Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 1 Overall risk profile and complexity
When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to:
encryption and cryptography;
ICT operations security;
network security;
ICT project and change management;
the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity’s activities.
Relevant recitals
Recital 1 Principle of proportionality
Regulation (EU) 2022/2554 covers a wide variety of financial entities that differ in size, structure, internal organisation, and in the nature and complexity of their activities, and thus have increased or reduced elements of complexity or risks. To ensure that that variety is duly taken into account, any requirements as regards ICT security policies, procedures, protocols and tools, and as regards a simplified ICT risk management framework, should be proportionate to that size, structure, internal organisation, nature and complexity of those financial entities, and to the corresponding risks.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.