1.   Financial entities shall develop, document, and implement a procedure for the management of ICT assets.

2.   The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:

(a)	the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;

(b)	how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.