Article 22 – ICT-related incident management policy

As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall:

  (a) document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;
  (b) establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:
    (i) the detection and monitoring of cyber threats;
    (ii) the detection of anomalous activities;
    (iii) vulnerability management;
  (c) establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;
  (d) retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12) and with any applicable retention requirement pursuant to Union law;
  (e) establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents.

For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner.

(12) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: https://data.europa.eu/eli/reg_del/2024/1772/oj).