Chapter II — ICT risk management
Section II — Protection and prevention
ICT systems, protocols and tools
Summary
Requires financial entities to use and maintain updated ICT systems, protocols, and tools that are appropriate to the scale of operations and adequate to support critical or important functions. Mandates capacity management, resilience engineering, and regular assessments of ICT system adequacy.
Key Requirements
1. Use reliable and resilient ICT systems proportionate to scale
2. Implement capacity management and performance monitoring
3. Ensure systems support critical or important functions adequately
4. Regularly assess whether ICT systems remain adequate
5. Minimize impact of ICT risks on systems through protection mechanisms
Detailed Analysis
Article 7 of DORA (Regulation (EU) 2022/2554) focuses on the technical foundations of ICT risk management, requiring financial entities to use and maintain ICT systems, protocols, and tools that are reliable, resilient, and proportionate to their operational needs. This article bridges the governance requirements of Articles 5 and 6 and the specific protection measures of Articles 8 and 9.
Financial entities must ensure their ICT infrastructure can meet the performance and availability requirements of their critical or important functions. This includes robust capacity management processes that anticipate organic growth, seasonal and intraday peaks, and stress scenarios such as abnormal order or transaction volumes. Systems must be monitored for performance degradation against defined thresholds, and breaches of those thresholds, whether observed or forecast, must trigger timely alerts so that capacity can be added before service is affected.
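As an added illustration of what "capacity management with thresholds that trigger alerts" looks like in practice, the following Python script checks a resource's utilisation against warning and critical thresholds and projects, from the recent trend, when the critical threshold would be reached. It is written for this page and is not code from the regulation or from any vendor product; the 70 % and 85 % thresholds, the 90-day planning horizon, the linear-trend model and the daily utilisation series are all assumptions constructed for the example.

```python
"""Capacity headroom check with trend projection (illustrative example for this page).

Input is a series of daily peak utilisation ratios (0.0 to 1.0) for one
capacity-constrained resource, for example payment-engine throughput.
Thresholds, horizon and the linear-trend model are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Sequence

WARN = 0.70      # assumed warning threshold: 70 % of rated capacity
CRITICAL = 0.85  # assumed critical threshold: 85 % of rated capacity


@dataclass
class CapacityAssessment:
    current: float                      # latest observed utilisation
    slope_per_day: float                # fitted growth per day
    days_to_warn: Optional[float]       # None if trend is flat or falling
    days_to_critical: Optional[float]   # None if trend is flat or falling
    alerts: list[str] = field(default_factory=list)


def linear_trend(samples: Sequence[float]) -> tuple[float, float]:
    """Least-squares fit of utilisation against day index; returns (intercept, slope)."""
    n = len(samples)
    if n < 2:
        return (samples[0] if samples else 0.0, 0.0)
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    slope = sxy / sxx
    return (mean_y - slope * mean_x, slope)


def days_until(level: float, intercept: float, slope: float, n: int) -> Optional[float]:
    """Days after the last sample until the fitted trend reaches `level`.

    Returns None when the trend is flat or falling (no projected breach) and
    0.0 when the fitted value is already at or past the level.
    """
    if slope <= 0:
        return None
    fitted_now = intercept + slope * (n - 1)
    if fitted_now >= level:
        return 0.0
    return (level - fitted_now) / slope


def assess(samples: Sequence[float], horizon_days: int = 90) -> CapacityAssessment:
    """Compare current utilisation with thresholds and forecast breaches inside the horizon."""
    intercept, slope = linear_trend(samples)
    n = len(samples)
    current = samples[-1]
    to_warn = days_until(WARN, intercept, slope, n)
    to_crit = days_until(CRITICAL, intercept, slope, n)
    result = CapacityAssessment(current, slope, to_warn, to_crit)

    # Observed threshold breaches take priority over forecasts.
    if current >= CRITICAL:
        result.alerts.append("CRITICAL: utilisation at or above critical threshold")
    elif current >= WARN:
        result.alerts.append("WARNING: utilisation at or above warning threshold")

    # Forecast alert: growth trend reaches the critical threshold within the planning horizon.
    if current < CRITICAL and to_crit is not None and to_crit <= horizon_days:
        result.alerts.append(
            f"FORECAST: critical threshold reached in ~{to_crit:.0f} days at current growth"
        )
    return result


# Constructed sample: 14 daily peaks climbing one percentage point per day, 50 % to 63 %.
SAMPLE_SERIES = [0.50 + 0.01 * i for i in range(14)]

if __name__ == "__main__":
    a = assess(SAMPLE_SERIES)
    print(f"current={a.current:.2f} slope/day={a.slope_per_day:.4f}")
    print(f"days to warn={a.days_to_warn} days to critical={a.days_to_critical}")
    for line in a.alerts:
        print(line)
```

The point of the forecast branch is that an alert fires while utilisation is still below the warning line: on the constructed series the critical threshold is about three weeks away, which is the kind of lead time a procurement or scaling process needs. A flat or falling series produces no projection, and an observed breach is reported as such rather than as a forecast.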
The article requires regular assessments of ICT system adequacy, particularly when there are significant changes in business volumes, organizational structure, or the threat landscape. These assessments must consider both current needs and foreseeable developments, ensuring that technological obsolescence does not create unmanaged risks.
A key aspect is the requirement for technological resilience: systems must be designed to withstand disruptions and keep operating, even in a degraded mode, under stressed market conditions or other adverse situations. In architectural terms this means building redundancy, tested failover, and graceful degradation into critical systems from the outset, rather than adding them as afterthoughts.