Article 37
ICT systems acquisition, development, and maintenance
The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall:
|
(a) |
ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; |
|
(b) |
ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; |
|
(c) |
identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. |