ICT-related incident management policy

Development, Documentation and Implementation (Article 22 RTS RMF)

  • Financial entities must develop, document, and implement an ICT-related incident management policy.
  • This policy forms part of the mechanisms necessary to detect anomalous activities, including ICT network performance issues and ICT-related incidents.

Mandatory Content Elements (Article 22(a)–(e) RTS RMF)

(a) Documentation of the ICT-Related Incident Management Process

  • The policy must document the ICT-related incident management process referred to in Article 17 DORA.

(b) List of Relevant Contacts

The policy must establish a list of relevant internal and external contacts directly involved in ICT operations security, including contacts responsible for:

(i) Detection and Monitoring of Cyber Threats

  • Internal and external functions involved in threat detection and threat monitoring.

(ii) Detection of Anomalous Activities

  • Staff or teams responsible for detecting anomalous behaviours and ICT network performance issues.

(iii) Vulnerability Management

  • Internal or external contacts responsible for vulnerability monitoring, reporting and remediation coordination.

(c) Technical, Organisational and Operational Mechanisms

The policy must establish, implement and operate mechanisms that support the ICT-related incident management process, including mechanisms enabling prompt detection of anomalous activities and behaviours, in accordance with Article 23 RTS RMF.


(d) Evidence Retention Requirements

The policy must require retention of all evidence relating to ICT-related incidents:

  • for no longer than necessary for the purposes for which the data are collected;
  • retention must be commensurate with the criticality of affected business functions, supporting processes, ICT assets and information assets;
  • retention must comply with Article 15 of Commission Delegated Regulation (EU) 2024/1772 and any applicable Union-law retention requirements.

All retained evidence must be stored in a secure manner.


(e) Analysis of Significant or Recurring Incidents

  • The policy must establish mechanisms to analyse significant or recurring ICT-related incidents, as well as patterns in the number and occurrence of such incidents.

Anomalous Activities Detection Requirements (Article 23 RTS RMF)

(a) Roles and Responsibilities (Article 23(1))

  • The policy must define clear roles and responsibilities for detecting and responding to ICT-related incidents and anomalous activities.

(b) Detection Mechanisms (Article 23(2))

The mechanisms must enable the collection, monitoring and analysis of:

(i) Internal and External Factors

  • including logs collected pursuant to Article 12 RTS RMF, information from business and ICT functions, and user-reported problems.

(ii) Internal and External Cyber Threats

  • including threat-actor scenarios and threat-intelligence-based scenarios.

(iii) ICT-Related Incident Notifications from ICT Third-Party Providers

  • notifications of ICT-related incidents detected in the ICT systems and networks of an ICT third-party service provider that provides ICT services to the financial entity.

(c) Identification and Alerting (Article 23(2)(b))

  • The mechanisms must identify anomalous activities and behaviours.
  • Tools must generate alerts for anomalous activities and behaviours, at least for ICT assets and information assets supporting critical or important functions.
  • These tools must include automated alerts that detect anomalies in the completeness and integrity of data sources or of log collection (for example a log source that falls silent or drops records, or log records altered after collection).

(d) Prioritisation of Alerts (Article 23(2)(c))

  • Alerts must be prioritised so that the identified ICT-related incidents can be managed within the resolution times set by the financial entity, both during and outside working hours.

(e) Recording and Evaluation of Anomalous Activities (Article 23(2)(d))

  • Financial entities must record, analyse and evaluate information on anomalous activities and behaviours, automatically or manually.

(f) Protection of Recordings (Article 23(3))

  • Recordings of anomalous activities must be protected against tampering and unauthorised access at rest, in transit and, where relevant, in use.

(g) Logging Requirements (Article 23(4))

For each detected anomalous activity, logs must enable:

  • identification of the date and time of occurrence;
  • identification of the date and time of detection;
  • identification of the type of anomalous activity.
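The following is an added worked example, not text of the RTS and not code from any regulator or vendor. It shows one way a monitoring function could implement the Article 23(2)(b) completeness and integrity checks on log collection (sequence-number gaps, a silent source, a broken per-source hash chain), prioritise each alert by the criticality of the affected asset as Article 23(2)(c) requires, record each anomaly with the three fields Article 23(4) lists (time of occurrence, time of detection, type), and seal those recordings with an HMAC so tampering is detectable, in the spirit of Article 23(3). The source names, tolerated silence intervals, criticality labels, the HMAC key and the log records are all constructed for the example; the hash-chain and sequence-gap approach generalises to any collector that can number and chain what it ships.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed inventory (hypothetical source names): maximum tolerated silence per
# source and whether the asset supports a critical or important function.
SOURCES = {
    "core-banking-db": {"max_gap": timedelta(minutes=5), "critical": True},
    "hr-intranet": {"max_gap": timedelta(hours=1), "critical": False},
}


def record_digest(prev_digest, rec):
    """Per-source hash chain over the shipped fields: altering or dropping an
    earlier record changes every later digest."""
    body = f"{rec['source']}|{rec['ts']}|{rec['seq']}|{rec['msg']}"
    return hashlib.sha256((prev_digest + "\n" + body).encode()).hexdigest()


def ship(records):
    """Collector side: attach the chain digest to each record, per source, in order."""
    prev, out = {}, []
    for r in records:
        d = record_digest(prev.get(r["source"], ""), r)
        prev[r["source"]] = d
        out.append({**r, "digest": d})
    return out


def detect(records, now):
    """Monitor side: one record per anomaly carrying the three Article 23(4)
    fields (occurrence time, detection time, type), prioritised by the
    criticality of the source (Article 23(2)(c))."""
    anomalies = []

    def alert(kind, src, occurred_at, detail):
        anomalies.append({
            "type": kind, "source": src, "detail": detail,
            "occurred_at": occurred_at.isoformat(),
            "detected_at": now.isoformat(),
            "priority": "P1" if SOURCES[src]["critical"] else "P3",
        })

    by_src = {}
    for r in records:
        by_src.setdefault(r["source"], []).append(r)
    for src, cfg in SOURCES.items():
        prev_digest, prev_seq, last_ts = "", None, None
        for r in sorted(by_src.get(src, []), key=lambda r: r["seq"]):
            ts = datetime.fromisoformat(r["ts"])
            if prev_seq is not None and r["seq"] != prev_seq + 1:
                # Completeness: records were lost between collector and monitor.
                # A gap necessarily breaks the chain, so the chain is reseeded at
                # this record rather than reported a second time as an integrity failure.
                alert("log_collection_incomplete", src, ts,
                      f"sequence jumped {prev_seq} -> {r['seq']}")
            elif r["digest"] != record_digest(prev_digest, r):
                # Integrity: this record, or an earlier one, was modified after shipping.
                alert("log_integrity_violation", src, ts,
                      f"chain digest mismatch at seq {r['seq']}")
            prev_digest, prev_seq, last_ts = r["digest"], r["seq"], ts
        # Completeness: the source has been silent longer than tolerated; the
        # anomaly is dated to the moment the tolerated interval expired.
        if last_ts is None or now - last_ts > cfg["max_gap"]:
            alert("log_source_silent", src,
                  (last_ts + cfg["max_gap"]) if last_ts else now,
                  "no records since " + (last_ts.isoformat() if last_ts else "monitoring start"))
    anomalies.sort(key=lambda a: a["priority"])  # P1 first; stable within a level
    return anomalies


def seal(anomalies, key):
    """Article 23(3): HMAC over the canonical JSON of each recording, keyed with
    a secret (assumed to be held outside the monitored systems)."""
    return [{**a, "mac": hmac.new(key, json.dumps(a, sort_keys=True).encode(),
                                  hashlib.sha256).hexdigest()} for a in anomalies]


def verify_seal(sealed, key):
    """Return False if any recording was altered after sealing."""
    for s in sealed:
        body = {k: v for k, v in s.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, s["mac"]):
            return False
    return True


def run_example():
    """Constructed input: one dropped record and one stale source on the critical
    asset, one record altered in transit on the non-critical asset."""
    now = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)
    raw = [
        {"source": "core-banking-db", "ts": "2024-06-03T09:52:00+00:00", "seq": 1, "msg": "login ok user=batch"},
        {"source": "core-banking-db", "ts": "2024-06-03T09:53:00+00:00", "seq": 2, "msg": "txn 4711 posted"},
        {"source": "core-banking-db", "ts": "2024-06-03T09:54:00+00:00", "seq": 3, "msg": "txn 4712 posted"},
        {"source": "hr-intranet", "ts": "2024-06-03T09:30:00+00:00", "seq": 1, "msg": "page view /home"},
        {"source": "hr-intranet", "ts": "2024-06-03T09:40:00+00:00", "seq": 2, "msg": "login failed user=admin"},
    ]
    received = ship(raw)
    received = [r for r in received if not (r["source"] == "core-banking-db" and r["seq"] == 2)]  # lost in transit
    received[-1]["msg"] = "login ok user=admin"  # altered after shipping
    return detect(received, now)


if __name__ == "__main__":
    key = b"assumed-separately-held-key"
    sealed = seal(run_example(), key)
    for a in sealed:
        print(a["priority"], a["type"], a["source"], a["occurred_at"], a["detected_at"])
    print("recordings intact:", verify_seal(sealed, key))
```

On the constructed input the monitor raises two P1 alerts for the critical source (a sequence gap and a silence beyond five minutes) ahead of one P3 integrity alert for the altered intranet record, and verify_seal fails as soon as any field of a sealed recording is changed. The silence check is what catches a collector that has stopped shipping altogether, which no per-record check can see.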

Criteria Triggering Incident Detection and Response (Article 23(5)–(6) RTS RMF)

(a) Triggering Criteria (Article 23(5))

The policy must require consideration of the following criteria to trigger the ICT-related incident detection and response processes under Article 10(2) DORA:

  • indications of malicious activity or system/network compromise;
  • data losses affecting availability, authenticity, integrity or confidentiality;
  • adverse impact on transactions or operations;
  • ICT systems’ or network unavailability.

(b) Criticality Consideration (Article 23(6))

  • The policy must require consideration of the criticality of the services affected when determining whether detection and response processes must be triggered.

Articles 22 and 23 RTS RMF