Pillar I: ICT Risk Management Framework
Article 6

Chapter II — ICT risk management

Section I — Governance

ICT risk management framework

Tags: framework, risk-management, policies, documentation

Summary

Requires financial entities to maintain a sound, comprehensive and well-documented ICT risk management framework. The framework must include strategies, policies, procedures and tools necessary to protect all ICT assets and infrastructure and to duly manage ICT risk in accordance with the entity's risk appetite.

Key Requirements

  1. Comprehensive and well-documented framework covering all ICT risks

  2. Framework must be reviewed at least annually

  3. Include all ICT assets and dependencies in scope

  4. Identify and classify all critical or important functions

  5. Continuous improvement based on lessons learned and testing

Detailed Analysis

Article 6 outlines the core requirements for the ICT risk management framework that every financial entity must establish and maintain. This framework serves as the central organizing structure for all ICT-related risk management activities and must be comprehensive enough to address the full lifecycle of ICT risk.

The framework must encompass strategies, policies, procedures, ICT protocols, and tools necessary to adequately protect information and ICT assets. It must address the full spectrum of risks including cyber threats, technology failures, human error, and natural disasters. The framework must be documented, reviewed at least annually, and updated following major incidents, audit findings, or significant changes in the ICT environment.

A critical requirement is the identification and classification of all ICT-supported business functions, roles, and assets. Financial entities must maintain an up-to-date inventory of their information assets and ICT assets, mapping dependencies between them. Functions must be assessed for criticality, with enhanced protections applied to those classified as critical or important.

The framework must be proportionate but robust. Even entities subject to the simplified framework under Article 16 must establish adequate governance, risk identification, protection mechanisms, detection capabilities, and recovery procedures. The framework's maturity is expected to evolve continuously, incorporating lessons learned from incidents, testing results, and emerging threat intelligence.
