Article 38 Gestion des projets de TIC et des changements dans les TIC

This article sits within the simplified ICT risk management framework for the smaller financial entities referred to in Article 16(1) of DORA, and it sets out two closely related procedural obligations: ICT project management and ICT change management.

Rather than prescribing detailed content requirements, it focuses on the existence and implementation of these procedures, requiring that they span the full lifecycle of projects and changes respectively.

It is the simplified-framework counterpart to the more detailed project and change management provisions that apply to larger financial entities elsewhere in this regulation.

Important points:

• Develop, document, and implement an ICT project management procedure that covers all stages of ICT projects from initiation to closure, with clearly specified roles and responsibilities.
• Develop, document, and implement an ICT change management procedure ensuring all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner.
• Both obligations apply to the financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554, i.e., those subject to the simplified ICT risk management framework.