Article 27 – Format and content of the report on the review of the ICT risk management framework

  1. Financial entities shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format.
  2. Financial entities shall include all of the following information in the report referred to in paragraph 1:
    (a) an introductory section that:
      (i) clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant;
      (ii) describes the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems, or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency;
      (iii) summarises the major changes in the ICT risk management framework since the previous report submitted;
      (iv) provides an executive-level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;
    (b) the date of the approval of the report by the management body of the financial entity;
    (c) a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554;
    (d) the start and end dates of the review period;
    (e) an indication of the function responsible for the review;
    (f) a description of the major changes and improvements to the ICT risk management framework since the previous review;
    (g) a summary of the findings of the review and a detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period;
    (h) a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following:
      (i) a summary of measures taken to remediate identified weaknesses, deficiencies and gaps;
      (ii) an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, whether there is a risk that deadlines may not be respected;
      (iii) the tools to be used and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external;
      (iv) a description of the impact of the changes envisaged in the measures on the financial entity’s budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures;
      (v) information on the process for informing the competent authority, where appropriate;
      (vi) where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk;
    (i) information on planned further developments of the ICT risk management framework;
    (j) conclusions resulting from the review of the ICT risk management framework;
    (k) information on past reviews, including:
      (i) a list of past reviews to date;
      (ii) where applicable, the state of implementation of the corrective measures identified by the last report;
      (iii) where the corrective measures proposed in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges;
    (l) sources of information used in the preparation of the report, including all of the following:
      (i) for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits;
      (ii) the results of compliance assessments;
      (iii) the results of digital operational resilience testing and, where applicable, the results of advanced testing based on threat-led penetration testing (TLPT) of ICT tools, systems, and processes;
      (iv) external sources.

    For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis.

    For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity’s digital operational resilience strategy, on the financial entity’s ICT internal control framework, and on the financial entity’s ICT risk management governance.