Articles - Commission Delegated Regulation (EU) 2024/1774
The Commission Delegated Regulation (EU) 2024/1774 is not the main DORA (Digital Operational Resilience Act) document. Rather, it’s a supplementary regulatory text developed and adopted by the European Commission. Its primary purpose is to provide more detailed rules and guidelines on how to implement DORA effectively, particularly in the area of Information and Communication Technology (ICT) risk management. You can think of it as a blueprint for bringing DORA to life in the real world, specifying the technical standards and details needed for implementation.
The articles within the regulation are the binding components. See below for a summary of each article, which will provide a deeper understanding of DORA. Each article has a "more about" section if you would like to learn more.
Here is a very quick overview of each article. It is recommended to not only skim through these, but also go through the article summaries below.
TL;DR
1. Use a risk-based approach.
2. Develop ICT security policies that are integrated with the overall risk management framework.
3. Develop ICT risk management policies that encompass risk assessment, treatment, and monitoring. Policies must be dynamic, allowing for regular reviews and updates in response to changes in the risk environment or the entity's business strategies.
4. Develop an ICT asset management policy that ensures all ICT assets are carefully tracked, managed, and documented throughout their lifecycle. The policy must also account for the complexities of legacy systems and external dependencies.
5. Establish a detailed procedure for managing ICT assets, which includes assessing the criticality of each asset based on the risks it poses to business functions and the potential consequences of its loss.
6. Establish a well-defined, risk-based policy on encryption and cryptographic controls that is integrated with the overall ICT security framework. The policy must cover data at rest, data in transit, network encryption, and cryptographic key management.
7. Have comprehensive cryptographic key management policies in place. Keys must be managed throughout their lifecycle, protective controls must safeguard keys against various risks, and methods for replacing compromised keys must be established. A register of certificates must be maintained and kept current, and certificates must be renewed before they expire to ensure continuous security.
8. Establish a framework for managing ICT operations and assets. These policies and procedures should strengthen resilience against ICT-related risks, keep operations running smoothly, and maintain the integrity, availability, and confidentiality of systems and data.
9. Manage the capacity and performance of ICT systems proactively by identifying capacity needs, optimizing resources, and continuously monitoring system performance, availability, and efficiency.
10. Establish a systematic approach to managing vulnerabilities and patching in ICT systems.
11. Implement detailed procedures for data and system security, covering everything from access restrictions to secure data deletion. Third-party providers must be closely overseen and security responsibilities clearly defined, so that the entity stays in control of its own security.
12. Logging is a crucial tool for enhancing security and operational resilience. Proper logging is critical for investigating incidents, maintaining system integrity, and fulfilling regulatory obligations.
13. Implement robust network security management, including network segmentation, encryption, access controls, and regular reviews, to protect networks from cyber threats and ensure the integrity and availability of ICT systems.
14. Adopt comprehensive measures to secure data in transit: implement preventive measures against data leaks, enforce confidentiality agreements, and design security protocols based on data classification and risk assessment.
15. Develop comprehensive ICT project management policies to systematically and securely control and mitigate the risks associated with the development, acquisition, and maintenance of ICT systems.
16. Establish clear policies and procedures for the acquisition, development, maintenance, and testing of ICT systems so that they are secure, reliable, and compliant with regulatory requirements.
17. Ensure controlled and secure management of ICT changes.
18. Establish clear physical and environmental security policies that address access control, protection against physical threats, and the security of ICT assets. The policies should also include clear desk and clear screen rules to protect sensitive information and ensure the secure handling of unattended ICT assets.
19. Integrate ICT security into human resources policies.
20. Implement robust identity management practices to safeguard access to information and ICT assets.
Overall risk profile and complexity
Article 1 requires companies to use a risk-based approach and develop ICT security measures that are proportionate to their specific characteristics, ensuring that their security approach is neither too weak nor unnecessarily complex, based on their risk profile and operational needs.
TL;DR
Article 1 requires companies to use a risk-based approach and develop ICT security measures that are proportionate to their specific characteristics, ensuring that their security approach is neither too weak nor unnecessarily complex, based on their risk profile and operational needs.
FULL VERSION
Article 1 focuses on how financial entities should consider their unique characteristics—such as size, risk profile, and complexity—when developing and implementing ICT security policies and risk management frameworks.
Here's a breakdown of the key elements:
Overall Risk Profile and Complexity: The article emphasizes that financial entities need to tailor their ICT security strategies based on their specific circumstances. This includes considering factors like their size, overall risk exposure, and the complexity of their services and operations.
Consideration of Specific Elements:
(a) Encryption and Cryptography: The use of encryption and cryptography should be adjusted to the entity's risk profile, ensuring that sensitive data is adequately protected.
(b) ICT Operations Security: Security measures for daily ICT operations should reflect the entity’s complexity and potential risks, safeguarding the systems that support its activities.
(c) Network Security: The protection of the entity’s network infrastructure should be aligned with the scale and complexity of its operations, ensuring secure communication channels and preventing unauthorized access.
(d) ICT Project and Change Management: The way ICT projects and changes are managed should take into account the entity's overall risk profile, ensuring that changes do not introduce vulnerabilities or disrupt operations.
(e) Impact on Confidentiality, Integrity, and Availability: The potential impact of ICT risks on data and operations should be a key factor in designing security measures. Entities need to focus on protecting the confidentiality, integrity, and availability of data, and on ensuring that their activities can continue even in the face of ICT disruptions.
In summary, Article 1 requires financial entities to develop ICT security measures that are proportionate to their specific characteristics, ensuring that their security approach is neither too weak nor unnecessarily complex, based on their risk profile and operational needs.
General elements of ICT security policies, procedures, protocols, and tools
Article 2 mandates that companies develop comprehensive ICT security policies that are integrated with their overall risk management frameworks. These policies must be aligned with strategic objectives, formally approved, and regularly monitored and updated. The article emphasizes the importance of clear responsibilities, monitoring mechanisms, and the ability to adapt to changes in the organization or external threats.
ICT risk management
Article 3 requires financial entities to develop comprehensive ICT risk management policies that encompass risk assessment, treatment, and monitoring. These policies must be dynamic, allowing for regular reviews and updates in response to changes in the risk environment or the entity's business strategies.
TL;DR
Article 3 requires financial entities to develop comprehensive ICT risk management policies that encompass risk assessment, treatment, and monitoring. These policies must be dynamic, allowing for regular reviews and updates in response to changes in the risk environment or the entity's business strategies. By doing so, financial entities can better manage ICT risks, ensure their resilience, and remain within their approved risk tolerance levels.
FULL VERSION
Article 3 outlines the requirements for developing and implementing ICT risk management policies and procedures for financial entities. Here's a breakdown of the key elements:
1. Risk Tolerance and Approval
Approval of Risk Tolerance: The ICT risk management policies must include a clear indication that the risk tolerance level for ICT risk, as established under Article 6(8)(b) of Regulation (EU) 2022/2554, has been formally approved. This means that the financial entity must determine the maximum level of risk it is willing to accept and have this approved by relevant decision-makers.
2. ICT Risk Assessment Procedure
Identifying Vulnerabilities and Threats: The policies must include procedures and methodologies for conducting ICT risk assessments. This involves identifying vulnerabilities and threats that could impact business functions, ICT systems, and ICT assets.
Measuring Impact and Likelihood: The policies should define quantitative or qualitative indicators that can be used to assess the impact and likelihood of these vulnerabilities and threats.
3. ICT Risk Treatment Measures
Risk Treatment: The policies must outline procedures for identifying, implementing, and documenting ICT risk treatment measures. These measures are designed to manage the identified risks and ensure they remain within the approved risk tolerance level.
4. Residual ICT Risks
Identifying Residual Risks: Even after implementing risk treatment measures, some risks may remain. The policies must include provisions for identifying these residual risks.
Roles and Responsibilities: Specific roles and responsibilities must be assigned for accepting residual ICT risks that exceed the entity's risk tolerance level. This includes a process for reviewing these risks.
Inventory of Residual Risks: The financial entity must maintain an inventory of accepted residual ICT risks, along with justifications for their acceptance.
Annual Review: The policies must provide for an annual review of residual ICT risks to identify any changes, assess new mitigation measures, and determine if the reasons for accepting these risks are still valid.
5. Monitoring and Adapting to Changes
Monitoring Changes: The policies must include provisions for monitoring changes in the ICT risk and cyber threat landscape, as well as internal and external vulnerabilities and threats. This ensures that the financial entity can detect changes that could affect its ICT risk profile.
Adapting to Business Strategy Changes: The policies should also ensure that any changes to the financial entity's business strategy or digital operational resilience strategy are taken into account in its ICT risk management framework.
6. Effectiveness of ICT Risk Treatment Measures
Monitoring Effectiveness: The policies must include procedures for monitoring the effectiveness of implemented ICT risk treatment measures.
Assessing Risk Tolerance Levels: The financial entity must assess whether the established risk tolerance levels are being met.
Corrective Actions: If necessary, the financial entity should take corrective actions to improve ICT risk treatment measures.
Summary
In essence, Article 3 requires financial entities to develop comprehensive ICT risk management policies that encompass risk assessment, treatment, and monitoring. These policies must be dynamic, allowing for regular reviews and updates in response to changes in the risk environment or the entity's business strategies. By doing so, financial entities can better manage ICT risks, ensure their resilience, and remain within their approved risk tolerance levels.
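The risk register below is an added example, not text or code from the regulation or from this page. It puts the Article 3 elements into one small, runnable model: impact and likelihood indicators, treatment measures, residual risk, an approved tolerance level, an inventory of accepted residual risks with owner and justification, and the annual review. The 1 to 5 scales, the impact-times-likelihood score, the fixed reductions per treatment, the 365-day review cycle and the sample risks are all constructed assumptions chosen for illustration, not values the regulation prescribes.

```python
"""Added example (not from the regulation or this page): a minimal ICT risk
register with the elements Article 3 names. Scales, score formula, review
cycle and sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Treatment:
    """A risk treatment measure and how much it lowers each 1..5 indicator (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    threat: str           # vulnerability or threat identified in the assessment
    asset: str            # business function, ICT system or ICT asset affected
    impact: int           # 1 negligible .. 5 severe (qualitative indicator)
    likelihood: int       # 1 rare .. 5 almost certain
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.impact * self.likelihood

    def residual_indicators(self) -> tuple:
        """Impact and likelihood after all treatment measures, floored at 1."""
        imp, lik = self.impact, self.likelihood
        for t in self.treatments:
            imp -= t.impact_reduction
            lik -= t.likelihood_reduction
        return max(1, imp), max(1, lik)

    def residual_score(self) -> int:
        imp, lik = self.residual_indicators()
        return imp * lik


@dataclass
class AcceptedResidualRisk:
    risk_id: str
    residual_score: int
    accepted_by: str      # role assigned responsibility for accepting residual risk
    justification: str
    accepted_on: date
    review_by: date       # annual review date


def exceeding_tolerance(register, tolerance: int):
    """Risks whose residual score is above the approved risk tolerance level."""
    return [r for r in register if r.residual_score() > tolerance]


def accept_residual(risk: Risk, accepted_by: str, justification: str,
                    accepted_on: date, tolerance: int) -> AcceptedResidualRisk:
    """Record acceptance of a residual risk above tolerance; reject records
    that are unnecessary (within tolerance) or carry no justification."""
    if risk.residual_score() <= tolerance:
        raise ValueError(f"{risk.risk_id}: residual risk within tolerance, no acceptance needed")
    if not justification.strip():
        raise ValueError(f"{risk.risk_id}: a justification for acceptance is required")
    return AcceptedResidualRisk(risk.risk_id, risk.residual_score(), accepted_by,
                                justification, accepted_on,
                                accepted_on + timedelta(days=365))


def due_for_review(inventory, today: date):
    """Accepted residual risks whose annual review date has been reached."""
    return [a for a in inventory if a.review_by <= today]


# Constructed sample register (illustrative values, not real findings).
RISK_TOLERANCE = 6                       # assumed approved tolerance level
SAMPLE_ACCEPTANCE_DATE = date(2025, 3, 1)
SAMPLE_REGISTER = [
    Risk("R-001", "ransomware on file servers", "document management", impact=5, likelihood=4,
         treatments=[Treatment("timely patching", likelihood_reduction=2),
                     Treatment("offline backups", impact_reduction=1)]),
    Risk("R-002", "misconfigured internal dashboard", "staff intranet", impact=2, likelihood=3),
    Risk("R-003", "credential stuffing on customer portal", "customer portal", impact=4, likelihood=5,
         treatments=[Treatment("multi-factor authentication", likelihood_reduction=3)]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, "inherent", r.inherent_score(), "residual", r.residual_score())
    for r in exceeding_tolerance(SAMPLE_REGISTER, RISK_TOLERANCE):
        rec = accept_residual(r, "CISO", "compensating monitoring in place; fix scheduled",
                              SAMPLE_ACCEPTANCE_DATE, RISK_TOLERANCE)
        print("accepted", rec.risk_id, "review by", rec.review_by)
```

The point of the checks in `accept_residual` is the accountability Article 3 asks for: a residual risk only enters the inventory when it actually exceeds tolerance and a justification is recorded, and `due_for_review` is what an annual review job would run.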
ICT asset management policy
Article 4 mandates companies to have a comprehensive ICT asset management policy. This policy ensures that all ICT assets are carefully tracked, managed, and documented throughout their lifecycle. The policy must also account for the complexities of legacy systems and external dependencies, ensuring that financial entities can manage risks effectively and maintain business continuity.
TL;DR
Article 4 mandates companies to have a comprehensive ICT asset management policy. This policy ensures that all ICT assets are carefully tracked, managed, and documented throughout their lifecycle. The policy must also account for the complexities of legacy systems and external dependencies, ensuring that financial entities can manage risks effectively and maintain business continuity.
FULL VERSION
Article 4 outlines the requirements for companies to manage their ICT assets effectively. This is a critical part of ICT security and risk management. Here's a breakdown of the key elements:
1. Development of ICT Asset Management Policy
Mandatory Policy: Financial entities are required to create, document, and implement a policy specifically for the management of their ICT assets. This policy is part of the broader ICT security policies outlined in Article 9(2) of Regulation (EU) 2022/2554.
2. Key Components of the ICT Asset Management Policy
The policy must include several essential elements:
a. Monitoring and Lifecycle Management
The policy must include procedures for monitoring and managing the entire lifecycle of ICT assets. This includes identifying and classifying ICT assets according to the standards set out in Article 8(1) of Regulation (EU) 2022/2554. Lifecycle management ensures that ICT assets are tracked from acquisition to disposal, minimizing risks throughout their usage.
b. Record-Keeping Requirements
Financial entities must maintain detailed records of their ICT assets, including:
Unique Identifier: Each ICT asset must have a unique identifier for easy tracking.
Location Information: Both physical and logical locations of ICT assets must be recorded.
Classification: Assets must be classified according to their importance and risk, as required by Article 8(1) of Regulation (EU) 2022/2554.
Asset Owners: The policy must identify the owners responsible for each ICT asset.
Business Functions: The records should specify which business functions or services each ICT asset supports.
Continuity Requirements: ICT business continuity requirements, including recovery time objectives (RTO) and recovery point objectives (RPO), must be documented.
External Network Exposure: Information on whether an ICT asset is exposed to external networks, like the internet, must be recorded.
Interdependencies: The links and interdependencies between ICT assets and the business functions they support should be noted.
Support End Dates: If ICT assets rely on third-party service providers, records should include the end dates of the regular, extended, and custom support services. This ensures that entities are aware when an asset will no longer be supported.
c. Legacy ICT Systems
For financial entities other than microenterprises, the policy must include information necessary for assessing ICT risks associated with legacy systems, as mentioned in Article 8(7) of Regulation (EU) 2022/2554. Legacy systems often present increased risks due to outdated technology and limited support, so assessing these risks is crucial.
Summary
Article 4 mandates financial entities to have a comprehensive ICT asset management policy. This policy ensures that all ICT assets are carefully tracked, managed, and documented throughout their lifecycle. The policy must also account for the complexities of legacy systems and external dependencies, ensuring that financial entities can manage risks effectively and maintain business continuity.
ICT asset management procedure
Article 5 mandates companies to establish a detailed procedure for managing ICT assets, which includes assessing the criticality of each asset based on the risks it poses to business functions and the potential consequences of its loss.
TL;DR
Article 5 mandates companies to establish a detailed procedure for managing ICT assets, which includes assessing the criticality of each asset based on the risks they pose to business functions and the potential consequences of their loss. This ensures that financial entities focus their security efforts on the most critical assets, maintaining the integrity, availability, and confidentiality of their operations.
FULL VERSION
Article 5 of the regulation focuses on establishing a structured procedure for managing ICT assets within financial entities. Here's a breakdown of its key elements:
1. Developing a Procedure for ICT Asset Management
Requirement: Financial entities are required to create, document, and implement a clear procedure for managing their ICT assets. This procedure is essential for ensuring that all assets are handled consistently and effectively throughout their lifecycle.
Purpose: The goal is to ensure that all ICT assets are properly managed, from acquisition to disposal, in a way that aligns with the entity's broader security and operational objectives.
2. Criticality Assessment Criteria
The procedure must include specific criteria for assessing the importance, or criticality, of both information assets and ICT assets that support key business functions. This assessment helps prioritize resources and protections based on the significance of the assets.
a. ICT Risk Related to Business Functions
The assessment should consider the risks associated with the business functions that rely on these ICT assets. This includes evaluating how the failure or compromise of an ICT asset might disrupt important business processes.
b. Impact on Confidentiality, Integrity, and Availability
The assessment should also account for how the loss of confidentiality (protection from unauthorized access), integrity (accuracy and reliability), and availability (accessibility when needed) of these assets would affect the financial entity's business operations. This helps determine the level of protection and resources needed to secure each asset.
Summary
In essence, Article 5 mandates financial entities to establish a detailed procedure for managing ICT assets, which includes assessing the criticality of each asset based on the risks they pose to business functions and the potential consequences of their loss. This ensures that financial entities focus their security efforts on the most critical assets, maintaining the integrity, availability, and confidentiality of their operations.
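The asset register below is an added example, not code from the regulation or from this page, and it serves both the Article 4 record-keeping requirements and the Article 5 criticality assessment. Each record carries the fields Article 4 lists (unique identifier, physical and logical location, classification, owner, supported business functions, RTO and RPO, external network exposure, interdependencies, and third-party support end dates), and the criticality function follows the two Article 5 criteria: the risk to the business functions that rely on the asset, including through dependants, and the impact of losing confidentiality, integrity or availability. The 1 to 4 impact scale, the rule that a critical business function raises the level by one, the function-importance table and the four sample assets are constructed assumptions.

```python
"""Added example (not from the regulation or this page): an ICT asset
register with Article 4 record fields and an Article 5 criticality
assessment. Scales, rules and sample assets are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ICTAsset:
    asset_id: str                 # unique identifier
    name: str
    physical_location: str
    logical_location: str         # e.g. network zone (constructed labels)
    classification: str           # per the entity's classification scheme
    owner: str
    business_functions: list      # business functions or services supported
    rto_hours: float              # recovery time objective
    rpo_hours: float              # recovery point objective
    externally_exposed: bool      # reachable from external networks such as the internet
    cia_impact: dict              # loss impact per property, 1 low .. 4 severe (assumed scale)
    depends_on: list = field(default_factory=list)
    support_end: Optional[date] = None           # regular third-party support end
    extended_support_end: Optional[date] = None  # extended or custom support end


# Assumed importance of each business function for the entity.
FUNCTION_IMPORTANCE = {"payments": "critical", "ledger": "critical",
                       "regulatory reporting": "important", "staff intranet": "other"}
LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def dependants_of(register, asset_id):
    """Transitive set of assets that directly or indirectly depend on asset_id."""
    result, frontier = set(), [asset_id]
    while frontier:
        current = frontier.pop()
        for a in register:
            if current in a.depends_on and a.asset_id not in result:
                result.add(a.asset_id)
                frontier.append(a.asset_id)
    return result


def functions_at_risk(register, asset_id):
    """Business functions disrupted if asset_id fails, following interdependencies."""
    by_id = {a.asset_id: a for a in register}
    ids = {asset_id} | dependants_of(register, asset_id)
    return {f for i in ids for f in by_id[i].business_functions}


def criticality(register, asset):
    """Assumed rule: highest CIA loss impact, raised one level (capped at 4) when
    the asset underpins a critical business function, directly or via dependants."""
    score = max(asset.cia_impact.values())
    if any(FUNCTION_IMPORTANCE.get(f) == "critical" for f in functions_at_risk(register, asset.asset_id)):
        score = min(4, score + 1)
    return LEVELS[score]


def support_status(asset, today):
    """Where the asset stands against its recorded third-party support end dates."""
    if asset.support_end is None or today < asset.support_end:
        return "supported"
    if asset.extended_support_end and today < asset.extended_support_end:
        return "extended support"
    return "unsupported"


def register_findings(register, today):
    """What a register review would flag: unsupported assets and exposed critical ones."""
    return {
        "unsupported": sorted(a.asset_id for a in register if support_status(a, today) == "unsupported"),
        "exposed_critical": sorted(a.asset_id for a in register
                                   if a.externally_exposed and criticality(register, a) == "critical"),
    }


# Constructed sample register (fictitious assets and values).
ASSESSMENT_DATE = date(2025, 6, 1)
SAMPLE_REGISTER = [
    ICTAsset("SRV-DB-01", "core ledger database", "DC-A rack 12", "db-zone", "confidential",
             "Head of Core Banking IT", ["ledger"], 2, 0.25, False, {"c": 4, "i": 4, "a": 4}),
    ICTAsset("APP-PAY-01", "payment gateway", "DC-A rack 3", "dmz", "confidential",
             "Payments Platform Lead", ["payments"], 1, 0.5, True, {"c": 3, "i": 4, "a": 4},
             depends_on=["SRV-DB-01"]),
    ICTAsset("SRV-RPT-01", "legacy reporting server", "DC-B rack 7", "internal", "internal",
             "Finance IT", ["regulatory reporting"], 24, 24, False, {"c": 2, "i": 3, "a": 2},
             depends_on=["SRV-DB-01"], support_end=date(2023, 12, 31),
             extended_support_end=date(2024, 12, 31)),
    ICTAsset("WEB-INT-01", "staff intranet", "cloud region (constructed)", "internal", "internal",
             "Workplace IT", ["staff intranet"], 48, 24, False, {"c": 2, "i": 1, "a": 1}),
]

if __name__ == "__main__":
    for a in SAMPLE_REGISTER:
        print(a.asset_id, criticality(SAMPLE_REGISTER, a), support_status(a, ASSESSMENT_DATE),
              sorted(functions_at_risk(SAMPLE_REGISTER, a.asset_id)))
    print(register_findings(SAMPLE_REGISTER, ASSESSMENT_DATE))
```

Following `depends_on` in reverse is what turns the recorded interdependencies into something useful: the database supports only the ledger directly, but its failure also takes down payments and regulatory reporting, which is why it is assessed as critical.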
Encryption and cryptographic controls
Article 6 mandates financial entities to establish a well-defined risk-based policy on encryption and cryptographic controls that is integrated with their overall ICT security framework. The policy must cover various aspects of encryption, including data at rest, data in transit, network encryption, and cryptographic key management.
TL;DR
Article 6 mandates financial entities to establish a well-defined policy on encryption and cryptographic controls that is integrated with their overall ICT security framework. This policy must cover various aspects of encryption, including data at rest, data in transit, network encryption, and cryptographic key management. The policy should be based on risk assessments, updated regularly in response to new threats, and, where necessary, include alternative mitigation measures with proper documentation.
FULL VERSION
Article 6 of this regulation focuses on the requirements for financial entities to establish and maintain a comprehensive policy on encryption and cryptographic controls as part of their broader ICT security framework. Here's a detailed breakdown:
1. Policy Development and Implementation
Requirement: Financial entities must create, document, and implement a policy that addresses encryption and cryptographic controls.
Integration: This policy should be a component of the broader ICT security policies, procedures, protocols, and tools required by the regulation.
2. Designing the Policy
Basis: The encryption policy should be designed based on the results of a data classification and ICT risk assessment that has been approved.
Rules to Include:
Data Encryption: This includes rules for encrypting data when it is at rest (stored data) and in transit (data being transferred).
Encryption of Data in Use: Where encryption of active data (data in use) isn't feasible, the data should be processed in a secure and isolated environment, or equivalent measures should be taken to ensure its security.
Network Encryption: Rules for encrypting internal network connections and any traffic with external parties should be outlined.
Cryptographic Key Management: Rules must be established for the proper use, protection, and lifecycle management of cryptographic keys, which are detailed further in Article 7.
3. Criteria for Cryptographic Techniques
Selection Criteria: The policy should include criteria for selecting cryptographic techniques and usage practices, considering:
Leading Practices and Standards: As defined in relevant EU regulations, including international standards for cryptography.
ICT Asset Classification: Based on the classification of ICT assets, the entity should choose the appropriate cryptographic techniques.
Mitigation Measures: If the financial entity cannot use the most reliable cryptographic techniques or adhere to leading practices and standards, it must adopt other measures to mitigate and monitor risks, ensuring resilience against cyber threats.
4. Updating Cryptographic Technology
Requirement: The policy should also include provisions for updating or changing cryptographic technology based on advancements in cryptanalysis (the study of breaking cryptographic systems).
Resilience: The updates or changes should ensure that the cryptographic methods continue to be effective against emerging cyber threats. If the technology cannot be updated, similar to the previous point, mitigation measures should be implemented.
5. Recording Mitigation Measures
Documentation: If mitigation measures are adopted instead of leading practices or updates, the entity must record these measures.
Explanation: A detailed explanation for adopting these alternative measures must be provided, ensuring accountability and transparency.
Summary
Article 6 mandates financial entities to establish a well-defined policy on encryption and cryptographic controls that is integrated with their overall ICT security framework. This policy must cover various aspects of encryption, including data at rest, data in transit, network encryption, and cryptographic key management. The policy should be based on risk assessments, updated regularly in response to new threats, and, where necessary, include alternative mitigation measures with proper documentation.
Cryptographic key management
Article 7 handles cryptographic key management policies. Companies must manage keys throughout their lifecycle, ensuring they are securely generated, stored, transmitted, and retired. Protective controls must be in place to safeguard keys against various risks, and methods for replacing compromised keys must be established. Additionally, a register of certificates must be maintained and kept current, and certificates must be renewed before they expire to ensure continuous security.
TL;DR
Article 7 handles cryptographic key management policies. Companies must manage keys throughout their lifecycle, ensuring they are securely generated, stored, transmitted, and retired. Protective controls must be in place to safeguard keys against various risks, and methods for replacing compromised keys must be established. Additionally, a register of certificates must be maintained and kept current, and certificates must be renewed before they expire to ensure continuous security.
FULL VERSION
Article 7 outlines the requirements for cryptographic key management in financial entities, emphasizing the importance of managing and protecting cryptographic keys throughout their entire lifecycle. Here's a breakdown of the key points:
1. Lifecycle Management
Requirement: Financial entities must establish a policy for managing cryptographic keys that covers all stages of their lifecycle. This includes:
Generating: Creating new cryptographic keys.
Renewing: Updating keys periodically.
Storing: Securely storing keys.
Backing Up: Creating backup copies of keys in case the primary key is lost or damaged.
Archiving: Safely storing keys that are no longer in active use but may be needed for reference.
Retrieving: Accessing stored keys when necessary.
Transmitting: Securely transferring keys between systems or parties.
Retiring and Revoking: Deactivating keys when they are no longer needed or if they have been compromised.
Destroying: Securely erasing keys that are no longer required.
2. Protection of Cryptographic Keys
Controls: Financial entities must implement protective measures to ensure cryptographic keys are safeguarded throughout their lifecycle. This includes protection against:
Loss: Preventing accidental or intentional loss of keys.
Unauthorized Access: Ensuring only authorized personnel can access keys.
Disclosure: Preventing unauthorized parties from gaining knowledge of the keys.
Modification: Ensuring keys cannot be altered by unauthorized individuals.
Design Basis: These controls should be designed based on the results of data classification and ICT risk assessments to ensure they are appropriate for the entity's specific risk environment.
3. Key Replacement
Contingency Methods: Entities must develop methods for replacing cryptographic keys in cases where they are lost, compromised, or damaged. This ensures that operations can continue securely even if an issue with the keys arises.
4. Certificate Register
Register Maintenance: Financial entities are required to maintain a register that lists all certificates and devices that store certificates. This is particularly important for ICT assets that support critical or important functions.
Up-to-Date Information: The register must be kept current, ensuring that all relevant details are always accurate.
5. Certificate Renewal
Prompt Renewal: Financial entities must ensure that certificates are renewed promptly, well before they expire. This helps avoid any disruption in services or security vulnerabilities that could occur if a certificate were to lapse.
Summary
The cryptographic key management policy in financial entities must comprehensively manage keys throughout their lifecycle, ensuring they are securely generated, stored, transmitted, and retired. Protective controls must be in place to safeguard keys against various risks, and methods for replacing compromised keys must be established. Additionally, a register of certificates must be maintained and kept current, and certificates must be renewed before they expire to ensure continuous security.
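The following is an added example, not code from the regulation or from this page. It models the Article 7 lifecycle stages as a state machine whose transitions are enforced (a destroyed key cannot come back, a retired key cannot be reactivated), adds a renewal routine and the contingency method for replacing a compromised key, and keeps a certificate register that reports which certificates must be renewed before they lapse. The state names, the allowed transitions, the 30-day renewal lead time and the sample certificates are constructed assumptions; the key material is a random token from the `secrets` module purely so the record has something to erase, whereas real key material would live in an HSM or a key management service.

```python
"""Added example (not from the regulation or this page): Article 7 key
lifecycle as an enforced state machine, key replacement, and a certificate
register with renewal-before-expiry checks. Names and samples are constructed."""
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class KeyState(Enum):
    GENERATED = "generated"
    ACTIVE = "active"
    RETIRED = "retired"      # no longer used for new operations
    REVOKED = "revoked"      # withdrawn early, e.g. after compromise
    ARCHIVED = "archived"    # kept only to decrypt or verify old material
    DESTROYED = "destroyed"


# Assumed allowed transitions; anything else is rejected.
TRANSITIONS = {
    KeyState.GENERATED: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.RETIRED, KeyState.REVOKED},
    KeyState.RETIRED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.REVOKED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.ARCHIVED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}


@dataclass
class KeyRecord:
    key_id: str
    purpose: str
    created: date
    state: KeyState = KeyState.GENERATED
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    history: list = field(default_factory=list)   # audit trail of (when, from, to, reason)

    def transition(self, new_state, when, reason):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key_id}: {self.state.value} -> {new_state.value} not allowed")
        self.history.append((when, self.state, new_state, reason))
        self.state = new_state
        if new_state is KeyState.DESTROYED:
            self.material = b""                   # erase material on destruction


def rotate(old, new_id, when, reason="scheduled renewal"):
    """Renew: activate a freshly generated replacement, then retire the old key."""
    new = KeyRecord(new_id, old.purpose, when)
    new.transition(KeyState.ACTIVE, when, f"replaces {old.key_id}")
    old.transition(KeyState.RETIRED, when, reason)
    return new


def replace_compromised(old, new_id, when):
    """Contingency method: revoke a compromised key at once and issue a replacement."""
    old.transition(KeyState.REVOKED, when, "compromised")
    new = KeyRecord(new_id, old.purpose, when)
    new.transition(KeyState.ACTIVE, when, f"replaces revoked {old.key_id}")
    return new


@dataclass
class Certificate:
    subject: str
    device: str                       # device or ICT asset holding the certificate
    supports_critical_function: bool
    not_after: date


def certificates_needing_renewal(register, today, lead_days=30):
    """Certificates expiring within lead_days (or already expired), most urgent first."""
    due = [c for c in register if c.not_after - today <= timedelta(days=lead_days)]
    return sorted(due, key=lambda c: c.not_after)


def already_expired(register, today):
    """Subjects whose certificate has lapsed: the situation prompt renewal is meant to prevent."""
    return [c.subject for c in register if c.not_after < today]


# Constructed sample register (fictitious names under the reserved .test domain).
CHECK_DATE = date(2025, 6, 20)
CERT_REGISTER = [
    Certificate("payments.example.test", "APP-PAY-01", True, date(2025, 7, 10)),
    Certificate("intranet.example.test", "WEB-INT-01", False, date(2026, 1, 31)),
    Certificate("legacy-rpt.example.test", "SRV-RPT-01", False, date(2025, 5, 20)),
]

if __name__ == "__main__":
    k1 = KeyRecord("K-1", "tls-signing", CHECK_DATE)
    k1.transition(KeyState.ACTIVE, CHECK_DATE, "put into service")
    k2 = rotate(k1, "K-2", CHECK_DATE)
    print(k1.key_id, k1.state.value, "|", k2.key_id, k2.state.value)
    for c in certificates_needing_renewal(CERT_REGISTER, CHECK_DATE):
        print("renew", c.subject, "on", c.device, "expires", c.not_after)
```

Usage: run the file to see a rotation and the renewal list; in practice the register would be fed from certificate discovery on the devices listed, and the renewal lead time would be longer for certificates marked as supporting critical or important functions.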
Policies and procedures for ICT operations
Article 8 establishes a framework for managing ICT operations and assets. These policies and procedures aim to strengthen resilience against ICT-related risks, keep operations running smoothly, and maintain the integrity, availability, and confidentiality of systems and data.
TL;DR
Article 8 establishes a framework for managing ICT operations and assets. These policies and procedures aim to strengthen resilience against ICT-related risks, keep operations running smoothly, and maintain the integrity, availability, and confidentiality of systems and data.
FULL VERSION
Article 8 of this regulation focuses on establishing policies and procedures for ICT operations within financial entities. These policies and procedures are part of a broader ICT security framework required by Regulation (EU) 2022/2554. The primary goal is to ensure that ICT assets are managed securely and efficiently, with clear guidelines on operations, monitoring, control, and restoration. The policies must cover various aspects of ICT operations, including secure installation, backup processes, error handling, and separation of environments.
Breakdown of Key Requirements:
1. Development of ICT Operations Policies and Procedures:
Requirement: Financial entities must develop, document, and implement policies and procedures specifically focused on ICT operations.
Purpose: These policies should define how the financial entity operates, monitors, controls, and restores its ICT assets. Additionally, all ICT operations should be documented clearly.
2. Content of ICT Operations Policies and Procedures:
The policies must cover several specific areas:
a. ICT Assets Description:
Secure Installation and Maintenance: Guidelines for the secure installation, configuration, and deinstallation of ICT systems.
Information Asset Management: Requirements for managing information assets used by ICT systems, including both automated and manual processes.
Legacy Systems: Identification and control of legacy ICT systems that may still be in use but could pose risks due to outdated technology.
b. Controls and Monitoring of ICT Systems:
Backup and Restore: Requirements for backing up ICT systems and restoring them when necessary.
Scheduling: Consideration of dependencies among ICT systems when scheduling tasks.
Audit Trails and Logs: Protocols for managing audit trails and system logs to track operations and detect issues.
Minimizing Disruptions: Ensuring that internal audits and testing minimize disruptions to normal business operations.
Separation of Environments: Strict separation between production environments and other environments like development and testing to avoid contamination and risks.
Testing in Production: If testing occurs in a production environment, it should be limited, well-justified, and properly approved.
c. Error Handling:
Procedures and Protocols: Clear procedures for handling errors in ICT systems.
Support and Escalation Contacts: Both internal and external contacts should be established for dealing with operational or technical issues.
System Recovery: Procedures for restarting, rolling back, and recovering ICT systems in case of disruption.
3. Separation of Environments:
Requirement: Financial entities must ensure that production environments are separated from development, testing, and other non-production environments. This includes the separation of accounts, data, and connections.
Testing in Production: When testing in a production environment is necessary, it must be clearly identified, justified, and approved. Measures must also be taken to maintain the security and integrity of the production environment during these activities.
Key Considerations:
Security Focus: The policies and procedures must prioritize security in all aspects, including encryption, access controls, and data protection.
Documentation and Accountability: All ICT operations and related procedures must be documented, and there should be clear accountability at every stage.
Regular Updates: The policies and procedures must be regularly reviewed and updated in line with the evolving ICT landscape and emerging threats.
Conclusion:
Article 8 establishes a comprehensive framework for managing ICT operations within financial entities. By adhering to these requirements, financial entities can enhance their resilience against ICT-related risks, ensure smooth operations, and maintain the integrity, availability, and confidentiality of their systems and data.
Capacity and performance management
Article 9 requires financial entities to proactively manage the capacity and performance of their ICT systems by identifying capacity needs, optimizing resources, and continuously monitoring system performance, availability, and efficiency.
TL;DR
Article 9 requires financial entities to proactively manage the capacity and performance of their ICT systems. By identifying capacity needs, optimizing resources, and continuously monitoring performance, entities keep their ICT systems available and efficient, prevent capacity shortages, and address the unique challenges of more complex or resource-intensive ICT systems. This is crucial for ensuring operational continuity and mitigating the risk of disruptions.
FULL VERSION
Article 9 focuses on ensuring that financial entities have effective procedures in place to manage the capacity and performance of their ICT systems. This is a key part of maintaining digital operational resilience and is integrated into the broader ICT security framework mandated by Regulation (EU) 2022/2554.
Key Points:
Development of Procedures:
Financial entities are required to develop, document, and implement procedures that focus on managing the capacity and performance of their ICT systems.
These procedures are part of the overall ICT security policies, protocols, and tools required by the regulation.
Objectives of Capacity and Performance Management Procedures: The procedures should address the following objectives:
a. Identification of Capacity Requirements:
Financial entities must have procedures to identify the capacity needs of their ICT systems. This involves understanding the system's demand and ensuring that the infrastructure can handle current and future loads.
b. Resource Optimisation:
Procedures must include measures for optimizing resources. This means using ICT resources efficiently to avoid wastage and ensure that the systems are running optimally.
c. Monitoring and Improvement:
Financial entities need to continuously monitor their ICT systems to maintain and improve performance in three key areas:
Availability of Data and ICT Systems: Ensuring that systems and data are always accessible when needed.
Efficiency of ICT Systems: Making sure that systems operate smoothly and without unnecessary delays.
Prevention of Capacity Shortages: Avoiding situations where the ICT system runs out of resources, leading to slowdowns or failures.
Special Considerations for Complex Systems:
The procedures must take into account the specificities of certain ICT systems, particularly those that have:
Long or Complex Procurement or Approval Processes: Systems that require extended timelines for procurement or changes.
Resource-Intensive Systems: Systems that demand significant resources, which may include high computing power, storage, or bandwidth.
For these systems, financial entities need to adopt appropriate measures to ensure that their capacity and performance are managed effectively, despite the complexities involved.
Conclusion:
Article 9 ensures that financial entities proactively manage the capacity and performance of their ICT systems. By identifying capacity needs, optimizing resources, and continuously monitoring system performance, financial entities can maintain the availability and efficiency of their systems, prevent capacity shortages, and address the unique challenges of more complex or resource-intensive ICT systems. This is crucial for ensuring operational continuity and mitigating the risk of disruptions.
Vulnerability and patch management
Article 10 instructs companies to establish a systematic approach to managing vulnerabilities in their ICT systems. A proactive approach is recommended, with procedures that draw on trustworthy vulnerability information sources and automated scanning tools, so that potential threats are anticipated and vulnerabilities are quickly identified and addressed. The frequency and depth of these activities should be tailored to the criticality and risk associated with each ICT asset, ensuring that resources are focused where they are most needed.
TL;DR
Article 10 instructs companies to establish a systematic approach to managing vulnerabilities in their ICT systems. By developing procedures that include reliable information resources and automated scanning tools, financial entities can stay ahead of potential threats and ensure that vulnerabilities are quickly identified and addressed, thereby reducing the risk of cyberattacks. The frequency and depth of these activities should be tailored to the criticality and risk associated with each ICT asset, ensuring that resources are focused where they are most needed.
FULL VERSION
Article 10 outlines the requirements for vulnerability and patch management within financial entities. This is a critical aspect of ICT security, ensuring that potential weaknesses in systems are identified and addressed in a timely manner to prevent exploitation by cyber threats.
Key Points:
Vulnerability Management Procedures:
Financial entities must develop, document, and implement procedures specifically for managing vulnerabilities in their ICT systems. These procedures are part of the broader ICT security framework required by Regulation (EU) 2022/2554.
The goal of these procedures is to identify, assess, and mitigate vulnerabilities that could be exploited by attackers.
Key Components of Vulnerability Management: The vulnerability management procedures must include the following key components:
a. Information Resources:
Financial entities are required to identify and update relevant and trustworthy information resources. These resources are essential for staying informed about the latest vulnerabilities affecting their ICT assets.
This involves tracking updates from reputable sources like security vendors, cybersecurity agencies, and industry reports to ensure awareness of emerging threats.
b. Automated Vulnerability Scanning:
The procedures must ensure the performance of automated vulnerability scanning and assessments on ICT assets. Automation helps to continuously monitor and identify vulnerabilities as they emerge.
The frequency and scope of these scans should be proportional to the classification of the ICT assets (as per Article 8(1) of Regulation (EU) 2022/2554) and the overall risk profile of the assets. In other words, more critical or higher-risk assets require more frequent and thorough scans.
Conclusion:
Article 10 mandates financial entities to establish a systematic approach to managing vulnerabilities in their ICT systems. By developing procedures that include reliable information resources and automated scanning tools, financial entities can stay ahead of potential threats and ensure that vulnerabilities are quickly identified and addressed, thereby reducing the risk of cyberattacks. The frequency and depth of these activities should be tailored to the criticality and risk associated with each ICT asset, ensuring that resources are focused where they are most needed.
Data and system security
Article 11 emphasizes the importance of comprehensive data and system security by implementing detailed procedures that cover everything from access restrictions to secure data deletion. The article also stresses the need for close oversight of third-party providers, ensuring that security responsibilities are clearly defined and that the company maintains control over its security posture.
FULL VERSION
Article 11 of the regulation focuses on data and system security for financial entities. It outlines the requirements for developing, documenting, and implementing procedures to secure data and ICT systems. These procedures form part of the broader ICT security framework required by Regulation (EU) 2022/2554.
Key Points:
Data and System Security Procedure:
Financial entities must establish a data and system security procedure as part of their ICT security policies. This procedure should ensure the protection of data and ICT systems based on their classification, as outlined in Article 8(1) of Regulation (EU) 2022/2554.
Essential Security Measures: The procedure must include the following security measures and considerations:
a. Access Restrictions:
Implement access restrictions in line with the classification of data and systems. This ensures that protection levels are appropriate for the sensitivity of the data.
b. Secure Configuration Baseline:
Establish a secure configuration baseline for ICT assets to minimize exposure to cyber threats. Regular checks should be performed to ensure these baselines are effectively deployed.
c. Software Security:
Ensure that only authorized software is installed on ICT systems and endpoint devices, reducing the risk of unauthorized or malicious software.
d. Protection Against Malicious Code:
Implement security measures to guard against malicious code, such as viruses and other malware, ensuring system integrity.
e. Authorized Data Storage:
Ensure that only authorized data storage media, systems, and devices are used to store or transfer the financial entity's data.
f. Portable and Private Endpoint Devices:
Introduce security measures for portable and private devices, including remote management and wiping solutions, ensuring devices cannot be modified or bypassed without authorization.
g. Secure Data Deletion:
Develop processes to securely delete data that is no longer needed, whether stored on-premises or externally.
h. Secure Disposal of Storage Devices:
Ensure that storage devices containing confidential information are securely disposed of or decommissioned.
i. Data Loss and Leakage Prevention:
Implement measures to prevent data loss and leakage from systems and devices.
j. Teleworking and Private Devices:
Ensure that teleworking and the use of private devices do not compromise the ICT security of the financial entity.
k. Third-Party ICT Services:
For ICT assets or services operated by third-party providers, ensure that digital operational resilience is maintained, in line with data classification and ICT risk assessments.
Considerations for Third-Party Providers: When dealing with third-party ICT service providers, financial entities must ensure:
Vendor settings are implemented.
Clear roles and responsibilities are defined between the financial entity and the service provider, ensuring the entity retains full responsibility.
The financial entity maintains adequate competence in managing and securing the services used.
Appropriate technical and organizational measures are in place to minimize risks related to the third-party infrastructure, following leading practices and standards.
Conclusion:
Article 11 emphasizes the importance of comprehensive data and system security for financial entities. By implementing detailed procedures that cover everything from access restrictions to secure data deletion, financial entities can protect their ICT assets and data from a range of cyber threats. The article also stresses the need for close oversight of third-party providers, ensuring that security responsibilities are clearly defined and that the financial entity maintains control over its security posture.
Logging
Article 12 outlines the requirements for logging to enhance security and operational resilience. Proper logging is a critical tool for investigating incidents, maintaining system integrity, and fulfilling regulatory obligations.
TL;DR
Article 12 outlines the requirements for logging to enhance security and operational resilience. By identifying key events, ensuring detailed and protected logging, and implementing measures to detect and address logging failures, systems can be effectively monitored for suspicious activities and compliance with security standards can be ensured. Proper logging is a critical tool for investigating incidents, maintaining system integrity, and fulfilling regulatory obligations.
FULL VERSION
Article 12 of the regulation focuses on logging as a critical component of safeguarding financial entities against intrusions and data misuse. Logging refers to the recording of events and activities within an ICT system, which can later be reviewed to detect anomalies, investigate incidents, and ensure compliance with security policies.
Key Points:
Logging Procedures, Protocols, and Tools:
Financial entities must develop, document, and implement comprehensive logging procedures, protocols, and tools. These measures are essential for monitoring ICT systems and ensuring security.
Key Components of Logging Procedures: The logging procedures must include the following elements:
a. Identification of Events:
Identify which events need to be logged, determine the appropriate retention period for these logs, and establish security measures to protect and handle the log data. The purpose of creating the logs should guide these decisions.
b. Level of Detail:
Ensure that the level of detail in the logs is sufficient to serve their intended purpose, particularly in detecting anomalous activities. This aligns with Article 24, which focuses on monitoring and detecting irregular behavior.
c. Required Logged Events:
The logging procedures must include events related to the following:
Logical and Physical Access Control: Events involving access to systems and identity management (as mentioned in Article 21).
Capacity Management: Monitoring resources to ensure systems function optimally.
Change Management: Tracking changes made to systems and configurations.
ICT Operations: Recording activities related to the operation of ICT systems.
Network Traffic: Monitoring network traffic and ICT network performance.
d. Protection of Logs:
Implement measures to protect logging systems and log information from tampering, deletion, or unauthorized access. This protection must apply to logs when they are stored (at rest), transferred (in transit), and, where relevant, used.
e. Detection of Logging Failures:
Establish measures to detect any failures in logging systems, ensuring that these failures are promptly identified and addressed.
f. Time Synchronization:
Ensure the synchronization of clocks across all ICT systems to a reliable reference time source. This is important for maintaining consistent timestamps across logs, which is crucial for accurate incident investigation. This synchronization should be documented and comply with applicable regulatory requirements under Union or national law.
Retention Period Considerations:
When determining the retention period for logs, financial entities should consider several factors:
Business and information security objectives.
The specific reason for recording the event.
The results of the ICT risk assessment.
Conclusion:
Article 12 outlines the requirements for logging within financial entities to enhance security and operational resilience. By identifying key events, ensuring detailed and protected logging, and implementing measures to detect and address logging failures, financial entities can effectively monitor their systems for suspicious activities and ensure compliance with security standards. Proper logging is a critical tool for investigating incidents, maintaining system integrity, and fulfilling regulatory obligations.
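As an added example (not code from the page or from the regulation), the following Python sketch shows one way to implement points d to f of the logging requirements above: an HMAC-chained record store that makes tampering and deletion detectable, plus a check for sources that have gone silent and for clocks that are not synchronised to the reference time. The event categories follow Article 12(2)(c); the key, heartbeat interval, skew tolerance, source names and sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Event categories that Article 12(2)(c) requires to be logged.
CATEGORIES = {"access_control", "capacity", "change", "ict_operations", "network"}
# Assumed operational parameters for the demonstration (not from the regulation).
HEARTBEAT_INTERVAL = timedelta(minutes=5)    # every source must log at least this often
CLOCK_SKEW_TOLERANCE = timedelta(seconds=2)  # largest acceptable timestamp regression
GENESIS_TAG = b"\x00" * 32                   # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the HMAC covers every field in a fixed order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only log in which each record's tag binds it to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev_tag = GENESIS_TAG
        self.records: list = []

    def append(self, ts: datetime, source: str, category: str, detail: str) -> dict:
        if category not in CATEGORIES:
            raise ValueError(f"{category!r} is not one of the required event categories")
        record = {
            "seq": len(self.records),
            "ts": ts.astimezone(timezone.utc).isoformat(),  # reference time is UTC
            "source": source,
            "category": category,
            "detail": detail,
        }
        tag = hmac.new(self._key, self._prev_tag + canonical(record), hashlib.sha256).digest()
        record["tag"] = tag.hex()
        self._prev_tag = tag
        self.records.append(record)
        return record


def verify_chain(records: list, key: bytes) -> list:
    """Return findings (empty means integrity and continuity hold). A modified field breaks
    its own tag; a deleted or re-ordered record shows as a sequence gap and breaks the next
    tag, since every tag depends on the previous tag as well as the record body."""
    findings = []
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body["seq"] != i:
            findings.append(f"sequence gap: expected seq {i}, found {body['seq']}")
        expected = hmac.new(key, prev_tag + canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            findings.append(f"integrity failure at seq {body['seq']}")
        prev_tag = bytes.fromhex(rec.get("tag", ""))  # continue from the stored tag
    return findings


def detect_logging_failures(records: list, now: datetime) -> list:
    """Flag a source silent for longer than HEARTBEAT_INTERVAL (a logging failure, point e)
    and a timestamp regressing beyond CLOCK_SKEW_TOLERANCE (unsynchronised clock, point f)."""
    findings = []
    last_seen = {}
    high_water = None  # latest timestamp seen so far
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if high_water is not None and high_water - ts > CLOCK_SKEW_TOLERANCE:
            lag = (high_water - ts).total_seconds()
            findings.append(f"clock skew: seq {rec['seq']} from {rec['source']} is {lag:.0f}s behind")
        high_water = ts if high_water is None else max(high_water, ts)
        last_seen[rec["source"]] = max(last_seen.get(rec["source"], ts), ts)
    for source, ts in last_seen.items():
        if now - ts > HEARTBEAT_INTERVAL:
            findings.append(f"logging failure: no record from {source} for {(now - ts).total_seconds():.0f}s")
    return findings


def demo() -> dict:
    """Constructed scenario: healthy chain, tampered copy, copy with a deleted record, silent source."""
    key = b"demo-only-key; keep the real key in an HSM or KMS"
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    log = ChainedLog(key)
    log.append(t0, "iam", "access_control", "privileged login, user alice")
    log.append(t0 + timedelta(minutes=1), "fw01", "network", "rule set reloaded")
    log.append(t0 + timedelta(minutes=2), "cmdb", "change", "CR-1042 deployed to production")
    log.append(t0 + timedelta(minutes=3), "iam", "access_control", "privileged logout, user alice")
    # fw01's clock runs 10 s behind the reference time, so its timestamp regresses.
    log.append(t0 + timedelta(minutes=2, seconds=50), "fw01", "network", "admin session closed")
    tampered = [dict(r) for r in log.records]
    tampered[0]["detail"] = "edited after the fact"  # body changed, stored tag left as is
    deleted = log.records[:2] + log.records[3:]      # record seq 2 removed
    now = t0 + timedelta(minutes=7, seconds=30)      # cmdb has been silent for 5.5 min
    return {
        "clean": verify_chain(log.records, key),
        "tampered": verify_chain(tampered, key),
        "deleted": verify_chain(deleted, key),
        "failures": detect_logging_failures(log.records, now),
    }
```

In a deployment the key would live in an HSM or KMS and the verifier would run on a separate system from the log producers, so that an operator who can write logs cannot also recompute tags.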
Network security management
Article 13 emphasizes the importance of network security management. By implementing robust network segmentation, encryption, access controls, and regular reviews, companies can protect their networks from cyber threats and ensure the integrity and availability of their ICT systems. The article also stresses the need for careful management of network services and ongoing monitoring to maintain a secure network environment.
FULL VERSION
Article 13 outlines the requirements for financial entities to develop, document, and implement comprehensive policies, procedures, protocols, and tools for network security management. This is crucial for safeguarding the security of networks against intrusions and data misuse.
Key Points:
Segregation and Segmentation of ICT Systems and Networks:
Financial entities must implement segregation and segmentation measures in their ICT systems and networks. This involves dividing the network into smaller segments or separate zones based on:
Criticality or Importance: The function that the ICT systems and networks support.
Classification: The classification of ICT assets as established under Article 8(1) of Regulation (EU) 2022/2554.
Risk Profile: The overall risk associated with the ICT assets using those systems and networks.
Documentation of Network Connections and Data Flows:
Financial entities must maintain detailed documentation of all network connections and the flow of data within the organization. This ensures that they have a clear understanding of how data moves through their networks.
Dedicated Network for Administration:
A separate, dedicated network must be used exclusively for the administration of ICT assets. This isolation enhances security by preventing administrative functions from being exposed to potential threats on the main network.
Network Access Controls:
Implement network access controls to prevent and detect unauthorized connections to the financial entity's network. This includes identifying and blocking unauthorized devices or systems and ensuring that endpoints meet security requirements before they can connect.
Encryption of Network Connections:
Network connections, whether on corporate, public, domestic, third-party, or wireless networks, must be encrypted. This encryption should consider the data classification, the results of ICT risk assessments, and the encryption requirements outlined in Article 6(2).
Network Design:
Networks must be designed in line with the entity's ICT security requirements, adhering to leading practices that ensure the confidentiality, integrity, and availability of the network.
Securing Traffic Between Internal Networks and External Connections:
Implement measures to secure network traffic between internal networks and external connections, including the internet. This prevents unauthorized access and data breaches.
Firewall Rules and Connection Filters:
Establish and maintain rules for firewall settings and connection filters. Financial entities must regularly review these rules to ensure they remain effective, especially for systems supporting critical or important functions, where reviews must happen at least every 6 months.
Annual Reviews:
Network architecture and network security design should be reviewed at least once a year (or periodically for microenterprises) to identify potential vulnerabilities.
Temporary Isolation Measures:
In certain situations, financial entities may need to temporarily isolate subnetworks, network components, or devices to protect against threats or contain security incidents.
Secure Configuration and Hardening of Network Components:
Financial entities must implement a secure configuration baseline for all network components. This includes hardening (enhancing security settings) of the network and devices in line with vendor instructions, applicable standards, and leading practices.
Session Management:
Implement procedures to limit, lock, or terminate system and remote sessions after a specified period of inactivity. This reduces the risk of unauthorized access when systems are left unattended.
Network Services Agreements:
For agreements with network service providers, financial entities must:
Identify and specify the ICT and information security measures, service levels, and management requirements.
Clarify whether the services are provided by an ICT intra-group service provider or an ICT third-party service provider.
Conclusion:
Article 13 emphasizes the importance of network security management for financial entities. By implementing robust network segmentation, encryption, access controls, and regular reviews, financial entities can protect their networks from cyber threats and ensure the integrity and availability of their ICT systems. The article also stresses the need for careful management of network services and ongoing monitoring to maintain a secure network environment.
Securing information in transit
Article 14 requires financial entities to adopt comprehensive measures to secure data while it is being transmitted. These include preventive measures against data leaks, enforced confidentiality agreements, and security protocols designed on the basis of data classification and risk assessment.
TL;DR
Article 14 mandates financial entities to adopt comprehensive measures to secure data while it is being transmitted. This includes ensuring that data remains available, authentic, intact, and confidential during transit. To achieve this, financial entities must implement preventive measures against data leaks, enforce confidentiality agreements, and design security protocols based on data classification and risk assessment. This ensures that information remains secure throughout its journey across networks.
FULL VERSION
Article 14 focuses on ensuring the security of information during transit (i.e., when data is being transferred from one location to another) for financial entities. This article mandates the development, documentation, and implementation of policies, procedures, protocols, and tools to protect the availability, authenticity, integrity, and confidentiality of data while it is being transmitted.
Key Points:
Safeguards for Information in Transit:
Financial entities must put in place specific safeguards to protect data during its transmission over networks. These safeguards are designed to ensure that data remains:
Available: The data should be accessible when needed.
Authentic: The data should be genuine and not tampered with.
Intact: The data should remain unaltered during transmission.
Confidential: The data should remain private and protected from unauthorized access.
Compliance Procedures:
Financial entities need to establish procedures to assess compliance with the above requirements. This means regularly checking and verifying that the data is indeed secure during transmission and that all protocols are being followed correctly.
Prevention and Detection of Data Leaks:
Measures should be in place to prevent and detect data leakages during the transfer of information. This includes ensuring that information is securely transferred between the financial entity and external parties (e.g., customers, third-party service providers).
Confidentiality and Non-Disclosure Requirements:
The article emphasizes the need for confidentiality or non-disclosure agreements. These agreements should reflect the specific needs of the financial entity regarding the protection of information. These requirements must be:
Implemented: Ensuring that they are put into practice.
Documented: Keeping clear records of these agreements.
Regularly Reviewed: Updating and reviewing these agreements to ensure they remain effective and relevant.
Design Based on Data Classification and Risk Assessment:
The policies, procedures, protocols, and tools to protect information in transit should be designed based on:
Data Classification: Understanding the sensitivity and importance of the data being transmitted.
ICT Risk Assessment: Evaluating the potential risks associated with the transmission of data and implementing appropriate security measures to mitigate those risks.
Conclusion:
Article 14 mandates financial entities to adopt comprehensive measures to secure data while it is being transmitted. This includes ensuring that data remains available, authentic, intact, and confidential during transit. To achieve this, financial entities must implement preventive measures against data leaks, enforce confidentiality agreements, and design security protocols based on data classification and risk assessment. This ensures that information remains secure throughout its journey across networks.
ICT project management
Article 15 requires a comprehensive ICT project management policy so that the risks associated with the development, acquisition, and maintenance of ICT systems are controlled and mitigated systematically and securely.
TL;DR
Article 15 ensures that ICT projects are managed systematically and securely. By developing a comprehensive ICT project management policy, companies can better control and mitigate risks associated with the development, acquisition, and maintenance of ICT systems. The policy must cover all aspects of project management, from governance and planning to risk assessment and testing. Additionally, the policy should ensure secure implementation and proper reporting to management, particularly for projects that affect critical or important functions.
FULL VERSION
Article 15 outlines the requirements for ICT project management within financial entities, ensuring that the acquisition, maintenance, and development of ICT systems are effectively managed. This article is part of the broader set of safeguards to protect the availability, authenticity, integrity, and confidentiality of data.
Key Points:
ICT Project Management Policy:
Financial entities are required to develop, document, and implement a comprehensive ICT project management policy. This policy serves as a framework to guide how ICT projects are managed, ensuring that they are aligned with the financial entity's overall objectives and safeguards for data security.
Key Elements of the Policy:
The ICT project management policy must cover several critical elements to ensure effective management of ICT projects:
ICT Project Objectives: Clearly defined goals and outcomes for the project.
ICT Project Governance: Establishing roles and responsibilities for project oversight, ensuring accountability.
ICT Project Planning, Timeframe, and Steps: Detailed planning of the project, including timelines and specific actions to be taken.
ICT Project Risk Assessment: Identifying and assessing potential risks associated with the project.
Relevant Milestones: Key points in the project timeline that indicate progress and achievement of objectives.
Change Management Requirements: Procedures to manage and control changes to the project scope, timeline, or objectives.
Testing and Approval Process: Ensuring that all requirements, especially security requirements, are tested and approved before deploying the ICT system in a production environment.
Secure Implementation:
The policy should ensure that ICT projects are implemented securely. This involves providing the necessary information and expertise from the business areas or functions affected by the project. By involving relevant stakeholders, the entity can ensure that the project aligns with its operational needs and security requirements.
Reporting to Management:
For ICT projects that impact critical or important functions of the financial entity, the policy must provide for regular reporting to the management body. This includes:
Reporting on the establishment and progress of such projects, as well as their associated risks.
Reporting can be done individually or in aggregation, depending on the significance of the project.
Reports should be made periodically and, when necessary, on an event-driven basis (e.g., when significant changes or issues arise).
Conclusion:
Article 15 ensures that financial entities manage ICT projects systematically and securely. By developing a comprehensive ICT project management policy, financial entities can better control and mitigate risks associated with the development, acquisition, and maintenance of ICT systems. The policy must cover all aspects of project management, from governance and planning to risk assessment and testing. Additionally, the policy should ensure secure implementation and proper reporting to management, particularly for projects that affect critical or important functions.
ICT systems acquisition, development, and maintenance
Article 16 emphasizes the importance of rigorous controls over the entire lifecycle of ICT systems. Clear policies and procedures should be established for acquisition, development, maintenance, and testing of ICT systems to make sure that they are secure, reliable, and compliant with regulatory requirements. The article also underscores the need for continuous monitoring and review, particularly in relation to source code integrity and the use of production data in testing environments.
FULL VERSION
Article 16 of the regulation outlines the requirements for financial entities regarding the acquisition, development, and maintenance of ICT systems. This article aims to ensure that ICT systems are secure, reliable, and meet the necessary standards to protect the availability, authenticity, integrity, and confidentiality of data.
Key Points:
Policy Development (Paragraph 1):
Financial entities must develop, document, and implement a policy governing the acquisition, development, and maintenance of ICT systems.
The policy must:
Identify security practices and methodologies related to acquiring, developing, and maintaining ICT systems.
Define technical specifications and requirements for ICT systems, especially focusing on ICT security requirements.
Mitigate risks related to the unintentional alteration or intentional manipulation of ICT systems during their development, maintenance, and deployment in production environments.
Testing and Approval Procedures (Paragraph 2):
Financial entities must establish a procedure for testing and approving ICT systems before they are put into use or after they undergo maintenance. This is crucial for verifying that systems function as intended.
The level of testing should correspond to the criticality of the business processes and ICT assets involved.
For entities like central counterparties and central securities depositories, additional stakeholders (e.g., clearing members, users, other market infrastructures) should be involved in the testing process.
Source Code Review (Paragraph 3):
The testing and approval procedure must include source code reviews covering both static and dynamic testing; for internet-exposed systems and applications, that testing must include security testing.
As part of these reviews, financial entities must:
Identify and analyze vulnerabilities in the source code.
Develop an action plan to address these vulnerabilities.
Monitor the implementation of the action plan to ensure issues are resolved.
Security Testing (Paragraph 4):
The procedure should ensure that security testing of software packages occurs no later than the integration phase. This is essential to identify security issues before the software goes live.
Data Handling in Non-Production Environments (Paragraph 5):
Non-production environments (e.g., testing environments) should only store anonymized, pseudonymized, or randomized data to protect the integrity and confidentiality of data.
Exception (Paragraph 6): In specific cases, production data may be used in non-production environments, but only for limited periods and with the necessary approvals.
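Paragraph 5 names three acceptable treatments (anonymised, pseudonymised, randomised) without saying how to combine them. The script below is an added example, not code from the page or the regulation, showing one common combination: join keys are pseudonymised with a keyed HMAC so rows in different tables still line up, shape-only fields are randomised, and free text is dropped. The table names, field names and the two sample tables are constructed for the example; the key is assumed to live only in production.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample rows standing in for two production tables (assumed schema).
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "iban": "DE89370400440532013000", "notes": "VIP, call mobile"},
    {"customer_id": "C-1002", "name": "Bob Sample", "iban": "GB29NWBK60161331926819", "notes": ""},
]
TRANSACTIONS = [
    {"tx_id": "T-1", "customer_id": "C-1001", "amount": 120.50},
    {"tx_id": "T-2", "customer_id": "C-1002", "amount": 99.99},
    {"tx_id": "T-3", "customer_id": "C-1001", "amount": 5.00},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs map to equal tokens, so joins
    between tables still work, but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def randomised_iban(country: str, rng: random.Random) -> str:
    """Shape-preserving random value: keeps the country code so format checks in
    test code still pass; the rest carries no production data (and is not a
    checksum-valid IBAN)."""
    return country + "".join(rng.choice("0123456789") for _ in range(20))


def build_test_dataset(customers, transactions, key: bytes, seed: int = 0):
    """Return (customers, transactions) suitable for a non-production environment."""
    rng = random.Random(seed)
    out_customers = [
        {
            "customer_id": pseudonymise(c["customer_id"], key),  # join key: pseudonymised
            "name": f"Test Customer {i:04d}",                    # not needed for joins: replaced
            "iban": randomised_iban(c["iban"][:2], rng),         # shape only: randomised
            # "notes" is free text and may contain anything, so it is dropped entirely.
        }
        for i, c in enumerate(customers, start=1)
    ]
    out_transactions = [
        {
            "tx_id": pseudonymise(t["tx_id"], key),
            "customer_id": pseudonymise(t["customer_id"], key),
            "amount": t["amount"],  # assumed non-identifying business data, kept as-is
        }
        for t in transactions
    ]
    return out_customers, out_transactions


def referential_integrity_ok(customers, transactions) -> bool:
    """Every transaction must still point at a customer row after pseudonymisation."""
    ids = {c["customer_id"] for c in customers}
    return all(t["customer_id"] in ids for t in transactions)


def leaked_values(original_rows, output_rows) -> list:
    """Acceptance check before copying to test: no non-empty production string
    value may survive verbatim in the output."""
    originals = {v for row in original_rows for v in row.values() if isinstance(v, str) and v}
    return [v for row in output_rows for v in row.values() if isinstance(v, str) and v in originals]


if __name__ == "__main__":
    # The key is generated and kept in production (secrets manager or HSM);
    # it is never shipped with the dataset.
    key = secrets.token_bytes(32)
    cust, tx = build_test_dataset(CUSTOMERS, TRANSACTIONS, key)
    assert referential_integrity_ok(cust, tx)
    assert not leaked_values(CUSTOMERS, cust) and not leaked_values(TRANSACTIONS, tx)
    for row in cust + tx:
        print(row)
```

Two caveats worth keeping in mind when applying this. Whoever holds the HMAC key can recompute the tokens from production identifiers, so pseudonymised data remains personal data under the GDPR and the key must stay under production access control. A deterministic token also preserves frequency: a low-cardinality field (country, product type) pseudonymised this way can be guessed from counts, so such fields should be randomised or generalised rather than pseudonymised.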
Source Code Integrity (Paragraph 7):
The procedure must implement controls to protect the integrity of source code, whether developed in-house or by third-party providers.
Proprietary and Open-Source Software (Paragraph 8):
Proprietary software and, where feasible, source code from third-party providers or open-source projects must be analyzed and tested before deployment in production environments. This ensures that any software used by the financial entity meets security and performance standards.
Applicability to User-Developed ICT Systems (Paragraph 9):
The requirements of this article also apply to ICT systems developed or managed by users outside the ICT function (e.g., in other departments), using a risk-based approach. This ensures that all ICT systems, regardless of where they are developed, are subject to appropriate security controls.
Conclusion:
Article 16 emphasizes the importance of rigorous controls over the entire lifecycle of ICT systems within financial entities. By establishing clear policies and procedures for acquisition, development, maintenance, and testing, financial entities can ensure their ICT systems are secure, reliable, and compliant with regulatory requirements. The article also underscores the need for continuous monitoring and review, particularly in relation to source code integrity and the use of production data in testing environments.
ICT change management
Article 17 emphasizes the importance of controlled and secure management of ICT changes. It requires thorough planning, independent review, and clear communication of changes, as well as emergency procedures and post-change assessments.
TL;DR
Article 17 emphasizes the importance of controlled and secure management of ICT changes. It requires thorough planning, independent review, and clear communication of changes, as well as emergency procedures and post-change assessments. The article also highlights the need for stringent testing after significant changes, especially for central counterparties and securities depositories, involving relevant stakeholders to ensure the continued resilience and security of ICT systems.
FULL VERSION
Article 17 of the regulation focuses on ICT change management to ensure that any changes to ICT systems, whether in software, hardware, firmware, or security parameters, are implemented in a secure, controlled, and documented manner. The goal is to safeguard the availability, authenticity, integrity, and confidentiality of data during changes.
Key Points:
ICT Change Management Procedures (Paragraph 1): Financial entities must include the following elements in their ICT change management procedures:
Verification of Security Requirements (Point a):
Ensure that ICT security requirements are met before any changes are approved.
Independence of Functions (Point b):
The roles responsible for approving changes should be independent of those requesting and implementing the changes. This ensures an unbiased review of changes.
Clear Roles and Responsibilities (Point c):
Establish clear descriptions of roles for specifying, planning, and implementing changes, ensuring that:
Changes are well-planned.
Adequate transitions are designed to move from old to new systems or configurations.
Changes are tested and finalized in a controlled manner.
Quality assurance processes are in place.
Documentation and Communication (Point d):
Document and communicate change details, including:
The purpose and scope of the change.
The timeline for implementation.
The expected outcomes of the change.
Fall-Back Procedures (Point e):
Identify and document fall-back procedures and responsibilities, ensuring there are plans to:
Abort changes if necessary.
Recover from changes that were not successfully implemented.
Emergency Change Management (Points f and g):
Develop procedures for managing emergency changes with adequate safeguards.
Document, reassess, and approve emergency changes after they are implemented, including workarounds and patches.
Impact on ICT Security (Point h):
Identify the potential impact of changes on existing ICT security measures and assess if additional security measures are needed.
Testing After Significant Changes (Paragraph 2):
After significant changes to ICT systems, central counterparties and central securities depositories must subject their systems to stringent testing under simulated stressed conditions.
Central Counterparties: Should involve relevant stakeholders, such as:
Clearing members and clients.
Interoperable central counterparties.
Other interested parties.
Central Securities Depositories: Should involve:
Users.
Critical utilities and service providers.
Other central securities depositories.
Other market infrastructures.
Any other institutions identified in their ICT business continuity policy.
Conclusion:
Article 17 emphasizes the importance of controlled and secure management of ICT changes in financial entities. It requires thorough planning, independent review, and clear communication of changes, as well as emergency procedures and post-change assessments. The article also highlights the need for stringent testing after significant changes, especially for central counterparties and securities depositories, involving relevant stakeholders to ensure the continued resilience and security of ICT systems.
Physical and environmental security
Article 18 emphasizes the importance of physical and environmental security. It requires the creation of a comprehensive policy that addresses access control, protection against physical threats, and the security of ICT assets. The policy should also include clear desk and screen policies to protect sensitive information and ensure the secure handling of unattended ICT assets.
TL;DR
Article 18 emphasizes the importance of physical and environmental security. It requires the creation of a comprehensive policy that addresses access control, protection against physical threats, and the security of ICT assets. The policy should also include clear desk and screen policies to protect sensitive information and ensure the secure handling of unattended ICT assets.
FULL VERSION
Article 18 outlines the requirements for physical and environmental security in financial entities. The goal is to ensure the availability, authenticity, integrity, and confidentiality of data and ICT assets by protecting them from physical threats, such as attacks, accidents, and environmental hazards.
Key Points:
Physical and Environmental Security Policy (Paragraph 1):
Financial entities must specify, document, and implement a physical and environmental security policy.
The policy should be designed considering:
The cyber threat landscape.
The classification of data and assets as established in Article 8(1) of Regulation (EU) 2022/2554.
The overall risk profile of ICT and information assets.
Contents of the Security Policy (Paragraph 2): The policy must include the following elements:
Access Control Management (Point a):
Reference the section of the policy that deals with control of access management rights, as required by Article 21.
Protection from Attacks and Environmental Threats (Point b):
Implement measures to protect premises, data centers, and sensitive areas from attacks, accidents, and environmental threats or hazards.
These areas are critical because they house ICT assets and information assets.
Security of ICT Assets (Point c):
Implement measures to secure ICT assets both within and outside the premises of the financial entity.
These measures should be based on the results of the ICT risk assessment for the relevant assets.
Maintenance of ICT and Information Assets (Point d):
Maintain ICT assets, information assets and physical access control devices (locks, badge readers, cameras and similar) appropriately, so that the availability, authenticity, integrity and confidentiality of the assets they protect are preserved.
Desk and Screen Policies (Point e):
Implement measures to protect data, including:
A clear desk policy: sensitive papers and removable media are not left on desks or printers when unattended.
A clear screen policy: screens are locked or cleared whenever a workstation is left unattended, so that information is not visible to passers-by.
Protection Against Environmental Threats:
The measures to protect against environmental threats should be commensurate with the importance of the premises and the criticality of operations or ICT systems located there.
Protection of Unattended ICT Assets:
The policy should also include measures to protect ICT assets when they are unattended, ensuring they are not vulnerable to theft, damage, or unauthorized access.
Conclusion:
Article 18 emphasizes the importance of physical and environmental security in financial entities. It requires the creation of a comprehensive policy that addresses access control, protection against physical threats, and the security of ICT assets. The policy should also include clear desk and screen policies to protect sensitive information and ensure the secure handling of unattended ICT assets.
Human resources policy
Article 19 ensures that ICT security is integrated into the human resources policies. By assigning specific ICT security responsibilities, ensuring that staff and third-party providers adhere to security policies, and implementing protocols for asset return upon termination, companies can maintain a secure ICT environment and reduce the risk of data breaches or security incidents.
TL;DR
Article 19 ensures that ICT security is integrated into human resources policies. By assigning specific ICT security responsibilities, ensuring that staff and third-party providers adhere to security policies, and implementing protocols for asset return upon termination, companies can maintain a secure ICT environment and reduce the risk of data breaches or security incidents.
FULL VERSION
Article 19 focuses on integrating ICT security-related elements into the human resources policy of financial entities. This ensures that both employees and third-party service providers adhere to the necessary security protocols and responsibilities related to ICT assets.
Key Points:
Identification and Assignment of ICT Security Responsibilities (Point a):
Financial entities must clearly identify and assign specific responsibilities related to ICT security within their human resources policy.
This ensures that there is a clear delegation of tasks and accountability for ICT security across the organization.
Requirements for Staff and ICT Third-Party Service Providers (Point b):
The policy must include certain requirements for both the staff of the financial entity and the ICT third-party service providers who use or access the financial entity’s ICT assets. These requirements include:
Adherence to ICT Security Policies (Subpoint i):
All staff and third-party providers must be informed about and adhere to the financial entity's ICT security policies, procedures, and protocols. This ensures that everyone involved with the financial entity's ICT systems is aware of and follows the necessary security measures.
Awareness of Reporting Channels (Subpoint ii):
Staff and third-party providers must be aware of the reporting channels established by the financial entity for reporting anomalous behavior.
This includes channels for reporting potential security incidents or suspicious activities.
If applicable, the reporting channels must also comply with the requirements of Directive (EU) 2019/1937, which deals with the protection of whistleblowers who report breaches of Union law.
Return of ICT Assets Upon Termination (Subpoint iii):
When staff members leave the organization, they are required to return all ICT assets and tangible information assets that belong to the financial entity.
This helps prevent the unauthorized use of company assets and ensures that the organization's data and resources are properly secured after an employee’s departure.
Conclusion:
Article 19 ensures that ICT security is integrated into the human resources policy of financial entities. By assigning specific ICT security responsibilities, ensuring that staff and third-party providers adhere to security policies, and implementing protocols for asset return upon termination, financial entities can maintain a secure ICT environment and reduce the risk of data breaches or security incidents.
Identity management
Article 20 stresses the need for financial entities to implement robust identity management practices to safeguard access to their information and ICT assets: assigning unique identities to users, maintaining comprehensive records, and running lifecycle management processes for identities and accounts. The use of automated solutions further supports secure and efficient identity management.
TL;DR
Article 20 stresses the need for financial entities to implement robust identity management practices to safeguard access to their information and ICT assets: assigning unique identities to users, maintaining comprehensive records, and running lifecycle management processes for identities and accounts. The use of automated solutions further supports secure and efficient identity management.
FULL VERSION
Article 20 focuses on the identity management policies and procedures that financial entities must implement as part of their access control measures. These policies ensure that the identities of individuals and systems accessing the financial entity's information are managed securely, enabling proper user access rights assignment.
Key Points:
Development of Identity Management Policies (Paragraph 1):
Financial entities must develop, document, and implement identity management policies and procedures.
These policies should ensure the unique identification and authentication of natural persons (e.g., staff) and systems accessing the entity’s information.
This is crucial for controlling and assigning user access rights in line with the requirements outlined in Article 21.
Contents of Identity Management Policies (Paragraph 2):
The identity management policies and procedures must include the following key elements:
Unique Identity Assignment (Point a):
Each staff member of the financial entity, as well as the staff of ICT third-party service providers who access the financial entity’s information assets and ICT assets, must be assigned a unique identity corresponding to a unique user account.
This ensures that access to sensitive information is clearly tied to a specific individual, enhancing accountability and security.
Lifecycle Management of Identities and Accounts (Point b):
The policies must include a lifecycle management process for identities and accounts.
This process should cover all stages, including:
Creation of new accounts.
Changes and updates to existing accounts.
Reviews of account status.
Temporary deactivation and termination of accounts.
Effective lifecycle management ensures that user accounts are properly maintained and that access rights are updated or revoked as needed, reducing the risk of unauthorized access.
Record-Keeping (Related to Point a):
Financial entities are required to maintain records of all identity assignments.
These records must be retained even after a reorganization of the financial entity or the end of a contractual relationship, in compliance with applicable Union and national laws regarding data retention.
Automated Solutions (Related to Point b):
Where feasible and appropriate, financial entities are encouraged to use automated solutions for the lifecycle management of identities and accounts.
Automation can enhance efficiency and accuracy in managing user identities, particularly in large organizations with complex ICT systems.
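Points (a) and (b) above translate into a small number of checks that can be run routinely against an export of the identity store and the HR or contract register. The script below is an added example, not code from the page or the regulation: it joins a constructed roster of natural persons (internal staff and third-party staff) with a constructed account export and reports accounts with no unique owner, owners who have left or whose contract has ended, owners unknown to HR, stale accounts, and identities holding more than one account. The field names, the 90-day staleness threshold and the choice of which findings lead to disabling an account are assumptions a real policy would set.

```python
from datetime import date, timedelta

# Constructed HR / contract roster: one entry per natural person, internal staff
# and ICT third-party staff alike. In practice this comes from the HR system and
# the vendor contract register.
ROSTER = {
    "alice": {"status": "active", "end_date": None, "employer": "internal"},
    "bob": {"status": "left", "end_date": date(2024, 3, 31), "employer": "internal"},
    "carol": {"status": "active", "end_date": date(2024, 6, 30), "employer": "VendorCo"},
}

# Constructed export from the identity store. `owner` is the natural person the
# account is assigned to; None means nobody is recorded as its unique owner.
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "enabled": True, "last_login": date(2024, 9, 1)},
    {"account": "bob", "owner": "bob", "enabled": True, "last_login": date(2024, 4, 2)},
    {"account": "carol-ext", "owner": "carol", "enabled": True, "last_login": date(2024, 8, 20)},
    {"account": "ops-shared", "owner": None, "enabled": True, "last_login": date(2024, 9, 3)},
    {"account": "dave", "owner": "dave", "enabled": True, "last_login": None},
    {"account": "alice-old", "owner": "alice", "enabled": True, "last_login": date(2024, 1, 5)},
    {"account": "erin", "owner": "erin", "enabled": False, "last_login": date(2023, 1, 1)},
]

TODAY = date(2024, 9, 10)  # fixed so the run is reproducible

# Findings that mean access must be removed rather than merely reviewed (assumed policy).
DISABLE_REASONS = {"owner_left_or_contract_ended", "owner_not_in_roster", "no_unique_owner"}


def audit_accounts(accounts, roster, today, stale_after_days=90):
    """Return sorted (account, finding) pairs for every enabled account that
    breaks one of the identity lifecycle rules."""
    findings = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    accounts_per_owner = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # already deactivated or terminated: nothing to review
        owner = a["owner"]
        if owner is None:
            findings.append((a["account"], "no_unique_owner"))
            continue
        accounts_per_owner.setdefault(owner, []).append(a["account"])
        person = roster.get(owner)
        if person is None:
            findings.append((a["account"], "owner_not_in_roster"))
        elif person["status"] != "active" or (
            person["end_date"] is not None and person["end_date"] < today
        ):
            findings.append((a["account"], "owner_left_or_contract_ended"))
        if a["last_login"] is None or a["last_login"] < stale_cutoff:
            findings.append((a["account"], "stale"))
    # One identity maps to one account; any extra account needs a documented reason.
    for owner, names in accounts_per_owner.items():
        if len(names) > 1:
            findings.extend((n, "multiple_accounts_for_identity") for n in names)
    return sorted(findings)


def accounts_to_disable(findings):
    """Accounts whose findings require removing access, not just a review."""
    return {acct for acct, reason in findings if reason in DISABLE_REASONS}


def run_audit():
    """Run the audit over the constructed data with the fixed reference date."""
    return audit_accounts(ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    findings = run_audit()
    for acct, reason in findings:
        print(f"{acct:12} {reason}")
    print("disable:", sorted(accounts_to_disable(findings)))
```

The check that catches the most in practice is the join against the roster: a leaver whose account is still enabled is invisible to the identity store on its own, because the store only knows the account, not the employment or contract status behind it. Running this on a schedule and feeding the result into the deactivation workflow is the "automated solution" the article has in mind; the disabled account `erin` is skipped deliberately, since termination has already taken effect there.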
Conclusion:
Article 20 ensures that financial entities implement robust identity management practices to safeguard access to their information and ICT assets. By assigning unique identities to users, maintaining comprehensive records, and utilizing lifecycle management processes, financial entities can control access rights more effectively. The use of automated solutions further supports secure and efficient identity management.
More articles coming soon. If you would like to be notified when we add more content, please contact us.
Disclaimer
Please note that this text is provided as-is and should not be relied upon as an authoritative source. Please consult the Official Journal of the European Union for the official DORA documentation.