Guidelines on Information Technology Management for Supervised Financial Market Entities

The Central Bank of the Republic of Azerbaijan issued these Guidelines to standardize information technology management across banks, insurers, payment institutions, and other supervised financial market entities. Supervised organizations must establish dedicated IT functions or utilize third-party providers, appoint qualified leadership such as a Chief Information Officer, and implement core operational processes aligned with the COBIT 2019 standard. The framework mandates a formalized IT strategy, continuous monitoring of system resilience and performance, and structured internal reporting to ensure technological investments directly support business objectives and financial sector stability.

Approved by the decision of the Management Board of the Central Bank of the Republic of Azerbaijan dated 28 October 2025, Protocol № 37

Guidelines on the management of information technologies in supervised entities in financial markets

1. General provisions

1.1. These Guidelines have been developed in accordance with the COBIT 2019 (Control Objectives for Information and Related Technologies) Standard prepared by ISACA (Information Systems Audit and Control Association), an international professional information technology (hereinafter – IT) association, and with advanced international practices on information technology management (hereinafter – ITM).

1.2. The main purpose of these Guidelines is to establish and enhance ITM in accordance with international standards in banks, non-bank credit institutions (excluding credit unions), insurers, licensed entities in the securities market, joint-stock investment funds and investment fund managers, the national postal operator, payment institutions, electronic money institutions, payment system operators, credit bureaus, and the central depository (hereinafter – supervised entities), in order to support the efficient functioning and stability of the financial sector.

2. Main definitions

2.1. The definitions used for the purposes of these Guidelines bear the following meanings:
2.1.1. IT function – structural units responsible for carrying out and managing the supervised entity’s IT-related activities.
2.1.2. IT Resources – technological tools and components used to support operations of the supervised entity and achieve its business objectives.
2.1.3. IT Processes – a set of standardized activities that ensure the management and organization of IT-related functions in the supervised entity.
2.1.4. ITM – the management of the organizational structure, resources, and processes related to IT in a manner aligned with the supervised entity’s objectives and needs.

2.2. Other definitions used in these Guidelines bear the meanings defined in normative legal acts and in regulations of the Central Bank of the Republic of Azerbaijan (hereinafter – the Central Bank).

3. IT functions and management in a supervised entity

3.1. Depending on its strategy, market share, management structure, objectives, and services provided, a supervised entity may establish its IT function either independently from other business functions or by using third-party services.

3.2. A responsible officer is appointed to oversee the IT function supported by third parties. This person should have expertise in the implementation of technological and digital solutions.

3.3. The primary objective of ITM is to support the achievement of the business’s strategic goals by ensuring the proper use of IT resources in the supervised entity and to:
3.3.1. ensure that IT processes are effectively established and managed in compliance with legislation, including regulations of the Central Bank, international standards, and best practices.
3.3.2. implement necessary processes and solutions to ensure IT continuity.
3.3.3. develop rules and processes for measuring the efficiency of investments and costs in IT resources.
3.3.4. ensure proper assignment of decision-making authorities in IT processes.
3.3.5. conduct analysis and improvements using various automation systems and tools to assess the maturity level of IT processes.

3.4. To ensure effective implementation of ITM, the IT function may be controlled and managed by the following persons:
3.4.1. A member of the executive body with IT expertise who oversees (curates) the IT function (if the executive body is collegial).
3.4.2. A Chief Information Officer (if any in the supervised entity), with in-depth knowledge of the application of technological and digital solutions, the development and management of digital products, with at least five (5) years of practical experience in the field and at least three (3) years of managerial experience.

3.5. Heads of the IT function of the supervised entity, together with the executive body member referred to in sub-item 3.4.1 and the Chief Information Officer referred to in sub-item 3.4.2, constitute the IT management team of the entity.

3.6. Depending on its strategy, market share, management structure, objectives, and services, a supervised entity may establish a collegial IT body or another authorized decision-making body for collective decision-making, which may include IT function leaders, IT specialists, heads of other structural units, and/or other staff. Other members of the executive body (if collegial) may also be part of the IT collegial body. The chair of the IT collegial body may be elected from among the members of the IT management. Authorized staff from risk management, information security, finance, and other relevant departments may also be included in the IT collegial body.

3.7. The IT collegial body implements measures to ensure that IT is maintained at a high technological standard, including the execution of IT strategy, IT funding, resource allocation, and planning.

3.8. The IT collegial body:
3.8.1. oversees the execution of tasks derived from the IT strategy.
3.8.2. submits proposals to the executive body and the Supervisory Board (Board of Directors) (if any).
3.8.3. monitors the execution of the IT budget.
3.8.4. submits proposals regarding IT procurement.
3.8.5. monitors the IT change management process.
3.8.6. oversees the resilience of information systems.
3.8.7. supports research and development activities in the IT field.
3.8.8. oversees IT infrastructure and technical-administrative operations.
3.8.9. oversees the resolution of IT incidents in IT processes and reviews and approves action plans to prevent recurrence.

3.9. The IT collegial body referred to in Item 3.6 may also address issues related to information and cybersecurity or, alternatively, a separate collegial body may be established specifically for information and cybersecurity matters.

4. IT Strategy

4.1. The IT strategy is a component of the supervised entity’s overall strategy that defines the key directions of its IT activities. The IT strategy systematically addresses the support of technology for business, required technological capabilities, resource allocation, and the development directions of the IT domain in the supervised entity.

4.2. The primary objective of the IT strategy is to serve as a roadmap shaping the future development of IT in the supervised entity, directing technology to generate maximum value for the entity, and integrating it as an essential element in strategic management decisions.

4.3. The development of the IT strategy involves the following key stages:
4.3.1. Analysis of the supervised entity’s overall business strategy.
4.3.2. Assessment of existing technological capabilities and infrastructure.
4.3.3. Forward-looking and competitive planning of the entity’s technologies and technological architecture.
4.3.4. Consultations with stakeholders and collection of proposals.
4.3.5. Identification of digital development directions.
4.3.6. Consideration of information and system security.
4.3.7. Preparation of the implementation plan, prioritization of initiatives, development of financing mechanisms, risk management, and performance indicators.

4.4. Regular communication of the IT strategy with IT personnel is ensured, and the status of its implementation is monitored.

4.5. Depending on the supervised entity’s market share, management structure, objectives, and services, the IT strategy may be approved either as a separate document or as part of the overall strategy.

5. Minimal core ITM processes

5.1. As part of the ITM and based on the COBIT 2019 standard, supervised entities implement the following minimal core processes:
5.1.1. Risk management.
5.1.2. Availability and performance management.
5.1.3. IT change management.
5.1.4. IT change acceptance and transition management.
5.1.5. Asset management.
5.1.6. Continuity management.
5.1.7. Monitoring of performance and compliance.
5.1.8. Management of the internal control system.
5.1.9. Supplier management.

5.2. In addition to the processes listed in Item 5.1, supervised entities may assess and enhance other processes based on the COBIT 2019 standard, in accordance with their strategy, market share, operational characteristics, and regulatory requirements.

6. ITM monitoring, assessment and reporting

6.1. Based on the minimal core processes defined in Item 5.1, supervised entities monitor and assess ITM and establish an appropriate internal reporting system.

6.2. To ensure technological availability, monitor its status, adequately assess the impact of system outages, and implement corrective measures, supervised entities are advised to establish relevant processes and ensure internal accountability.

Taleh Kazimov
Governor
The Central Bank of the Republic of Azerbaijan