Article 22 ICT-related incident management policy

1. document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;

2. establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on:

   1. the detection and monitoring of cyber threats;

   2. the detection of anomalous activities;

   3. vulnerability management;

3. establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation;

4. retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772(¹²)Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj). and with any applicable retention requirement pursuant to Union law;

5. establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents.

For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner.