Article 2 – General elements of ICT security policies, procedures, protocols, and tools

  1. Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:
    (a) ensure the security of networks;
    (b) contain safeguards against intrusions and data misuse;
    (c) preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
    (d) guarantee an accurate and prompt data transmission without major disruptions and undue delays.
  2. Financial entities shall ensure that the ICT security policies referred to in paragraph 1:
    (a) are aligned to the financial entity’s information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
    (b) indicate the date of the formal approval of the ICT security policies by the management body;
    (c) contain indicators and measures to:
      (i) monitor the implementation of the ICT security policies, procedures, protocols, and tools;
      (ii) record exceptions from that implementation;
      (iii) ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
    (d) specify the responsibilities of staff at all levels to ensure the financial entity’s ICT security;
    (e) specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
    (f) list the documentation to be maintained;
    (g) specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
    (h) consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
    (i) identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
    (j) are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
    (k) take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.