- Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities.
- The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:
- collect, monitor, and analyse all of the following:
- internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
- potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
- ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
- identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
- prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
- record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
- collect, monitor, and analyse all of the following:
- Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.
- Financial entities shall log all relevant information for each detected anomalous activity enabling:
- the identification of the date and time of occurrence of the anomalous activity;
- the identification of the date and time of detection of the anomalous activity;
- the identification of the type of the anomalous activity.
- Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:
- indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
- data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
- adverse impact detected on financial entity’s transactions and operations;
- ICT systems’ and network unavailability.
- For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected.