AI Summary of Article 16 Simplified ICT risk management framework
This Regulation stipulates that Articles 5 to 15 will not apply to small and non-interconnected investment firms, certain payment institutions, and electronic money institutions, among others. However, these entities are still required to establish a sound ICT risk management framework that encompasses comprehensive measures for managing ICT risk, ensuring the security of their systems, and maintaining the continuity of critical functions.
Furthermore, the European Supervisory Authorities (ESAs) are tasked with developing detailed regulatory technical standards to enhance the ICT risk management framework, business continuity plans, and testing protocols, considering the size and risk profile of each entity. These standards aim to bolster the overall resilience of financial services in the face of ICT challenges.
Article 16 Simplified ICT risk management framework
1. Articles 5 to 15 of this Regulation shall not apply to small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision.
Without prejudice to the first subparagraph, the entities listed in the first subparagraph shall:
(a) put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures;
(b) continuously monitor the security and functioning of all ICT systems;
(c) minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data in the network and information systems;