1. Competent authorities shall ensure that institutions implement policies and processes to evaluate and manage exposures to operational risk, including risks arising from outsourcing arrangements and direct and indirect crypto-asset exposures and exposures to crypto-asset service providers, and to cover low-frequency high-severity events. Institutions shall articulate what constitutes operational risk for the purposes of those policies and procedures.
2. Competent authorities shall ensure that institutions have adequate contingency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technology they use for the communication of information, and that those plans are established, managed and tested in accordance with Article 11 of Regulation (EU) 2022/2554, in order to allow institutions to keep operating in the event of severe business disruption and limit losses incurred as a consequence of such dis
…