Capacity and performance management procedures

Capacity and performance management procedures

Integration into ICT Security Policies (Article 9(1) RTS RMF; Article 9(2) DORA)

Financial entities must develop, document and implement capacity and performance management procedures as part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA.

These procedures support the resilience, continuity and availability of ICT systems, in particular where ICT systems support critical or important functions.

Mandatory Scope of Capacity and Performance Management Procedures (Article 9(1) RTS RMF)

The procedures must address all of the following aspects:

Identification of Capacity Requirements of ICT Systems

The procedures must define how the financial entity identifies:

  • current capacity requirements, and
  • future capacity needs

of its ICT systems, based on business demand, growth trends, risk assessments and system characteristics.

Application of Resource Optimisation

The procedures must specify how the financial entity applies resource optimisation measures, including:

  • efficient allocation of ICT resources,
  • optimisation of computing, storage and network resources, and
  • alignment of resource use with business priorities and resilience requirements.

Monitoring Procedures for Availability, Efficiency and Prevention of Capacity Shortages

The procedures must include monitoring mechanisms for:

(i) Availability of Data and ICT Systems

Continuous monitoring to ensure that ICT systems and data remain available in line with resilience and continuity requirements.

(ii) Efficiency of ICT Systems

Monitoring the performance efficiency of ICT systems to detect degradation or bottlenecks.

(iii) Prevention of ICT Capacity Shortages

Monitoring to detect early indications of capacity strain or emerging shortages and to ensure timely action.

This monitoring must enable proactive management to avoid performance issues that could affect ICT-supported business functions.

Measures for Systems with Long, Complex or Resource-Intensive Procurement (Article 9(2) RTS RMF)

The procedures must ensure that financial entities take appropriate measures to address the specificities of ICT systems that:

  • have long or complex procurement or approval processes, or
  • are resource-intensive.

These measures must ensure that capacity and performance requirements continue to be met despite longer lead times or heavy resource demands.

Article 9 RTS RMF

RTS RMF

Article 9 (2) DORA

Article 9 DORA – Protection and prevention