Chapter II — ICT risk management
Section V — Learning and evolving
Learning and evolving
Summary
Requires financial entities to have capabilities and staff to gather information on vulnerabilities, cyber threats, and ICT-related incidents. Mandates post-incident reviews after significant disruptions and integration of lessons learned into the ICT risk management framework through continuous improvement processes.
Key Requirements
1. Gather and analyze threat intelligence and vulnerability information
2. Conduct post-incident reviews after significant ICT disruptions
3. Integrate lessons learned into the ICT risk management framework
4. Provide mandatory ICT security awareness training to staff
5. Continuously improve ICT risk management capabilities
Detailed Analysis
Article 13 introduces the learning and continuous improvement dimension of ICT risk management. A resilience framework that does not evolve in response to experience is destined to become obsolete. This article ensures that financial entities treat every incident, test result, and emerging threat as an opportunity to strengthen their defenses.
Post-incident reviews are mandatory following significant ICT disruptions. These reviews must analyze the root causes, assess the effectiveness of the response, identify areas for improvement, and generate actionable recommendations. The results must be reported to the management body and fed back into the ICT risk management framework, closing the loop between operational experience and governance.
Threat intelligence gathering is an explicit requirement. Financial entities must have the capabilities and dedicated staff to collect, analyze, and act upon information about cyber threats, vulnerabilities, and attack techniques relevant to their operations. This intelligence feeds into risk assessments, protection priorities, and detection rule updates.
The article also mandates ICT security awareness training for all staff, with content and frequency proportionate to their roles and access levels. Staff represent both the first and last line of defense — well-trained employees can detect phishing attempts and social engineering, while untrained staff can inadvertently open the door to significant compromises. Training programmes must be regularly updated to reflect the current threat landscape.