2024-12-27

Decision on Minimum Information-Communication System Management Standards for Financial Institutions

The Executive Board of the National Bank of Serbia issued this Decision to establish minimum standards for the safe management of information-communication systems within Serbian financial institutions. The regulation mandates the implementation of comprehensive ICT risk management frameworks, including regular assessments, defined risk appetites, and robust internal audit procedures. It further requires institutions to maintain strict security policies, ensure business continuity through disaster recovery plans, and report significant ICT risks and incidents to the central bank.


Serbia

National Bank of Serbia


RS Official Gazette, No 102/2024

Pursuant to Article 15, paragraph 1 and Article 63, paragraph 3 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 – CC Decision and 44/2018), the Executive Board of the National Bank of Serbia issues

DECISION ON MINIMUM INFORMATION-COMMUNICATION SYSTEM MANAGEMENT STANDARDS FOR FINANCIAL INSTITUTIONS

I. INTRODUCTORY PROVISIONS

1. This Decision lays down minimum standards and requirements for safe and sound information-communication system (hereinafter: ICT system) management in banks, insurance undertakings, financial lessors, voluntary pension fund management companies, as well as in payment institutions, electronic money institutions and the public postal operator in the part of their activities regarding the provision of payment services and/or issuance of electronic money (hereinafter: financial institution). This Decision also lays down minimum standards for business continuity management and disaster recovery in a financial institution.

This Decision applies to all financial institutions, unless stipulated otherwise.

2. For the purposes of this Decision:

1) ICT system means a comprehensive set of technological infrastructure (hardware and software assets), organisation, people and procedures for the collection, processing, storage, transfer, presentation and use of data and information;
2) ICT system resources means software assets, hardware assets, network assets and information assets;
3) software assets means all types of system and application software, software development tools and other software;
4) hardware assets means computer equipment, communication equipment, data storage media, and other technical equipment supporting the functioning of the information system;
5) electronic communications network has the meaning laid down in the law governing electronic communications;

6) information assets means data in files and databases, program code, configuration of hardware assets, technical and user documentation, general internal acts, procedures, etc.;
7) information technology (IT) means a combination of hardware and software assets enabling automatic generation, collection, processing, storage, transfer, presentation and/or use of information;
8) IT system means information technology regulated as part of a mechanism or an interconnecting network that supports the operations of a financial institution;
9) IT service means a service provided by the IT system to internal or external users;
10) ICT system users means all persons authorised to use the ICT system (employees in a financial institution, employees in other entities accessing the ICT system of a financial institution, clients of a financial institution accessing the institution’s information system through electronic interactive communication channels, etc.);
11) ICT system risk means the possibility of negative effects on the financial result and capital, achievement of business objectives, operation in accordance with regulations, and reputation of a financial institution due to inadequate information system management or other system weaknesses which negatively affect the system’s functionality or security, and/or compromise the business continuity of the financial institution;
12) risk appetite means the level and types of risks that a financial institution is willing to assume within its risk capacity to achieve its strategic objectives;
13) controls means policies, procedures, practices, technologies and organisational structures relating to the ICT system and established to reasonably ensure that the business objectives of a financial institution will be achieved and that undesired events will be prevented or detected. Controls may differ by the implementation method (administrative, technical and physical) and purpose (preventive, detective and corrective);
14) administrative controls means the adoption and implementation of policies, standards, plans, procedures and other internal acts, and the establishment of an appropriate organisational structure, for the purpose of achieving and maintaining an adequate level of ICT system functionality and security;
15) technical controls means controls implemented in hardware and software assets of the ICT system;
16) physical controls are controls protecting ICT system resources from unauthorised physical access, theft, physical damage or destruction;
17) preventive controls means controls aimed at preventing problems and incidents;
18) detective controls means controls aimed at detecting and recognising problems and incidents, and identifying problems and incidents which occurred;
19) corrective controls means controls aimed at limiting and eliminating problems and consequences of incidents;
20) incident means every unplanned and undesired event that may compromise the ICT system’s security or functionality;
21) ICT incident means an event or a series of linked events unplanned by the financial institution that threaten the security of network and information systems and have an adverse impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial institution;
22) ICT system security means upholding the principles of confidentiality, integrity, availability, authenticity, accountability, non-repudiation and reliability in the ICT system;
23) operational or security incident means a singular event or a series of linked events unplanned by the financial institution that has or may have an adverse impact on the integrity, availability, confidentiality and/or authenticity of data or on payment-related services within the meaning of the law regulating payment services;
24) cyber threat means any event or action that could damage or disrupt network and information systems, processes and services, including hacker attacks, malware distribution, unauthorised network and database access, and other types of attacks;
25) confidentiality means that data and information are not disclosed or made available to unauthorised persons;
26) integrity means that data, information and processes are protected from unauthorised or unforeseen modifications, and/or that any such modifications do not remain undetected;
27) availability means that data, information and processes are available and usable upon request of the authorised party;
28) accessibility means that the services provided by a financial institution and the services relating to the provision of payment services to clients are entirely accessible and usable, in line with the acceptable levels predefined by the financial institution;
29) authenticity means that parties involved are who they claim they are;
30) accountability means that each activity in the information system may be traced uniquely to its source;
31) non-repudiation means that an activity performed in the ICT system or receipt of information cannot be denied;
32) reliability means that the ICT system consistently and expectedly performs the anticipated functions and provides correct information;
33) authorisation means granting access rights to ICT system users;
34) identification means user identity presentation upon login and in the course of activity in the ICT system;
35) authentication means user identity verification and confirmation based on the following elements or their combination:
– something that only the user knows (e.g. password, personal identification number, etc.),
– something that only the user possesses (e.g. magnet card, chip card, token, cryptographic key, etc.),
– something that only the user is (biometric characteristics such as the fingerprint, iris, voice, handwriting, etc.);
36) privileged access to the ICT system means access to ICT system resources which enables authorised users (administrators of system software, network, databases, etc.) to override technical controls;
37) remote access to the ICT system means access to ICT system resources from a remote location by using the telecommunication infrastructure over which a financial institution does not have full control;
38) operational and system logs means chronological logs about events and activities on ICT system resources (logs of operating systems, application software, databases, network devices, etc.);
39) malware means any type of program code created with the intention to gain unauthorised access to ICT system resources, collect information, cause unexpected behaviour or interruption in the functioning of this system, and/or to otherwise potentially jeopardise the confidentiality, integrity or availability of these resources (e.g. computer viruses, worms, Trojan horses, etc.);
40) critical/key business processes means business processes or functions whose inadequate functioning may significantly jeopardise the operation of a financial institution;
41) maximum acceptable outage (MAO) means the maximum acceptable period of unavailability of a business process, and/or the critical time for process recovery;
42) service delivery objective (SDO) means the adequate level of business process recovery which should be achieved within the recovery time objective;
43) recovery time objective (RTO) means a period, and/or phases in the period during which the adequate level of business process recovery is to be achieved;
44) recovery point objective (RPO) means the longest acceptable period from the last backup copy until the occurrence of unavailability of a business process and/or the longest acceptable period for which data can be lost;
45) backup copy means the copy of at least those source data (software assets and information assets) which are needed for the recovery and/or reestablishment of business processes.

II. ICT SYSTEM MANAGEMENT FRAMEWORK

3. In accordance with the nature, scope and complexity of operations, a financial institution shall establish an adequate ICT system which meets the following minimum conditions:

1) possesses functionalities, capacity and performances enabling the provision of appropriate support to business processes;
2) provides timely, accurate and complete information important for making business decisions, efficient performance of business activities and risk management, and/or for safe and stable operation of a financial institution;
3) is designed to include adequate controls for validation of data entering the system, data being processed and data exiting the system, in order to prevent inaccuracies and inconsistencies of data and information.

A financial institution shall ensure that all data processing systems important for business operation, including the reporting system, are an integral part of the ICT system.

4. In accordance with the nature, scope and complexity of operations and the complexity of the ICT system, a financial institution shall establish, supervise, regularly review and upgrade the process of managing this system, for the purpose of reducing the exposure to risks and preserving the security and functionality of the system, and shall define by a general internal act, in accordance with law, the authorisations and responsibilities of its management and supervision bodies relating to these activities.

5. In accordance with its business strategy and the nature, scope and complexity of operations, a financial institution shall adopt an ICT system development strategy, for a period of at least three years. The ICT system development strategy shall define:

1) how the ICT system should evolve to effectively support and participate in the business strategy, including the evolution of its organisational structure, ICT system changes and key dependencies with third parties;
2) evolution of the architecture of the ICT system, including third party dependencies;
3) clear ICT system security objectives.

In line with the ICT system development strategy, a financial institution shall establish appropriate strategic and action plans that contain measures to be taken to achieve the objectives of the ICT system strategy. The action plans should, as a minimum, contain a description of the activities and projects referred to in Section 8 hereof, contractors, responsible persons, budgets and deadlines for the performance of planned activities.

A financial institution shall set up a process of regular review of implementation of the strategy referred to in paragraph 1 hereof and modify it as needed, if this is required by amendments and/or supplements to its business strategy.

A financial institution shall provide the funds sufficient for the implementation of the strategy referred to in paragraph 1 hereof.

A financial institution shall notify the National Bank of Serbia of any amendment and/or supplement to the ICT system development strategy within 15 days from its adoption.

6. For the purpose of adequate ICT system management, a financial institution shall provide an adequate organisational structure, with a clearly defined distribution of tasks and responsibilities of employees, and/or with established internal controls which prevent the conflict of interest.

Within the organisational structure referred to in paragraph 1 hereof, a financial institution shall clearly define the tasks and responsibilities of the employees which are directly related to efficient and appropriate management of ICT system security.

7. A financial institution shall ensure the application of all general internal acts and procedures relating to the ICT system, and shall also ensure that all system users are familiar with the content of these acts and procedures, in accordance with their authorisations, responsibilities and needs.

8. A financial institution shall adopt a methodology to determine the criteria, manner and procedures for managing ICT system projects.

An ICT system project is any project, or part thereof, where these systems or services are established, changed, replaced, dismissed or implemented, and it can be part of wider project or business transformation programmes.

9. A financial institution shall determine the criteria, manner and procedures for reporting to its competent body about relevant facts relating to information system functionality and security.

III. ICT SYSTEM RISK MANAGEMENT

10. The provisions of the regulations on the general terms and method of managing the risks in the operations of financial institutions shall also apply to ICT system risk management, unless stipulated otherwise by this Decision.

11. Within its comprehensive risk management system, a financial institution shall establish the ICT system risk management process which

includes risk identification, measurement, assessment, mitigation, monitoring and control.

In accordance with the nature, scope and complexity of operations, a financial institution shall ensure the independence and objectivity of the organisational part and/or persons directly responsible for monitoring and controlling the risk referred to in paragraph 1 hereof and/or of the organisational part and/or persons which are not engaged in the operational activities where the ICT system risk arises and, in particular, which do not participate and are not engaged in the operations and activities for which the organisational part for IT operations is in charge.

In its general internal acts, a financial institution shall regulate the manner, dynamics and submission of reports on ICT system risks to competent bodies, so that the organisational part and/or persons referred to in paragraph 2 hereof report on the financial institution’s exposure to ICT system risks and on all regular and extraordinary activities relating to the management of these risks.

12. A financial institution shall manage the ICT system risk so as to ensure smooth management of system security and business continuity of a financial institution.

ICT system risk management must cover the entire information system of a financial institution and must be integrated in all phases of system development.

In its general internal acts, a financial institution shall establish the rules for managing ICT system risks, including in particular:
– risk appetite in the ICT system;
– methods and parameters for ICT system risk assessment based on which the risk is identified and measured (e.g. threat, vulnerability, probability, impact, etc.);
– procedures to define measures to control the ICT system risk, including the introduction of new and/or modification of existing controls in order to mitigate this risk, and the taking of actions to adjust these measures as needed;
– procedures for monitoring the implementation and efficiency of the applied measures to control the ICT system risk;
– procedures for monitoring the number of identified operational or security incidents, including incidents reported to the National Bank of Serbia;
– requirement that, before decision is made on implementing changes to the ICT system, measures should be identified and/or risks assessed of the

relevant part of the ICT system which arise from any major changes to this system, services and/or the process of managing this system;
– requirement to identify, measure and/or assess the risk of the relevant part of the ICT system after each major operational or security incident;
– timeline for carrying out regular, comprehensive identification and assessment of the ICT system risk, at least once a year;
– authorisations and responsibilities of the bodies and employees of a financial institution for ICT system risk management for all business process and decision-making levels, in a manner preventing a conflict of interest.

When making an assessment of the ICT system risk, a financial institution shall take into account the classification of information assets referred to in Section 24, paragraph 1 hereof and/or the sensitivity and criticality of these assets.

13. Based on the results of the ICT system risk assessment, a financial institution shall, depending on its risk appetite, determine which measures to take to reduce these risks to an acceptable level, and, if necessary, make changes to the existing business processes, control measures, IT systems and/or IT services.

A financial institution shall assess the time needed to implement the changes referred to in paragraph 1 hereof and, if needed and in line with the risk appetite of its ICT system, define temporary measures to reduce this risk, to be applied until the planned changes are implemented.

14. A payment service provider within the meaning of the law regulating payment services shall submit the results of the comprehensive assessment of the ICT system risk and of the operational and security risks relating to payment services to the National Bank of Serbia, once a year or after major changes or incidents in the ICT system.

15. A financial institution shall adequately manage the risks arising from contractual relations with legal and natural persons whose activities refer to its ICT system.

A financial institution shall continuously supervise the manner and quality of performance of the contracted activities referred to in paragraph 1 hereof.

IV. INTERNAL AUDIT OF THE ICT SYSTEM

16. In accordance with the nature, scope and complexity of operations, and the complexity of the ICT system, a financial institution shall cover by its internal

audit methodology the criteria, manner and procedures for the internal audit of this system based on the results of risk assessment.

A financial institution shall make sure that the audit referred to in paragraph 1 hereof is performed by an auditor with knowledge and experience in ICT system risks.

The frequency and focus of the audit referred to in paragraph 1 hereof should be commensurate with the estimated ICT system risks to which the financial institution is exposed.

A financial institution shall establish a process to monitor the implementation of measures for the removal of irregularities, weaknesses and deficiencies identified during the audit referred to in paragraph 1 hereof.

17. Internal audit of the ICT system shall be performed in accordance with regulations governing the operations of financial institutions.

V. ICT SYSTEM SECURITY

18. In accordance with the complexity of the ICT system, a financial institution shall adopt a general internal act to establish a framework for system security management (hereinafter: ICT system security policy).

The ICT system security policy shall define in particular the principles, manner and procedures of achieving and maintaining the adequate level of system security, including the authorisations and responsibilities relating to system security and resources.

A financial institution shall harmonise the ICT system security policy with changes in the environment and in the ICT system, as well as in cases of security breaches and risk assessment of the system.

By means of its security policy, a financial institution shall ensure the confidentiality, integrity and availability of the logical and physical assets of the ICT system, in line with their criticality and data sensitivity, whether at rest, in transit or in use.

19. A financial institution shall establish the process of ICT system security management as a continuous process of identifying the needs for such security and achieving and maintaining an adequate level of such security.

In relation to the process referred to in paragraph 1 hereof, a financial institution shall establish a system to detect events that may impact the security of the ICT system and to respond to these events appropriately.

As part of the process referred to in paragraph 1 hereof, a financial institution shall implement effective controls for detecting physical and logical intrusion as well as breaches of confidentiality, integrity and availability of information, and controls for detecting unwanted information leakages, presence of malware, and the use of software which contains technical vulnerabilities.

20. In accordance with the nature, scope and complexity of operations, as well as ICT system complexity, a financial institution shall:

1) carry out the distribution of tasks related to system security in such a way that the internal acts governing the organisation of its operations may clearly define security-related tasks and responsibilities of employees;
2) nominate the key employees in charge of ICT system security, taking care of the fact that their position has a significant impact on security-related activities and decisions;
3) involve a sufficient number of employees with appropriate expertise and professional experience in ICT system security management.

The persons referred to in paragraph 1 hereof shall continuously monitor the security and operational threats that could significantly impact the financial institution’s capacity to provide services and keep track of the development of technologies and trends in ICT system security in order to be aware of the potential security risks.

The persons referred to in paragraph 1 hereof shall timely report to the competent bodies of the financial institution about regular and extraordinary activities taken in order to monitor information security, and in particular about detected events that have impacted or may impact the financial institution’s information security.

21. A financial institution shall identify and monitor the needs for ICT system security, at least based on the results of risk assessment and obligations arising from regulations, general internal acts, contractual relations, etc.

22. For the purpose of achieving and maintaining an adequate level of ICT system security, a financial institution shall establish adequate controls.

A financial institution shall, on an ongoing basis, monitor changes in the existing operational environment, estimate their impact on the effectiveness of the existing security measures and, as needed, introduce additional measures to mitigate the ICT system security risk.

23. In accordance with the nature, scope and complexity of operations, as well as ICT system complexity, in its general internal acts a financial institution

shall define the manner of testing system security in order to validate the reliability and effectiveness of the established security measures.

In accordance with the nature, scope and complexity of operations, as well as ICT system complexity, a financial institution shall carry out the testing referred to in paragraph 1 hereof in line with the assessment of the level of ICT system security risk (e.g. penetration tests, vulnerability scanning, network and application security tests, etc.), and ensure that the tests are conducted by persons with sufficient knowledge, skills and experience in such testing.

In accordance with the nature, scope and complexity of operations, as well as with ICT system complexity and the assessed risks, a financial institution shall periodically repeat the testing referred to in paragraph 1 hereof.

A payment service provider within the meaning of the law on payment services shall conduct the testing referred to in paragraph 1 of this Section at least once a year for all critical ICT system resources and/or at least once every three years for resources which are not considered critical.

In the event of changes to ICT system resources, important processes and procedures, introduction of new or major changes to the existing internet-facing critical application, as well as after major operational or security incidents, a financial institution shall conduct appropriate extraordinary testing of ICT system security.

Based on the results of the tests referred to in paragraph 1 hereof, a financial institution shall adjust its ICT system security measures, and it shall do so without delay in the case of critical ICT system resources.

24. In its general internal acts, a financial institution shall determine in more detail the criteria, manner and procedures for classifying information assets according to the degree of sensitivity and criticality – in light of possible consequences of jeopardising their confidentiality, integrity and availability, and shall consistently implement such classification and accordingly ensure an adequate level of protection of these assets.

A financial institution shall appoint a person and/or persons employed in that institution who shall be responsible for the management, classification and protection of information assets.

25. A financial institution shall implement adequate control of access to ICT system resources and shall, in relation to this, establish an adequate system of managing user access rights.

The system of managing user access rights shall include in particular the processes of registering, authorisation, identification and authentication of ICT system users, including supervision of user access rights.

A financial institution shall ensure that the authorisation of ICT system users be based on the following principles:
– need-to-know principle, including access to information;
– least privilege principle, i.e. granting users minimum access rights that are required to efficiently execute their duties;
– principle of segregation of duties, where users are not allocated a combination of access rights that may be used to circumvent controls;
– where possible, users of the ICT system are allocated personalised, easily identifiable user accounts, where a single account is used by a single user, so that users can be clearly identified for the actions performed in the system and in order to ensure accountability;
– there are strong controls over privileged system access by limiting and closely supervising accounts with elevated system access entitlements (e.g. system administrator accounts). Remote privileged access shall be granted only on a need-to-know basis and when strong authentication solutions are used (such as two-factor authentication);
– user activities and, in particular, all activities by privileged users should be logged in system and operational logs, and these logs should be produced, monitored and retained in line with the criticality of the ICT system resources referred to in Section 24, paragraph 1 hereof, in order to timely detect unauthorised access and activities in the ICT system.

A financial institution shall revise user access rights periodically and when required, but at least once a year, to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required.

When managing user access rights, a financial institution shall regulate in particular the privileged and remote access to the ICT system.

26. Based on the results of ICT system risk assessment, a financial institution shall establish an appropriate system for monitoring this system and generating operational and system logs.

A financial institution shall ensure adequate protection, and specify the retention period, as well as the frequency, scope and manner of monitoring the logs referred to in paragraph 1 hereof.
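The authorisation principles and the annual review required by Section 25 can be expressed as a concrete check over an account inventory. The Python script below is an added example; it is not part of the Decision and not tooling of the National Bank of Serbia. The role model, the account inventory, the conflicting-duty pairs and the review date are all constructed for illustration, and the right names (e.g. core.post, os.root) are hypothetical.

```python
"""Access-rights review helper for the authorisation principles in Section 25.

Added illustrative code, not part of the Decision or any NBS tooling. The role
model, account inventory and conflicting-duty pairs below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)   # Section 25: review at least once a year
TODAY = date(2024, 12, 27)            # constructed review date

# Hypothetical role model: the minimum rights each role needs (least privilege).
ROLE_RIGHTS = {
    "teller": {"core.read", "core.post"},
    "reconciler": {"core.read", "recon.approve"},
    "sysadmin": {"core.read", "os.root"},
}
# Rights that count as privileged (they override technical controls, item 36).
PRIVILEGED_RIGHTS = {"os.root", "db.dba"}
# Duty pairs one person must not hold together (segregation of duties).
CONFLICTING = [({"core.post"}, {"recon.approve"})]


@dataclass
class Account:
    name: str
    role: str
    rights: set
    holders: list            # natural persons who use the account
    remote: bool = False     # remote access granted (item 37)
    mfa: bool = False        # strong (two-factor) authentication enforced
    last_review: date = date(2000, 1, 1)


def review(accounts, today):
    """Return (account, finding, detail) tuples for every principle violated."""
    findings = []
    for a in accounts:
        excess = a.rights - ROLE_RIGHTS.get(a.role, set())
        if excess:                                   # least privilege
            findings.append((a.name, "excess-rights", sorted(excess)))
        for left, right in CONFLICTING:              # segregation of duties
            if left & a.rights and right & a.rights:
                findings.append((a.name, "segregation-of-duties", sorted(left | right)))
        if len(a.holders) != 1:                      # one account, one user
            findings.append((a.name, "shared-account", list(a.holders)))
        if a.rights & PRIVILEGED_RIGHTS and a.remote and not a.mfa:
            findings.append((a.name, "privileged-remote-without-mfa", []))
        if today - a.last_review > REVIEW_PERIOD:    # at least annual review
            findings.append((a.name, "review-overdue", [a.last_review.isoformat()]))
    return findings


# Constructed inventory.
SAMPLE = [
    Account("jdoe", "teller", {"core.read", "core.post"}, ["J. Doe"],
            last_review=date(2024, 9, 1)),
    Account("mrak", "teller", {"core.read", "core.post", "recon.approve"}, ["M. Rak"],
            last_review=date(2024, 6, 1)),
    Account("ops-shared", "sysadmin", {"core.read", "os.root"}, ["A. Ops", "B. Ops"],
            remote=True, mfa=False, last_review=date(2023, 11, 1)),
    Account("dba1", "sysadmin", {"core.read", "os.root", "db.dba"}, ["D. Ba"],
            remote=True, mfa=True, last_review=date(2024, 12, 1)),
]


def review_sample():
    return review(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, finding, detail in review_sample():
        print(f"{name:12} {finding:32} {detail}")
```

Each finding maps to one bullet of Section 25: excess rights against the role model (least privilege), a posting right combined with an approval right (segregation of duties), an account with more than one holder (personalised accounts), privileged remote access without two-factor authentication, and an account not reviewed within the last year. In a real review the role model and inventory would come from the institution's identity management system rather than from literals.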

The logs referred to in paragraph 1 hereof must contain a sufficient quantity of information to enable the identification of problems, reconstruction of events, detection of unauthorised access and activities relating to information system resources, as well as to enable the establishment of related responsibilities.

27. In its general internal acts, a financial institution shall define and apply appropriate physical security controls for the resources of the ICT system and other systems supporting this system in order to protect premises, data centres and sensitive areas from unauthorised physical access, theft, physical damage or destruction caused by human or environmental factors (static electricity, high temperature, fire, flood, etc.).

A financial institution shall ensure that physical access to the ICT system is monitored and that access is only permitted to authorised individuals in accordance with their tasks and responsibilities.

Physical access rights shall be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required.

28. A financial institution shall protect ICT system resources against malware by applying appropriate controls.

VI. BUSINESS CONTINUITY MANAGEMENT AND DISASTER RECOVERY

29. In order to ensure smooth and continuous functioning of all its important systems and processes, and to limit losses in emergency situations, a financial institution shall establish the business continuity management process.

30. A financial institution shall ensure that business continuity management is based on the business impact analysis and risk assessment, which include in particular:

  1. establishment of resources and systems needed for the performance of individual business processes, their interdependence and interrelatedness;
  2. risk assessment relating to individual business processes, including the probability of occurrence of undesired events and their potential impact on business continuity, financial situation and reputation of the financial institution;
  3. establishment of acceptable levels of risks and techniques for mitigation of identified risks;
  4. establishment of the maximum acceptable outage (MAO) of individual business processes;
  5. establishment of critical/key business processes and activities.

In accordance with the implemented activities referred to in paragraph 1 hereof, a financial institution shall adopt the recovery strategy to be implemented in case of interruption of operation, which shall contain in particular:

  1. priorities of recovery of business processes, as well as resources and systems needed for their implementation;
  2. service delivery objectives (SDO);
  3. recovery time objectives (RTO);
  4. recovery point objectives (RPO).

A financial institution shall ensure that its ICT system and the services it provides by means of that system are aligned with its business impact analysis, and establish the redundancy of certain critical components of the system to prevent disruptions caused by events impacting those components.

31. Based on the activities implemented in accordance with Section 30 hereof, the managing board of a bank and a financial lessor, and/or the competent body of an insurance undertaking, voluntary pension fund management company, payment institution, electronic money institution and the public postal operator shall adopt the business continuity plan and the disaster recovery plan, which primarily determine the creation of conditions for the recovery and availability of ICT system resources needed for the performance of critical/key business processes.

The business continuity plan shall contain in particular:
  1. description of procedures in case of interruption of operation;
  2. updated list of all resources necessary for the reestablishment of business continuity;
  3. list of priorities to be acted upon in case it is necessary to recover several business activities;
  4. data on teams to be responsible for the reestablishment of operation in case of occurrence of unforeseen events and data on appointed members of these teams, including their clearly stipulated duties and responsibilities, and the plan of internal and external lines of communication;
  5. the alternate site – in case of interruption of operation and inability to resume business processes on the primary site.

The disaster recovery plan shall contain in particular:

  1. procedures for ICT system recovery in case of disasters;
  2. conditions to be met in order to implement the disaster recovery plan;
  3. priorities of recovery of ICT system resources;
  4. data on teams to be responsible for ICT system recovery and on the appointed members of these teams, including their clearly defined duties and responsibilities;
  5. data on key service providers;
  6. data on alternate sites for ICT system recovery, and/or location of secondary data centres.

For the purpose of efficient implementation of the plans referred to in paragraph 1 hereof, a financial institution shall ensure that all employees are familiar with their roles and responsibilities in case of emergency situations.

A financial institution shall take all necessary activities to align the plans referred to in paragraph 1 hereof with business changes, including changes in products, activities, processes and systems, changes in the environment and the business policy and strategy, as well as the experience from earlier incidents and newly identified risks and threats.

A financial institution shall, periodically and after the occurrence of significant changes, but at least once a year, test the plans referred to in paragraph 1 hereof, document the results of these tests and ensure their incorporation in reporting to the competent body of the financial institution.

The testing referred to in paragraph 6 hereof shall demonstrate whether a financial institution can successfully switch to alternative performance of critical business activities from the disaster recovery environment and whether they can be run in this way for a sufficiently long period of time, as well as whether regular operation and stability of the ICT system can be restored afterwards.
The executive board of a bank and financial lessor, and/or the competent body of an insurance undertaking, voluntary pension fund management company, payment institution, electronic money institution and the public postal operator which manages the company's activities in line with the law, shall be responsible for the implementation of the plans referred to in paragraph 1 and paragraphs 4–7 hereof.

32. In managing business continuity, a financial institution shall also take into account the outsourced activities and the dependence on the services of the persons to which these activities are outsourced.

33. In case of circumstances requiring the implementation of the business continuity plan and the disaster recovery plan, a financial institution shall inform the National Bank of Serbia thereof, by no later than the next day following the occurrence of these circumstances.

The National Bank of Serbia may require additional documentation relating to relevant facts about these circumstances and may set a deadline for the submission of such documentation.

In case of events requiring the implementation of the business continuity plan and the disaster recovery plan, a financial institution shall inform all internal and external stakeholders thereof and maintain communication with them.

34. A financial institution shall establish the backup management process, and shall determine detailed procedures and responsibilities for this purpose.

The procedures referred to in paragraph 1 hereof should contain the type, scope, manner and frequency of making backup data copies, the manner of testing, the manner and frequency of storing these copies at a remote location, the period of storing the backup copies and the manner of keeping records of such copies.

Backup management must include the procedures for backup copy creation, storage and testing, as well as the restoration of data and software assets, so as to enable the reestablishment of business processes within the recovery time objective.

A financial institution shall ensure that backup copies are up-to-date and adequately protected, and that recovery procedures are tested and successful.

At least one up-to-date and complete backup copy must be adequately stored at an appropriate distance from the source location, based on the results of the ICT system risk assessment and taking into account the need to avoid the impact of the same risks on both locations.

35. Based on the activities taken in accordance with Section 30 hereof, a financial institution shall ensure the availability of the secondary data centre with appropriate equipment, functionality and security level, at an appropriate distance from the primary data centre, taking into account the need to avoid the impact of the same risks on both locations.

VII. ICT INCIDENT MANAGEMENT AND REPORTING

36. A financial institution shall establish and implement the ICT incident management process providing a timely and efficient response in case of breach of security or functionality of ICT system resources.

37. In its internal acts, a financial institution shall determine the manner of classification of major ICT incidents, the manner of reporting on such incidents to the National Bank of Serbia and the criteria based on which it assesses their significance.

38. A financial institution shall also include in major ICT incidents the incidents that originate in persons related to the financial institution by ownership and/or management relations (persons holding a participation, members of the group of companies to which the institution belongs, etc.) which operate in the Republic of Serbia or abroad, as well as the incidents that originate in service providers to which the financial institution outsourced the activities, which affect the services provided by the financial institution either:

  1. directly, where a payment-related service is provided by a related person or a service provider affected by the incident, or
  2. indirectly, where the financial institution’s capacity to keep providing services is jeopardised in another way as a result of the incident in a related person or service provider.
39. A financial institution shall establish appropriate procedures and processes to ensure consistent and integrated monitoring, handling and follow-up of ICT incidents, and to make sure that the root causes are identified and documented to prevent their recurrence.

40. In accordance with the nature, scope and complexity of operations, within the process of ICT incident management referred to in Section 36 hereof a financial institution shall:
  1. establish early warning indicators;
  2. establish procedures to identify, track, log, categorise and classify ICT incidents according to priority and severity, as well as the criticality of the affected services, in accordance with the criteria laid down in Section 42, paragraph 1 hereof;
  3. assign roles and responsibilities for different types and scenarios of ICT incidents;
  4. establish communication plans that include employees of the financial institution, persons related to the financial institution (stakeholders), the public and the media depending on the nature of the ICT incident;
  5. establish plans for notifying clients in accordance with the incident escalation procedure, including user complaints related to the ICT system;
  6. ensure reporting to and informing the competent authority about major ICT incidents, their consequences, the responses to them and additional controls to be implemented to prevent their recurrence;
  7. establish response procedures for ICT incidents to mitigate the consequences and ensure that the services are made available and secure in a timely manner.

41. A financial institution shall classify as major those ICT incidents that, based on the assessment referred to in Section 42 hereof, are established to fulfil:

  1. one or more criteria at the higher impact level; or
  2. three or more criteria at the lower impact level.

The criteria at the higher and at the lower impact level referred to in paragraph 1 hereof are provided in Annex 1, which is integral to this Decision.

A financial institution shall make the classification referred to in paragraph 1 hereof in a timely manner, but no later than 24 hours after the detection of the incident and without undue delay after the information required for the classification of the incident is available.

Notwithstanding paragraph 3 hereof, if a financial institution needs more than 24 hours from its detection to classify an incident, it shall notify the National Bank of Serbia of the incident (initial report) in accordance with Section 44, paragraph 1 hereof.

42. A financial institution shall assess ICT incidents against the following criteria and their underlying indicators:

  1. transactions or services affected by the incident – the financial institution determines the total value of the transactions affected, as well as the number of transactions compromised as a percentage of the regular volume of operations;
  2. total number of clients, users of the affected services – the financial institution determines the total number of clients affected by the incident and their percentage share in the total number of the financial institution’s clients, taking into account both the number of clients and their significance and, where applicable, the number of transactions affected. The number of clients means the number of all affected clients, regardless of whether they are natural or legal persons, which are or were not able to use the service provided by the financial institution during the incident or which were negatively impacted by the incident;
  3. breach of security of network or ICT system – the financial institution determines whether any malicious action has compromised the security of network or ICT systems related to the provision of payment services;
  4. service downtime – the financial institution determines the period of time during which the service will likely be unavailable to the client or service user, or during which the payment order cannot be fulfilled by the payment service provider, taking into account the duration of the ICT incident, downtime of the ICT system or its part, or suspension in the operation or service provision (suspension/downtime). Downtime is counted from the moment the downtime starts, and/or from the moment it is detected, until the moment it is resolved;
  5. economic impact – the financial institution determines the costs associated with the ICT incident holistically and takes into account both the absolute figure and, when applicable, the relative importance of these costs in relation to the size of the financial institution, and/or its Tier 1 capital. This refers to both direct and indirect costs and losses. In particular, a financial institution takes into account expropriated funds or assets, replacement costs of hardware or software assets, other forensic and remediation costs, legal protection costs and compensations to clients, fees due to non-compliance with contractual obligations, penalties, other liabilities and lost revenues;
  6. high level of internal escalation – the financial institution determines whether this incident has been or will likely be reported to members of its managing bodies;
  7. other financial institutions or relevant infrastructure potentially affected – the financial institution determines the systemic implications the incident is likely to have, i.e. its potential to spill over beyond the initially affected financial institution to other financial institutions, financial market infrastructures and/or payment schemes. In particular, a financial institution assesses whether the incident has spilled over or will likely spill over to other financial institutions, whether it has affected or will likely affect the smooth functioning of financial market infrastructures and whether it has compromised or will likely compromise the sound operation of the financial system as a whole;
  8. reputational impact – the financial institution determines how the incident can undermine users' trust in the financial institution or the market as a whole.
A financial institution shall consider that reputational impact has occurred if at least one of the following criteria is met:

  – the incident received media coverage,
  – the incident resulted in several complaints by different clients in relation to services or critical/key business relations,
  – the financial institution will (likely) not be able to comply with regulatory requirements due to the incident,
  – contractual obligations have been breached due to the incident, resulting in the publication of legal actions against the financial institution, and
  – the financial institution will (likely) lose clients which have a significant impact on its operations due to the incident.

In addition to the above criteria for classifying ICT incidents, a financial institution shall also consider:

  1. the geographical spread of the incident with regard to the area affected by the ICT incident, particularly if it affects more than two states where the financial institution operates or outsources activities to third parties, including persons related to the financial institution;
  2. data losses that the ICT incident entails, in relation to:
     – data availability, i.e. whether the incident has rendered the data temporarily or permanently inaccessible or unusable,
     – data authenticity, i.e. whether the incident has compromised the trustworthiness of the source of data,
     – data integrity, i.e. whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete, and
     – data confidentiality, i.e. whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system;
  3. the criticality of the services affected, including the financial institution's transactions and operations.

A financial institution assesses whether the ICT incident affects key or important functions of the financial institution, financial services that require authorisation, registration or that are supervised by the National Bank of Serbia, or whether it represents or represented a successful, malicious and unauthorised access to the network and information systems of the financial institution.

Recurring incidents, which are individually not considered to be major incidents in line with paragraph 1 hereof, shall be considered to represent a single major incident if they meet the following conditions:

  1. they have occurred at least twice in six months;
  2. they have the same apparent root cause;
  3. they collectively meet the criteria for classification as a major incident referred to in paragraph 1 hereof.

A financial institution shall assess whether there are recurring incidents on a monthly basis.

43. A financial institution shall assess an ICT incident by determining, for each individual criterion referred to in Section 42, paragraph 1 hereof, whether the relevant thresholds given in Annex 1 to this Decision are or will likely be reached before the incident is solved.

For the purpose of making the assessment referred to in paragraph 1 hereof, a financial institution shall determine the value of the indicators referred to in Section 42, paragraph 1 hereof.

Where a financial institution does not have actual data to support its judgment as to whether a threshold referred to in paragraph 1 hereof is or will likely be reached before the ICT incident is resolved, a financial institution should resort to estimations, particularly during the initial investigation phase.

A financial institution shall carry out the assessment referred to in paragraph 1 hereof on a continuous basis during the lifetime of the ICT incident, so as to identify any possible status change of the incident in terms of its significance.

A financial institution shall notify the National Bank of Serbia without delay of any reclassification of an ICT incident from major to non-major operational or security incident, in accordance with Section 47, paragraphs 7, 8 and 9 hereof.

44. In case of an incident that has seriously compromised or disrupted its operations and/or may potentially seriously compromise or disrupt its operations, a financial institution shall notify the National Bank of Serbia and/or submit an initial report on the ICT incident:

  1. promptly upon learning of the circumstances of occurrence of such incident – if such incident occurred because the functionality of information system resources was compromised;
  2. promptly upon learning of the incident – if such incident occurred because information system security was compromised;
  3. promptly upon learning of the circumstances of occurrence of the incident and/or upon learning of the incident – if such incident occurred at the service provider and has or might have had a material impact on the ICT system of the financial institution or the continuity of the services it provides.

A financial institution shall, upon request by the National Bank of Serbia, promptly submit to the National Bank of Serbia any additional documents complementing the information submitted in the initial, intermediate and final report, and clarifications regarding already submitted documentation.

A financial institution shall specify all additional information contained in the documents referred to in paragraph 2 hereof submitted to the National Bank of Serbia, either on the initiative of the financial institution or upon the request of the National Bank of Serbia.

A financial institution shall at all times preserve the confidentiality and integrity of the information exchanged with the National Bank of Serbia and confirm its proper authentication towards the National Bank of Serbia.

On its website, the National Bank of Serbia shall publish electronic templates (initial, intermediate and final report) and instructions on how to complete the templates.
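The classification rules of Sections 41 to 43 above, worked through in code as an added example (it is not part of the Decision and not NBS tooling). It assumes that each Section 42 criterion has already been assessed against the Annex 1 thresholds, which are not reproduced on this page, and recorded as NONE, LOWER or HIGHER; the criterion names, the 182-day reading of "six months" and the highest-level rule used for the collective assessment of recurring incidents are this example's own assumptions.

```python
"""Major ICT incident classification per Sections 41 to 43 of the Decision.

Added example, not part of the Decision or of any NBS tooling. Each
Section 42 criterion is assumed to have been compared against the
Annex 1 thresholds (not reproduced here) and stored as a Level.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Level(Enum):
    NONE = 0
    LOWER = 1
    HIGHER = 2


# The eight criteria of Section 42, paragraph 1 (shorthand names, assumed).
CRITERIA = (
    "transactions_affected", "clients_affected", "security_breach",
    "service_downtime", "economic_impact", "internal_escalation",
    "other_institutions_affected", "reputational_impact",
)


@dataclass
class Incident:
    incident_id: str
    detected: date
    root_cause: str
    levels: dict  # criterion name -> Level; a missing criterion counts as NONE


def is_major(levels):
    """Section 41, paragraph 1: major if one or more criteria are at the
    higher impact level, or three or more at the lower impact level."""
    higher = sum(1 for c in CRITERIA if levels.get(c, Level.NONE) is Level.HIGHER)
    lower = sum(1 for c in CRITERIA if levels.get(c, Level.NONE) is Level.LOWER)
    return higher >= 1 or lower >= 3


def combined_levels(incidents):
    """Collective assessment of a group of incidents. Assumption of this
    example: a criterion's collective level is the highest level any member
    reached. A real assessment would re-apply the Annex 1 thresholds to the
    aggregated indicator values (e.g. total clients affected by the group)."""
    combined = {}
    for inc in incidents:
        for c in CRITERIA:
            lvl = inc.levels.get(c, Level.NONE)
            if lvl.value > combined.get(c, Level.NONE).value:
                combined[c] = lvl
    return combined


def recurring_major_groups(incidents, as_of):
    """Section 42, last paragraph: individually non-major incidents with the
    same apparent root cause that occurred at least twice in six months and
    collectively meet the major criteria form a single major incident.
    Six months is taken as 182 days (assumption). Returns one
    (root_cause, [incident ids]) tuple per such group as of the monthly check."""
    window_start = as_of - timedelta(days=182)
    by_cause = defaultdict(list)
    for inc in incidents:
        if is_major(inc.levels):
            continue  # major on its own, reported individually
        if window_start <= inc.detected <= as_of:
            by_cause[inc.root_cause].append(inc)
    groups = []
    for cause, group in by_cause.items():
        if len(group) >= 2 and is_major(combined_levels(group)):
            groups.append((cause, [i.incident_id for i in group]))
    return groups


# Constructed sample: three outages sharing a root cause, none major alone,
# plus one security incident that is major by itself.
SAMPLE = [
    Incident("INC-1", date(2025, 1, 10), "core-db-failover",
             {"service_downtime": Level.LOWER, "clients_affected": Level.LOWER}),
    Incident("INC-2", date(2025, 3, 2), "core-db-failover",
             {"service_downtime": Level.LOWER, "economic_impact": Level.LOWER}),
    Incident("INC-3", date(2025, 5, 20), "core-db-failover",
             {"transactions_affected": Level.LOWER}),
    Incident("INC-4", date(2025, 5, 21), "phishing-kit",
             {"security_breach": Level.HIGHER}),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, "major" if is_major(inc.levels) else "non-major")
    # Monthly check on 1 June 2025: the three failovers together reach four
    # lower-level criteria and therefore count as one major incident.
    print(recurring_major_groups(SAMPLE, date(2025, 6, 1)))
```

Run the monthly check with a later date (e.g. 1 September 2025) and the older failovers fall outside the six-month window, so no group remains.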
45. A financial institution shall submit an initial report on an ICT incident to the National Bank of Serbia in accordance with Section 44, paragraph 1 hereof immediately after a non-major incident has been reclassified as a major ICT incident.

The initial report referred to in paragraph 1 hereof shall contain the registration number of the financial institution, name of the financial institution, contact person details (name, surname, telephone and email address), date of detecting the ICT incident, information on whether the incident is ongoing, consequences caused by the incident and other information available to the financial institution in relation to the ICT incident.

If a financial institution does not have all relevant data about the incident at the time of creating the initial report referred to in paragraph 1 hereof, it may use data based on estimations.

If a financial institution needs more time from the time of its detection until the time of notifying the National Bank of Serbia to classify an incident, it shall explain the reasons for this in the initial report referred to in paragraph 1 hereof.

Notwithstanding paragraph 1 hereof, if a financial institution is not able to send the initial report within the envisaged deadline because the reporting channels are not available or operational, it shall send the initial report as soon as the channels become available and/or operational again, without delay, and notify the National Bank of Serbia of a major incident using available means of communication.

46. After the notification referred to in Section 45 hereof, a financial institution shall notify the National Bank of Serbia on a continuous basis of important events and other relevant information relating to the incident (incident status – intermediate report) and on the activities taken to resolve the incident and its consequences. This notification shall also contain a detailed description of the incident, information on the estimated number of users affected, an estimate of the time needed to resolve the incident, potential impact on other financial institutions, as well as important events and other relevant information since the incident occurred (e.g. information on whether the incident has escalated, whether new causes have been detected and on the efficiency of the activities taken).

A financial institution shall submit an intermediate report on an ICT incident to the National Bank of Serbia:
  1. as soon as regular activities have been recovered and business is back to normal;
  2. within no more than three working days from the day of submission of the initial report, where regular business of the financial institution has not been restored during this period.

A financial institution shall update the information from the initial and intermediate reports and submit it to the National Bank of Serbia without delay:

  1. when it becomes aware of significant changes relating to the ICT incident since the submission of the previous reports to the National Bank of Serbia, including new causes identified or actions taken to fix the problem;
  2. when the ICT incident has not been resolved within three working days from its detection;
  3. upon request of the National Bank of Serbia.

If a financial institution does not have all relevant data on an ICT incident at the time of creating and/or updating the reports referred to in paragraphs 2 and 3 hereof, it may use data based on estimations.

Should a financial institution's business be back to normal before four hours have passed since the ICT incident was classified as major, the financial institution shall simultaneously submit both the initial and the intermediate report within the same deadline where possible.
47. A financial institution shall submit a final report on a major ICT incident to the National Bank of Serbia within 15 days after the incident ended and/or after it is estimated that regular business of the financial institution and stable operation of the information system have been restored, and after the root cause analysis has taken place, regardless of whether risk and consequence mitigation measures have already been implemented and the final root cause has been entirely identified, as well as when there are actual figures available to replace any potential estimates referred to in Section 45, paragraph 3 and Section 46, paragraph 5 hereof.

The final report shall contain final information on the incident – date when the incident started and ended, duration of the incident, type of incident (inaccessibility of hardware components, problems in the operation of software components or security incident), description of the incident, incident causes and consequences, activities taken by the financial institution during the incident, plan of preventative activities to preclude recurrence of the same incident, number of users affected, financial costs incurred in connection with the incident, impact on other financial institutions and other relevant information as needed.

Notwithstanding paragraph 1 hereof, a financial institution needing an extension of the deadline for the submission of the final report shall, before the deadline has elapsed, request an extension of the submission of the final report and provide a detailed justification for the delay and a new date for the final report.

A financial institution shall compile the final report referred to in paragraph 1 hereof based on the actual data and update the previously submitted information based on such data.

Should a financial institution be able to provide to the National Bank of Serbia all information required in the final report within the four-hour window since the incident was classified as major, the financial institution shall submit the initial, intermediate and final reports together.

A financial institution shall also submit a final report on an ICT incident when, as a result of the continuous assessment of the incident referred to in Section 43, paragraph 4 hereof, it identifies that an incident already reported to the National Bank of Serbia no longer fulfils the criteria to be classified as major and is not expected to fulfil them before the incident is resolved.

In the case referred to in paragraph 7 hereof, a financial institution shall submit the final report as soon as the incident is reclassified, within the deadline for the submission of the next report.

48. A financial institution shall notify the National Bank of Serbia of serious cyber threats if it deems such threats relevant for the financial institution, service users or clients. The National Bank of Serbia may submit such information to other relevant bodies.

49. As soon as it becomes aware of a major ICT incident affecting the financial interests of clients, a financial institution shall inform its clients without delay of such incident and of the measures taken to mitigate its negative impact.

VIII. ICT SYSTEM DEVELOPMENT AND MAINTENANCE

50. A financial institution shall establish the ICT system development process in line with relevant changes in the institution and in the environment, in order to ensure continuous adequacy of the system.

51. A financial institution shall implement the ICT system development process in line with the adopted ICT system development strategy and the project management methodology, taking into account functional and security requirements.

When developing the ICT system in-house, a financial institution shall establish and document the development process, which shall cover the analysis and design, programming, testing and migrating into production use.

In accordance with the complexity of the ICT system, a financial institution shall appropriately separate the production environment from other non-production environments (e.g. development, testing, staging, etc.).

52. A financial institution shall establish the process of hardware and software asset management in all phases of their life cycle – from the point of procurement or development until the withdrawal from use.

A financial institution shall ensure that hardware and software asset management includes, inter alia, the maintenance of detailed and up-to-date records of these assets, the appointment of a person and/or persons employed in that institution who shall be responsible for the management and protection of such assets, as well as the definition of rules for their acceptable use and secure disposal upon the withdrawal from use.

53. A financial institution shall ensure adequate maintenance of hardware and software assets of the ICT system in line with the manufacturer's recommendations, keep records of such maintenance, and ensure that the system's security or functionality are not thereby compromised.

A financial institution shall implement ICT system performance and capacity planning and monitoring processes to prevent, detect and respond to important performance issues of the ICT system and ICT capacity shortages in a timely manner.

54. A financial institution shall establish the change management process for hardware and software assets of the ICT system, so as to avoid unexpected and undesired behaviour of the system and/or to avoid compromising the system's security or functionality.

The change management for software assets of the ICT system shall in particular include the following procedures:

  1. identification of initial versions of these assets;
  2. initiation, analysis and approval of change requests;
  3. chronological documentation of all changes in these assets and database architecture together with the time when the changes occurred;
  4. informing ICT system users of the details of implemented changes.

A financial institution shall ensure that all changes in hardware and software assets, including new assets and systems, are tested and approved before becoming operational, and shall also define the plan for restoring the system to the previous state.

In a general internal act, a financial institution shall regulate the process for managing urgent changes in hardware and software assets of the ICT system.

55. A financial institution planning data migration into a new core business application or other data centre, and/or which changes the location of the data centre, shall inform the National Bank of Serbia thereof at least 30 days before the planned start of the testing related to that migration.

The notification referred to in paragraph 1 hereof shall contain in particular:

  1. detailed descriptions of systems among which data are being transferred;
  2. plan, dynamics and description of the activities regarding data migration, including the testing methodology;
  3. results of risk assessment and the description of controls to be applied during data migration, with the aim to preserve the confidentiality, integrity and availability of data;
  4. plan for restoring the system to the state prior to data migration, which includes the dynamics of such restoration and description of activities, as well as the criteria for making the decision to implement this plan.

Notwithstanding paragraph 1 hereof, a financial institution that plans data migration due to a status change in regard to which it is required to obtain prior consent and/or licence of the National Bank of Serbia shall also submit to the National Bank of Serbia, simultaneously with the request for obtaining this consent and/or licence, the notification with the data referred to in paragraph 2 hereof, and the bank shall also submit a request for enabling the functioning of an interim account of the legal successor (hereinafter: request for an interim account), which must be signed by the legal representative of the legal successor – so that the National Bank of Serbia can act upon the request in the cases determined in this Section.

An interim account of a legal successor shall be an account of a bank which ceases to exist due to a status change, this account being opened at the National Bank of Serbia in accordance with the regulations and/or rules of operation of the payment system in which that bank participates, which is, due to the status change, taken over by the legal successor, for the purpose of its interim functioning within the deadline set by this Decision.

A financial institution which decides to implement the plan of restoration to the status prior to data migration shall promptly inform the National Bank of Serbia thereof.

If it decides to implement the plan of restoration to the status prior to data migration due to a status change, the bank shall notify the National Bank of Serbia thereof not later than the next business day after the day when it started data migration and not later than one hour prior to the start of the period set by the Daily Time Schedule of the NBS RTGS payment system (hereinafter: NBS RTGS system) for executing transfer orders in that system.

The National Bank of Serbia shall enable the functioning of the interim account referred to in paragraph 4 hereof in the event that a bank decides to implement the plan of restoration to the status prior to data migration.

Notwithstanding paragraph 7 hereof, if there are objective circumstances that may jeopardise the interests of clients of the bank implementing data migration due to status change, the National Bank of Serbia may, upon a reasoned request submitted by the bank along with the documentation referred to in paragraph 3 hereof, separately determine the deadline for the implementation of the data migration process and enable the functioning of the interim account within that deadline.

The financial institution shall implement data migration due to status change no later than ten business days after the day it started to implement the plan referred to in paragraph 5 hereof, and/or within the deadline determined by the National Bank of Serbia in accordance with paragraph 8 hereof.

An interim account of a legal successor referred to in this Section, as well as the actions of the National Bank of Serbia in accordance with the request for an interim account, shall be regulated in more detail by the Operating Rules of the NBS RTGS Payment System.

56. A financial institution shall ensure the drafting, keeping and regular maintenance of documentation relating to the ICT system so that the documentation is correct, complete and up-to-date at all times.

A financial institution shall provide all ICT system users with access to relevant documents in line with work requirements.

57. A financial institution shall ensure adequate and continuous professional development and training of employees to use the ICT system and preserve its security and functionality, as well as adopt, implement and regularly update the ICT system security awareness programme, in line with current trends.

A financial institution shall ensure that, in line with the programme referred to in paragraph 1 hereof, all employees and other persons engaged by the institution are trained periodically, and at least once a year, to perform their duties and responsibilities consistent with the security policies to reduce operational and security risks of the ICT system.

IX. ELECTRONIC SERVICES

58. Electronic services are the services provided by insurance undertakings, voluntary pension fund management companies and financial lessors to users from a remote location via the internet (hereinafter: electronic service provider).

As an integral part of ICT system risk management, an electronic service provider shall establish the process of managing the risks arising from the provision of electronic services.

59. In providing electronic services, an electronic service provider shall apply secure and efficient methods for the verification and confirmation of the identity and authorisations of persons, processes and systems.

An electronic service provider shall ensure that user authentication is enabled during the use of these services, and that it consists of the combination of at least two mutually-independent elements for user identity confirmation.

60. An electronic service provider shall adopt and implement rules that shall accordingly, in line with the market practice and risk assessment, limit the number of attempts to log into the electronic services system, i.e. the number of authentication attempts, set the longest user idle time upon logging into the system, and define the validity period of authentication parameters.

When using one-time passwords for authentication (e.g. One Time Password – OTP), an electronic service provider shall ensure that the validity time of that password is restricted to the time required to perform authentication.

An electronic service provider shall set the maximum number of unsuccessful attempts to log into the electronic services system, after which that system will be permanently or temporarily blocked, and shall also set the procedures for safe re-activation of this system.

An electronic service provider shall set the longest possible user idle time on the electronic services system after logging into the system, upon which the user will be automatically logged out of the system (the so-called session timeout).

An electronic service provider shall make sure that appropriate confirmation of its identity is available on the electronic services distribution channel so that users can verify the authenticity of the electronic service provider.

An electronic service provider shall make sure that operational and system logs are available so as to ensure, to the extent applicable, the non-repudiation and accountability of actions relating to the provision of electronic services.

X. TRANSITIONAL AND FINAL PROVISIONS

61. Payment service providers shall harmonise their internal acts with the provisions of this Decision by no later than a month before the start of its application and shall submit to the National Bank of Serbia within that deadline a notification thereon and the relevant harmonised internal acts.

62. This Decision shall not apply to a bank merging with another bank, if the acquiring bank filed to the National Bank of Serbia a duly completed application for consent to the merger by acquisition at the latest by the start of application of this Decision and the planned date of registration of status change is no later than 31 December 2026.

A bank which submitted to the National Bank of Serbia before the start of application of this Decision the notification and the decision of the bank’s managing body on the planned data migration to a new core business application within the meaning of the decision governing minimum standards of information system management for financial institutions shall be subject to the provisions of this Decision as of 30 June 2026.

63. The notification procedures initiated before the start of application of this Decision will be completed in line with the provisions of the Decision on Minimum Information System Management Standards for Financial Institutions (RS Official Gazette, Nos 23/2013, 113/2013, 2/2017, 88/2019, 37/2021 and 100/2023 – other decision).

64. This Decision repeals the Decision on Minimum Information System Management Standards for Financial Institutions (RS Official Gazette, Nos 23/2013, 113/2013, 2/2017, 88/2019, 37/2021 and 100/2023 – other decision).

65. This Decision shall enter into force on the eighth day following its publication in the RS Official Gazette and shall apply as of 1 January 2026.

NBS EB No 85
20 December 2024
Belgrade

Chairperson of the Executive Board of the National Bank of Serbia
Governor of the National Bank of Serbia
Dr Jorgovanka Tabaković