COMMISSION DELEGATED REGULATION (EU) 2024/1774
of 13 March 2024
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, and in particular Article 15, fourth subparagraph, and Article 16(3), fourth subparagraph, thereof,
Whereas:
Recitals
HAS ADOPTED THIS REGULATION:
Article 1 Overall risk profile and complexity
TITLE II Further harmonisation of ICT risk management tools, methods, processes, and policies in accordance with Article 15 of Regulation (EU) 2022/2554
Chapter I ICT Security policies, procedures, protocols, and tools
Article 2 General elements of ICT security policies, procedures, protocols, and tools
Article 6 Encryption and cryptographic controls
Article 8 Policies and procedures for ICT operations
Article 9 Capacity and performance management
Article 16 ICT systems acquisition, development, and maintenance
Chapter II Human resources policy and access control
Chapter III ICT-related incident detection and response
Article 23 Anomalous activities detection and criteria for ICT-related incidents detection and response
Article 24 Components of the ICT business continuity policy
Article 25 Testing of the ICT business continuity plans
Chapter V Report on the ICT risk management framework review
Article 27 Format and content of the report on the review of the ICT risk management framework
TITLE III Simplified ICT risk management framework for financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554
Chapter I Simplified ICT risk management framework
Article 29 Information security policy and measures
Article 30 Classification of information assets and ICT assets
Article 37 ICT systems acquisition, development, and maintenance
Article 39 Components of the ICT business continuity plan
Chapter IV Report on the review of the simplified ICT risk management framework
Article 41 Format and content of the report on the review of the simplified ICT risk management framework