Article 8 – Policies and procedures for ICT operations

  1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations.
  2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:
    (a) an ICT assets description, including all of the following:
      (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
      (ii) requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual;
      (iii) requirements regarding the identification and control of legacy ICT systems;
    (b) controls and monitoring of ICT systems, including all of the following:
      (i) backup and restore requirements of ICT systems;
      (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;
      (iii) protocols for audit-trail and system log information;
      (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations;
      (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
      (vi) requirements to conduct the development and testing in environments which are separated from the production environment;
      (vii) requirements to conduct the development and testing in production environments;
    (c) error handling concerning ICT systems, including all of the following:
      (i) procedures and protocols for handling errors;
      (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
      (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.

    For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).

    For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.