Article 4 | Delegated Regulation 2024/1774

Article 4 - Delegated Regulation 2024/1774

Article 4

ICT asset management policy

1. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.

2. The policy on management of ICT assets referred to in paragraph 1 shall:

(a)	prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;

(b)

prescribe that the financial entity keeps records of all of the following:

(i)	the unique identifier of each ICT asset;

(ii)	information on the location, either physical or logical, of all ICT assets;

(iii)

the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;

(iv)	the identity of ICT asset owners;

(v)	the business functions or services supported by the ICT asset;

(vi)	the ICT business continuity requirements, including recovery time objectives and recovery point objectives;

(vii)

whether the ICT asset can be or is exposed to external networks, including the internet;

(viii)

the links and interdependencies among ICT assets and the business functions using each ICT asset;

(ix)	where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;

(c)	for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.

TITLE I - GENERAL PRINCIPLE (Article 1)

TITLE II - FURTHER HARMONISATION OF ICT RISK MANAGEMENT TOOLS, METHODS, PROCESSES, AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF REGULATION (EU) 2022/2554 (Article 2-27)

CHAPTER I - ICT Security policies, procedures, protocols, and tools (Article 2-18)

Section 1 (Article 2)

Section 2 (Article 3)

Section 3 - ICT asset management (Article 4-5)Article 4 - ICT asset management policy Article 5 - ICT asset management procedure

Section 4 - Encryption and cryptography (Article 6-7)

Section 5 - ICT operations security (Article 8-12)

Section 6 - Network security (Article 13-14)

Section 7 - ICT project and change management (Article 15-17)

Section 8 (Article 18)

CHAPTER II - Human resources policy and access control (Article 19-21)

CHAPTER III - ICT-related incident detection and response (Article 22-23)

CHAPTER IV - ICT business continuity management (Article 24-26)

CHAPTER V - Report on the ICT risk management framework review (Article 27)

TITLE III - SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK FOR FINANCIAL ENTITIES REFERRED TO IN ARTICLE 16(1) OF REGULATION (EU) 2022/2554 (Article 28-41)

TITLE IV - FINAL PROVISIONS (Article 42)

Metadata

Related documents

Article 4 - Delegated Regulation 2024/1774

Table of contents