) consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
(i) identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
(j) are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
(k) take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.
Section 2
Article 3
ICT risk management
Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:
(a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;
(b) a procedure and a methodology to conduct the ICT risk assessment, identifying: (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);
(c) the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);
(d) for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): (i) provisions on the identification of those residual ICT risks; (ii) the assignment of roles and responsibilities regarding: (1) the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a); (2) for the review process referred to in point (iv) of this point (d); (iii) the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; (iv) provisions on the review of the accepted residual ICT risks at least once a year, including: (1) the identification of any changes to the residual ICT risks; (2) the assessment of available mitigation measures; (3) the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;
(e) provisions on the monitoring of: (i) any changes to the ICT risk and cyber threat landscape; (ii) internal and external vulnerabilities and threats; (iii) ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile;
(f) provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.
For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:
(a) the monitoring of the effectiveness of the ICT risk treatment measures implemented;
(b) the assessment of whether the established risk tolerance levels of the financial entity have been attained;
(c) the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.
Section 3
ICT asset management
Article 4
ICT asset management policy
The policy on management of ICT assets referred to in paragraph 1 shall:
(a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
(b) prescribe that the financial entity keeps records of all of the following: (i) the unique identifier of each ICT asset; (ii) information on the location, either physical or logical, of all ICT assets; (iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554; (iv) the identity of ICT asset owners; (v) the business functions or services supported by the ICT asset; (vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives; (vii) whether the ICT asset can be or is exposed to external networks, including the internet; (viii) the links and interdependencies among ICT assets and the business functions using each ICT asset; (ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
(c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.
Article 5
ICT asset management procedure
The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:
(a) the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;
(b) how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.
Section 4
Encryption and cryptography
Article 6
Encryption and cryptographic controls
Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following:
(a) the encryption of data at rest and in transit;
(b) the encryption of data in use, where necessary;
(c) the encryption of internal network connections and traffic with external parties;
(d) the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys.
For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data.
Article 7
Cryptographic key management
Section 5
ICT operations security
Article 8
Policies and procedures for ICT operations
The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:
(a) an ICT assets description, including all of the following: (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; (ii) requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; (iii) requirements regarding the identification and control of legacy ICT systems;
(b) controls and monitoring of ICT systems, including all of the following: (i) backup and restore requirements of ICT systems; (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems; (iii) protocols for audit-trail and system log information; (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations; (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments; (vi) requirements to conduct the development and testing in environments which are separated from the production environment; (vii) requirements to conduct the development and testing in production environments;
(c) error handling concerning ICT systems, including all of the following: (i) procedures and protocols for handling errors; (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues; (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.
For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).
For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.
Article 9
Capacity and performance management
As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following:
(a) the identification of capacity requirements of their ICT systems;
(b) the application of resource optimisation;
(c) the monitoring procedures for maintaining and improving: (i) the availability of data and ICT systems; (ii) the efficiency of ICT systems; (iii) the prevention of ICT capacity shortages.
Article 10
Vulnerability and patch management
The vulnerability management procedures referred to in paragraph 1 shall:
(a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
(b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
(c) verify whether: (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity; (ii) those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;
(d) track the usage of: (i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions; (ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;
(e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
(f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
(g) monitor and verify the remediation of vulnerabilities;
(h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.
For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.
For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.
For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In the case of ready-to-use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage of third-party libraries, including open-source libraries, to the extent possible.
For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.
The patch management procedures referred to in paragraph 3 shall:
(a) to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
(b) identify emergency procedures for the patching and updating of ICT assets;
(c) test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);
(d) set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
Article 11
Data and system security
The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554:
(a) the access restrictions referred to in Article 21 of this Regulation, supporting the protection requirements for each level of classification;
(b) the identification of a secure configuration baseline for ICT assets that minimises the exposure of those ICT assets to cyber threats, and measures to verify regularly that those baselines are effectively deployed;
(c) the identification of security measures to ensure that only authorised software is installed in ICT systems and endpoint devices;
(d) the identification of security measures against malicious codes;
(e) the identification of security measures to ensure that only authorised data storage media, systems, and endpoint devices are used to transfer and store data of the financial entity;
(f) the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: (i) the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity’s data; (ii) the requirement to use security mechanisms that cannot be modified, removed or bypassed by staff members or ICT third-party service providers in an unauthorised manner; (iii) the requirement to use removable data storage devices only where the residual ICT risk remains within the financial entity’s risk tolerance level referred to in Article 3, first subparagraph, point (a);
(g) the process to securely delete data, present on premises of the financial entity or stored externally, that the financial entity no longer needs to collect or to store;
(h) the process to securely dispose of or decommission data storage devices, present on premises of the financial entity or stored externally, that contain confidential information;
(i) the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices;
(j) the implementation of security measures to ensure that teleworking and the use of private endpoint devices do not adversely impact the ICT security of the financial entity;
(k) for ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience, in accordance with the results of the data classification and ICT risk assessment.