Updated 14/03/2025
In force

Article 4 - Delegated Regulation 2025/303

Article 4

ICT systems and related security arrangements

For the purposes of Article 60(7), point (c), of Regulation (EU) 2023/1114, the notifying entity shall provide the competent authority the following information:

(a) technical documentation of the ICT systems, DLT infrastructure relied upon, where relevant, and the security arrangements, including a description of the arrangements and deployed ICT and human resources established to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (8) including the following:

  (i) a description of how the notifying entity ensures a sound, comprehensive and well-documented ICT risk management framework as part of its overall risk management system, including a detailed description of ICT systems, protocols and tools and of how the notifying entity’s procedures, policies and systems will safeguard the security, integrity, availability, authenticity and confidentiality of data in accordance with Regulations (EU) 2022/2554 and (EU) 2016/679;

  (ii) an identification of ICT services supporting critical or important functions, developed or maintained by the notifying entity, as well as those provided by third-party service providers, a description of such contractual arrangements and how those arrangements comply with Article 73 of Regulation (EU) 2023/1114 and Chapter V of Regulation (EU) 2022/2554;

  (iii) a description of the notifying entity’s procedures, policies, arrangements and systems for security and incident management;

(b) if available, a description of a cybersecurity audit conducted by a third-party cybersecurity auditor having sufficient experience in accordance with Commission Delegated Regulation establishing technical standards pursuant to Article 26(11) fourth subparagraph of Regulation (EU) 2022/2554 covering ideally the following audits or tests by external independent parties:

  (i) organisational cybersecurity, physical security and secure software development lifecycle arrangements;

  (ii) vulnerability assessments and network security assessments;

  (iii) configuration reviews of ICT assets supporting critical and important functions as defined in Article 3, point (22) of Regulation (EU) 2022/2554;

  (iv) penetration tests on the ICT assets supporting critical and important functions as defined in Article 3, point (17) of Regulation (EU) 2022/2554, in accordance with all the following audit test approaches:

    (1) black box: the auditor has no information other than the IP addresses and URLs associated with the audited target. This phase is generally preceded by the discovery of information and the identification of the target by querying domain name system (DNS) services, scanning open ports, discovering the presence of filtering equipment;

    (2) grey box phase: auditors have the knowledge of a standard user of the information system (legitimate authentication, ‘standard’ workstation). The identifiers can belong to different user profiles in order to test different privilege levels;

    (3) white box phase: auditors have as much technical information as possible (architecture, source code, telephone contacts, identifiers, etc.) before starting the analysis and also access to technical contacts related to the target;

  (v) where the notifying entity uses and/or develops smart-contracts, a cybersecurity source code review of them;

(c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;

(d) a description of the relevant information referred to in points (a) and (b) in non-technical language.


(8)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj).