ICT Risk Management Framework
Establishes comprehensive requirements for financial entities to identify, protect against, detect, respond to, and recover from ICT-related disruptions. Mandates a robust governance framework with clear roles, policies, and continuous improvement processes for managing technology risk across the organization.
Key Themes
What this pillar covers
Governance and organizational structure
ICT risk identification and classification
Protection and prevention measures
Detection and response capabilities
Recovery and restoration planning
Articles in Pillar I
Explore the 12 articles that make up the ICT Risk Management Framework pillar, Art. 5-16.
Governance and organisation
Places ultimate responsibility for ICT risk management on the management body of the financial entity. Requires the management body to define, approve, oversee and be accountable for the implementation of the ICT risk management framework, including setting the appropriate level of ICT risk tolerance.
ICT risk management framework
Requires financial entities to maintain a sound, comprehensive and well-documented ICT risk management framework. The framework must include strategies, policies, procedures and tools necessary to protect all ICT assets and infrastructure and to duly manage ICT risk in accordance with the entity's risk appetite.
ICT systems, protocols and tools
Requires financial entities to use and maintain updated ICT systems, protocols, and tools that are appropriate to the scale of operations and adequate to support critical or important functions. Mandates capacity management, resilience engineering, and regular assessments of ICT system adequacy.
Identification
Requires financial entities to identify, classify and adequately document all ICT-supported business functions, information assets, and ICT assets, including those on remote sites. Mandates maintaining an inventory of all ICT assets and mapping dependencies and interconnections.
Protection and prevention
Requires financial entities to design and implement ICT security policies, procedures and technical controls to ensure the protection, prevention and resilience of ICT systems. Covers access management, encryption, network security, patch management and change management.
Detection
Requires financial entities to establish mechanisms to promptly detect anomalous activities, including network performance issues, ICT-related incidents, and potential single points of failure. Detection capabilities must be tested regularly as part of the resilience testing programme.
Response and recovery
Requires financial entities to establish ICT business continuity policies and ICT response and recovery plans. Plans must be tested at least annually and must cover all critical or important functions including those supported by ICT third-party service providers.
Backup policies and procedures, restoration and recovery procedures and methods
Establishes requirements for backup policies covering scope, frequency, and recovery methods. Requires that backup and restoration procedures are regularly tested and that backup systems are physically and logically separated from source systems to prevent simultaneous compromise.
Learning and evolving
Requires financial entities to have capabilities and staff to gather information on vulnerabilities, cyber threats, and ICT-related incidents. Mandates post-incident reviews after significant disruptions and integration of lessons learned into the ICT risk management framework through continuous improvement processes.
Communication
Requires financial entities to establish communication plans for ICT-related incidents, including internal escalation procedures, external stakeholder notification, and regulatory reporting. Mandates a designated spokesperson and clear communication protocols for crisis situations.
Further harmonisation of ICT risk management tools, methods, processes and policies
Empowers the European Supervisory Authorities (ESAs) to develop regulatory technical standards (RTS) further specifying the elements of the ICT risk management framework. These RTS detail the components of ICT security policies, business continuity management, and audit review requirements.
Simplified ICT risk management framework
Provides a simplified ICT risk management framework for certain smaller or less complex financial entities. While maintaining core requirements for risk identification, protection, detection, and recovery, it allows proportionate implementation with reduced documentation and governance obligations.