1.   A CSD shall ensure that its information technology (IT) systems are well-documented and that they are designed to cover the CSD's operational needs and the operational risks that the CSD faces.

The CSD IT systems shall be:

2.   A CSD systems shall have sufficient capacity to process all transactions before the end of the day even in circumstances where a major disruption occurs.

A CSD shall have procedures for ensuring sufficient capacity of its IT systems, including in the case of the introduction of new technology.

3.   A CSD shall base its IT systems on internationally recognised technical standards and industry best practices.

4.   A CSD's IT systems shall ensure that any data at the disposal of the CSD is protected from loss, leakage, unauthorised access, poor administration, inadequate record-keeping, and other processing risks.

5.   A CSD's information security framework shall outline the mechanisms that the CSD have in place to detect and prevent cyber-attacks. The framework shall also outline the CSD's plan in response to cyber-attacks.

6.   The CSD shall subject its IT systems to stringent testing by simulating stressed conditions before those systems are used for the first time, after making significant changes to the systems and after a major operational disruption has occurred. A CSD shall, as appropriate, involve in the design and conduct of these tests:

7.   The information security framework shall include:

8.   The CSD shall have arrangements for the selection and substitution of IT third party service providers, CSD's timely access to all necessary information, as well as proper controls and monitoring tools.

9.   The CSD shall ensure that the IT systems and the information security framework concerning the CSD's core services are reviewed at least annually and are subject to audit assessments. The results of the assessments shall be reported to the CSD's management body and to the competent authority.