AI Summary of Article 13 Learning and evolving
Financial entities must establish robust capabilities for monitoring and analysing vulnerabilities, cyber threats, and ICT-related incidents, ensuring a comprehensive understanding of their digital operational resilience. Following any major ICT disruption, these entities are required to conduct thorough post-incident reviews and, upon request, report the resulting changes to competent authorities. These reviews should evaluate adherence to established procedures and effectiveness in incident response and communication.
Furthermore, entities should integrate lessons learned from resilience testing and real incidents into their ICT risk assessment processes, continuously map ICT risk evolution, and develop mandatory security awareness training for all employees, including third-party providers, to enhance cyber resilience and preparedness.
Article 13 Learning and evolving
1. Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.
2. Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities, the changes that were implemented following post ICT-related incident reviews as referred to in the first subparagraph.
The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:
(a) the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity;
(b) the quality and speed of performing a forensic analysis, where deemed appropriate;