Article 25 – Testing of the ICT business continuity plans

  1. When testing the ICT business continuity plans in accordance with Article 11(6) of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity’s business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation.
  2. Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity’s critical or important functions. That testing shall:
    (a) be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios;
    (b) contain the testing of ICT services provided by ICT third-party service providers, where applicable;
    (c) for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities;
    (d) be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans;
    (e) contain procedures to verify the ability of the financial entities’ staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2).

    For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans.

    For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers’ jurisdictions, where relevant.

    For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored.

  3. In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1:
    (a) clearing members;
    (b) external providers;
    (c) relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies.
  4. In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate:
    (a) users of the central securities depositories;
    (b) critical utilities and critical service providers;
    (c) other central securities depositories;
    (d) other market infrastructures;
    (e) any other institutions with which central securities depositories have identified interdependencies in their business continuity policy.
  5. Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body.