DORA: ICT Risk Management
ICT Risk Management [Art 5-16]
Rule: Financial entities must establish and maintain a comprehensive ICT risk management framework with defined governance, policies, procedures, and controls.
Management Body Responsibility [Art 5]
The management body must:
| Duty | Description |
|---|---|
| Bear ultimate responsibility | Accountable for ICT risk management |
| Define and approve | ICT risk management framework, strategy, tolerance levels |
| Approve and review | Digital operational resilience strategy annually |
| Allocate budget | Ensure adequate ICT investment |
| Approve policies | ICT security, business continuity, disaster recovery |
| Stay informed | On ICT risk exposure and major incidents |
| Undergo training | Keep knowledge current on ICT risks |
ICT Risk Management Framework [Art 6]
Must include:
| Component | Requirement |
|---|---|
| Strategies | ICT risk management strategy |
| Policies | Comprehensive ICT policies |
| Procedures | Protocols for identification, protection, detection, response, recovery |
| ICT systems | All ICT systems documented and classified |
| Risk identification | Ongoing identification of ICT risk sources |
| Risk assessment | Assessment of impacts and likelihood |
| Continuous improvement | Annual review and improvement cycle |
Protection and Prevention [Art 9]
Must implement:
| Control Area | Measures |
|---|---|
| Security policies | Documented information security policy |
| Identity management | Strong authentication, access control |
| Physical security | Premises protection for ICT assets |
| Network security | Perimeter protection, encryption, segmentation |
| Encryption | For data at rest and in transit |
| Vulnerability management | Patch management, vulnerability scanning |
| Malware protection | Anti-malware, endpoint protection |
| ICT change management | Controlled changes, testing before deployment |
Detection [Art 10]
Must have mechanisms to:
- Detect anomalous activities
- Identify single points of failure
- Monitor ICT systems continuously
- Devote sufficient resources and capabilities to analyse anomalies and incidents
- Report to management body promptly
Response and Recovery [Art 11-12]
ICT Response:
- Documented incident response procedures
- Roles and responsibilities defined
- Communication protocols (internal and external)
- Root cause analysis for major incidents
ICT Recovery:
- Recovery time objectives (RTOs) for critical functions
- Recovery point objectives (RPOs) for critical data
- Business continuity plans
- Regular testing of recovery capabilities
Business Continuity Policy [Art 11(1)]
Must cover:
| Element | Requirement |
|---|---|
| Scope | All critical/important functions |
| Business impact analysis | Exposure to disruptions assessed |
| Recovery objectives | RTOs and RPOs defined |
| Communication | Crisis communication plan |
| Testing | Regular testing requirements |
| Review | Annual review and update |
Backup and Restoration [Art 12]
| Requirement | Detail |
|---|---|
| Backup policies | Scope, frequency, media, retention |
| Restoration procedures | Documented, tested |
| Redundancy | ICT capacity sufficient for continuity |
| Segregation | Backup systems appropriately separated |
| Regular testing | Verify backup integrity and restoration |
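As an added example (not part of the DORA text or of any supervisory guidance), the following Python script shows what a periodic check behind the "Recovery objectives", "Restoration procedures" and "Regular testing" rows can look like in practice: it recomputes each stored backup's digest against the digest recorded in its manifest, picks the newest intact backup per system, compares its age with that system's RPO, and runs a timed restore exercise against the RTO. The system names, objectives, payloads, manifests and the reference time are all constructed for the example.

```python
"""Added example: backup integrity, RPO and restore-test checks over constructed data."""
import hashlib
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupArtifact:
    system: str            # hypothetical ICT system identifier (constructed)
    taken_at: datetime     # when the backup completed (UTC)
    payload: bytes         # backup content, embedded inline for this example
    manifest_sha256: str   # digest recorded in the backup manifest when the backup was made


@dataclass(frozen=True)
class RecoveryObjective:
    system: str
    rpo: timedelta         # maximum tolerable data loss: age of the newest usable backup
    rto: timedelta         # maximum tolerable time to restore the system


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(artifact: BackupArtifact) -> bool:
    """Recompute the digest of what is actually stored and compare with the manifest."""
    return sha256_hex(artifact.payload) == artifact.manifest_sha256


def check_backup_set(artifacts, objectives, now):
    """One finding per system: missing, corrupt, rpo_missed or ok, plus the backup age."""
    findings = {}
    for obj in objectives:
        own = [a for a in artifacts if a.system == obj.system]
        intact = [a for a in own if integrity_ok(a)]
        if not own:
            findings[obj.system] = {"status": "missing", "integrity": False, "rpo_met": False, "age": None}
            continue
        if not intact:  # backups exist but none verifies; a restore would fail or restore bad data
            findings[obj.system] = {"status": "corrupt", "integrity": False, "rpo_met": False, "age": None}
            continue
        newest = max(intact, key=lambda a: a.taken_at)
        age = now - newest.taken_at
        rpo_met = age <= obj.rpo
        findings[obj.system] = {"status": "ok" if rpo_met else "rpo_missed",
                                "integrity": True, "rpo_met": rpo_met, "age": age}
    return findings


def restore_test(artifact, objective, restore):
    """Restoration exercise: run the restore, verify the result, and time it against the RTO."""
    start = time.perf_counter()
    restored = restore(artifact.payload)
    elapsed = timedelta(seconds=time.perf_counter() - start)
    return sha256_hex(restored) == artifact.manifest_sha256 and elapsed <= objective.rto


# Constructed reference time so the report is reproducible.
FIXED_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def sample_backup_set(now):
    """Constructed manifests and objectives; none of these are real systems or real data."""
    ledger = b"ledger-snapshot: 1000 accounts, 52000 postings"
    gateway = b"gateway-config-and-queue-state"
    portal_original = b"portal-db-dump"
    objectives = [
        RecoveryObjective("core-banking", rpo=timedelta(hours=4), rto=timedelta(hours=2)),
        RecoveryObjective("payments-gateway", rpo=timedelta(hours=24), rto=timedelta(hours=4)),
        RecoveryObjective("customer-portal", rpo=timedelta(hours=24), rto=timedelta(hours=8)),
        RecoveryObjective("treasury", rpo=timedelta(hours=12), rto=timedelta(hours=4)),
    ]
    artifacts = [
        BackupArtifact("core-banking", now - timedelta(hours=2), ledger, sha256_hex(ledger)),
        BackupArtifact("core-banking", now - timedelta(hours=26), ledger, sha256_hex(ledger)),
        BackupArtifact("payments-gateway", now - timedelta(hours=26), gateway, sha256_hex(gateway)),
        # Manifest digest was taken on the original dump; the stored bytes no longer match it.
        BackupArtifact("customer-portal", now - timedelta(hours=3),
                       b"portal-db-dump-CORRUPTED", sha256_hex(portal_original)),
    ]
    return artifacts, objectives


def audit(now=FIXED_NOW):
    artifacts, objectives = sample_backup_set(now)
    return check_backup_set(artifacts, objectives, now)


def restore_exercise(now=FIXED_NOW):
    """Run the restore test on the newest intact backup of every system that has one."""
    artifacts, objectives = sample_backup_set(now)
    results = {}
    for obj in objectives:
        intact = [a for a in artifacts if a.system == obj.system and integrity_ok(a)]
        if intact:
            newest = max(intact, key=lambda a: a.taken_at)
            # Stand-in restore routine: a real one would pull from the segregated backup system.
            results[obj.system] = restore_test(newest, obj, lambda payload: bytes(payload))
    return results


if __name__ == "__main__":
    for system, f in audit().items():
        print(f"{system:18} {f['status']:11} integrity={f['integrity']} rpo_met={f['rpo_met']} age={f['age']}")
    print("restore exercise:", restore_exercise())
```

The point of separating `integrity_ok` from the RPO check is that a recent but unverifiable backup must not count towards the RPO: the newest backup that actually verifies is the one whose age matters, which is why the corrupted customer-portal backup is reported as `corrupt` rather than as meeting a 24-hour RPO.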
Learning and Evolving [Art 13]
Must:
- Gather intelligence from ICT incidents (own and industry)
- Conduct post-incident reviews
- Integrate lessons into risk framework
- Monitor cyber threats
- Update training based on evolving threats
Communication [Art 14]
| Aspect | Requirement |
|---|---|
| Internal | Policies for staff communication during incidents |
| External | Protocols for authorities, clients, public |
| Responsible disclosure | Coordinate disclosure of vulnerabilities |
Simplified Framework for Some Entities [Art 16]
Available to:
- Small non-interconnected investment firms
- Payment/e-money institutions exempted under PSD2/EMD2
- Small institutions for occupational retirement provision
- Certain microenterprises
Simplified requirements:
- Less prescriptive governance
- Proportionate documentation
- ICT risks must still be identified, managed and documented appropriately
Documentation Requirements
| Document | Purpose |
|---|---|
| ICT risk management framework | Overall framework description |
| ICT strategy | Strategic direction for ICT risk |
| Information security policy | Security standards and controls |
| Business continuity plan | Response to disruptions |
| Disaster recovery plan | Technical recovery procedures |
| ICT asset register | Inventory of ICT assets |
| Risk register | Identified risks and mitigations |
| Third-party register | ICT third-party contracts |