Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2024-1774
Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
Article 4 – ICT asset management policy
- As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.
- The policy on management of ICT assets referred to in paragraph 1 shall:
- prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
- prescribe that the financial entity keeps records of all of the following:
- the unique identifier of each ICT asset;
- information on the location, either physical or logical, of all ICT assets;
- the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;
- the identity of ICT asset owners;
- the business functions or services supported by the ICT asset;
- the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
- whether the ICT asset can be or is exposed to external networks, including the internet;
- the links and interdependencies among ICT assets and the business functions using each ICT asset;
- where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
- for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.