Updated 10/05/2025
In force


Article 9 - Delegated Regulation 2025/305

Article 9

ICT systems and related security arrangements

For the purposes of Article 62(2), point (j), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority the following information:

(a) technical documentation of the ICT systems, DLT infrastructure relied upon, where relevant, and the security arrangements, including a description of the arrangements and deployed ICT and human resources established to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (9) as follows:

(i) a description of how the applicant ensures a sound, comprehensive and well-documented ICT risk management framework as part of its overall risk management system, including a detailed description of ICT systems, protocols and tools and of how the applicant’s procedures, policies and systems to safeguard the security, integrity, availability, authenticity and confidentiality of data comply with Regulations (EU) 2022/2554 and (EU) 2016/679;

(ii) an identification of ICT services supporting critical or important functions, developed or maintained by the applicant, and ICT services supporting critical or important functions provided by third-party service providers, a description of such contractual arrangements (identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements) and how those arrangements comply with Article 73 of Regulation (EU) 2023/1114 and Chapter V of Regulation (EU) 2022/2554;

(iii) a description of the applicant’s procedures, policies, arrangements and systems for security and incident management;

(b) if available, a description of a cybersecurity audit conducted by a third-party cybersecurity auditor having sufficient experience in accordance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 26(11) fourth subparagraph of Regulation (EU) 2022/2554 covering ideally the following audits or tests:

(i) organisational cybersecurity, physical security and secure software development lifecycle arrangements;

(ii) vulnerability assessments and scans, and network security assessments;

(iii) configuration reviews of ICT assets supporting critical and important functions as defined in Article 3, point (22) of Regulation (EU) 2022/2554;

(iv) penetration tests on the ICT assets supporting critical and important functions as defined in Article 3, point (17) of Regulation (EU) 2022/2554, in accordance with all the following audit test approaches:

(1) black box: the auditor has no information other than the IP addresses and URLs associated with the audited target. This phase is generally preceded by the discovery of information and the identification of the target by querying domain name system (DNS) services, scanning open ports, discovering the presence of filtering equipment, etc.;

(2) grey box phase: auditors have the knowledge of a standard user of the information system (legitimate authentication, ‘standard’ workstation, etc.). The identifiers can belong to different user profiles in order to test different privilege levels;

(3) white box phase: auditors have as much technical information as possible (architecture, source code, telephone contacts, identifiers, etc.) before starting the analysis and also access to technical contacts related to the target;

(v) where the applicant uses and/or develops smart-contracts, a cybersecurity source code review of them;

(c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;

(d) a description of the relevant information referred to in points (a) and (b) in non-technical language.


(9)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj).