INHALT

Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework

COMMISSION DELEGATED REGULATION (EU) 2024/1774
of 13 March 2024
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
(Text with EEA relevance)
TITLE I
GENERAL PRINCIPLE
Article 1
Overall risk profile and complexity
TITLE II
FURTHER HARMONISATION OF ICT RISK MANAGEMENT TOOLS, METHODS, PROCESSES, AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF REGULATION (EU) 2022/2554
CHAPTER I
ICT Security policies, procedures, protocols, and tools
Section 1
Article 2
General elements of ICT security policies, procedures, protocols, and tools
Section 2
Article 3
ICT risk management
Section 3
ICT asset management
Article 4
ICT asset management policy
Article 5
ICT asset management procedure
Section 4
Encryption and cryptography
Article 6
Encryption and cryptographic controls
Article 7
Cryptographic key management
Section 5
ICT operations security
Article 8
Policies and procedures for ICT operations
Article 9
Capacity and performance management
Article 10
Vulnerability and patch management
Article 11
Data and system security
Article 12
Logging
Section 6
Network security
Article 13
Network security management
Article 14
Securing information in transit
Section 7
ICT project and change management
Article 15
ICT project management
Article 16
ICT systems acquisition, development, and maintenance
Article 17
ICT change management
Section 8
Article 18
Physical and environmental security
CHAPTER II
Human resources policy and access control
Article 19
Human resources policy
Article 20
Identity management
Article 21
Access control
CHAPTER III
ICT-related incident detection and response
Article 22
ICT-related incident management policy
Article 23
Anomalous activities detection and criteria for ICT-related incidents detection and response
CHAPTER IV
ICT business continuity management
Article 24
Components of the ICT business continuity policy
Article 25
Testing of the ICT business continuity plans
Article 26
ICT response and recovery plans
CHAPTER V
Report on the ICT risk management framework review
Article 27
Format and content of the report on the review of the ICT risk management framework
TITLE III
SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK FOR FINANCIAL ENTITIES REFERRED TO IN ARTICLE 16(1) OF REGULATION (EU) 2022/2554
CHAPTER I
Simplified ICT risk management framework
Article 28
Governance and organisation
Article 29
Information security policy and measures
Article 30
Classification of information assets and ICT assets
Article 31
ICT risk management
Article 32
Physical and environmental security
CHAPTER II
Further elements of systems, protocols, and tools to minimise the impact of ICT risk
Article 33
Access Control
Article 34
ICT operations security
Article 35
Data, system and network security
Article 36
ICT security testing
Article 37
ICT systems acquisition, development, and maintenance
Article 38
ICT project and change management
CHAPTER III
ICT business continuity management
Article 39
Components of the ICT business continuity plan
Article 40
Testing of business continuity plans
CHAPTER IV
Report on the review of the simplified ICT risk management framework
Article 41
Format and content of the report on the review of the simplified ICT risk management framework
TITLE IV
FINAL PROVISIONS
Article 42
Entry into force