AI Summary of Article 6 ICT risk management framework

Financial entities are mandated to establish a robust and well-documented ICT risk management framework, integrating this framework within their overall risk management system to ensure prompt and effective responses to ICT risks. This framework should encompass necessary strategies, policies, and tools to adequately safeguard all information and ICT assets.

Furthermore, responsibility for ICT risk management must be allocated to an independent control function, ensuring appropriate segregation of risk management duties. Regular audits by knowledgeable auditors are required to assess ICT risks and compliance, and a formal follow-up process must be in place to address any critical findings swiftly.

Version status: Applicable | Document consolidation status: No known changes
Version date: 17 January 2025 - onwards
Version 3 of 3

Article 6 ICT risk management framework

1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

2. The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.

3. In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request.