Source: OJ L, 2024/1774, 25.6.2024
RTS on ICT risk management framework (Digital operational resilience in the financial sector, ICT risk management)
Article 10 Vulnerability and patch management
1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.

2. The vulnerability management procedures referred to in paragraph 1 shall:
  (a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
  (b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
  (c) verify whether:
    (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;
    (ii) whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;
  (d) track the usage of:
    (i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;
    (ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;
  (e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
  (f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
  (g) monitor and verify the remediation of vulnerabilities;
  (h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.

For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.

For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.

For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.

For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.

3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.

4. The patch management procedures referred to in paragraph 3 shall:
  (a) to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
  (b) identify emergency procedures for the patching and updating of ICT assets;
  (c) test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);
  (d) set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.
Relevant recitals
Recital 11 Vulnerability management
The fast-evolving nature of ICT landscapes, ICT vulnerabilities and cyber threats necessitates a proactive and comprehensive approach to identifying, evaluating, and addressing ICT vulnerabilities. Without such an approach, financial entities, their customers, users, or counterparties may be severely exposed to risks, which would put at risk their digital operational resilience, the security of their networks, and the availability, authenticity, integrity, and confidentiality of data that ICT security policies and procedures should protect. Financial entities referred to in Title II of this Regulation should therefore identify and remedy vulnerabilities in their ICT environment, and both the financial entities and their ICT third-party service providers should adhere to a coherent, transparent, and responsible vulnerability management framework. For the same reason, financial entities should monitor ICT vulnerabilities using reliable resources and automated tools, verifying that ICT third-party service providers ensure prompt action on vulnerabilities in provided ICT services.
Recital 12 Patch management
Patch management should be a crucial part of those ICT security policies and procedures that, through testing and deployment in a controlled environment, are to resolve identified vulnerabilities and to prevent disruptions from the installation of patches.
Recital 13 Responsible vulnerability disclosure
To ensure timely and transparent communication of potential security threats that could impact the financial entity and its stakeholders, financial entities should establish procedures for the responsible disclosure of ICT vulnerabilities to clients, counterparts, and the public. When establishing those procedures, financial entities should consider factors, including the severity of the vulnerability, the potential impact of such vulnerability on stakeholders, and the readiness of a fix or mitigation measures.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.