RTS (EU) 2024/1774 – ICT Risk Management
| Property | Value |
|---|---|
| Number | Delegated Regulation (EU) 2024/1774 |
| DORA Article | Art. 15 (empowerment) |
| Pillar | P1 – ICT Risk Management |
| Publication | 25.06.2024 (Official Journal of the EU) |
| Applicable since | 17.01.2025 |
| EUR-Lex | Link |
Content
The RTS specifies the complete ICT risk management framework including:
- Governance – Roles, responsibilities, reporting lines
- ICT asset inventory – Identification, classification, documentation
- Risk assessment – Methodology, thresholds, updates
- Security controls – Access control, cryptography, network security
- BCP/DRP – Business continuity, disaster recovery, recovery point and recovery time objectives (RPO/RTO)
- Simplified framework – For microenterprises under Art. 16
Policies (Minimum Content)
The RTS defines minimum content for the following policies:
- ICT security policy
- Access control policy (incl. multi-factor authentication (MFA) and privileged access management (PAM))
- Cryptography policy
- ICT project management policy (security across the software development life cycle, SDLC)
- ICT procurement policy
- Physical security policy
- Capacity management policy
- ICT change management policy
BAUER GROUP Relevance
As an ICT service provider, BAUER GROUP must be able to demonstrate that its own internal processes comply with these standards – particularly in response to audit requests from financial sector clients.
→ Implementation details: P1: ICT Risk Management