Source: OJ L, 2024/1774, 25.6.2024 (language: EN)
RTS on ICT risk management framework (Digital operational resilience in the financial sector: ICT risk management)
Article 17 ICT change management
1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements:
(a) a verification of whether the ICT security requirements have been met;
(b) mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes;
(c) a clear description of the roles and responsibilities to ensure that:
    (i) changes are specified and planned;
    (ii) an adequate transition is designed;
    (iii) the changes are tested and finalised in a controlled manner;
    (iv) there is an effective quality assurance;
(d) the documentation and communication of change details, including:
    (i) the purpose and scope of the change;
    (ii) the timeline for the implementation of the change;
    (iii) the expected outcomes;
(e) the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented;
(f) procedures, protocols, and tools to manage emergency changes that provide adequate safeguards;
(g) procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches;
(h) the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures.
2. After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions.
Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:
(a) clearing members and clients;
(b) interoperable central counterparties;
(c) other interested parties.
Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph:
(a) users;
(b) critical utilities and critical service providers;
(c) other central securities depositories;
(d) other market infrastructures;
(e) any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy.
Relevant recitals
Recital 17 ICT change management policies and procedures
Changes, regardless of their scale, carry inherent risks and may pose significant risks of loss of confidentiality, integrity, and availability of data, and could thus lead to severe business disruptions. To safeguard financial entities from potential ICT vulnerabilities and weaknesses that could expose them to significant risks, a rigorous verification process is necessary to confirm that all changes meet the necessary ICT security requirements. Financial entities referred to in Title II of this Regulation should therefore, as an essential element of their ICT security policies and procedures, have in place sound ICT change management policies and procedures. To uphold the objectivity and effectiveness of the ICT change management process, to prevent conflicts of interest, and to ensure that ICT changes are evaluated objectively, it is necessary to separate the functions responsible for approving those changes from the functions that request and implement those changes. To achieve effective transitions, controlled ICT change implementation, and minimal disruptions to the operation of the ICT systems, financial entities should assign clear roles and responsibilities that ensure that ICT changes are planned, adequately tested, and that quality is ensured. To ensure that ICT systems continue to operate effectively, and to provide a safety net for financial entities, financial entities should also develop and implement fall-back procedures. Financial entities should clearly identify those fall-back procedures and assign responsibilities to ensure a swift and effective response in the event of unsuccessful ICT changes.
Recital 24 Additional requirements for financial market infrastructure participants
It is necessary to lay down requirements for operational risk, and more particularly requirements for ICT project and change management and ICT business continuity management building on those that apply already to central counterparties, central securities depositories and trading venues under, respectively, Regulations (EU) No 648/2012 (3), (EU) No 600/2014 (4) and (EU) No 909/2014 (5) of the European Parliament and of the Council.

(3) Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1, ELI: http://data.europa.eu/eli/reg/2012/648/oj).
(4) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84, ELI: http://data.europa.eu/eli/reg/2014/600/oj).
(5) Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1, ELI: http://data.europa.eu/eli/reg/2014/909/oj).
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.