Article 28
Governance and organisation
The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body:
bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity’s business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context;
sets clear roles and responsibilities for all ICT-related tasks;
sets out information security objectives and ICT requirements;
approves, oversees, and periodically reviews:
    the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies;
    the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554;
allocates and reviews at least once a year the budget necessary to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff;
specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to;
identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets;
ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed;
establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience.