DORA ICT Risk Management Framework

DORA's ICT risk management framework establishes requirements for EU financial entities to manage ICT risks, report incidents, test resilience, and manage third-party ICT risks. It is supported by extensive Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Issuing Body: European Banking Authority (EBA) / ESMA / EIOPA
Version: 2025
Published: 2025-01-17
Controls: 17
Mapped Laws: 2
Controls (Control ID / Title / Domain / Maturity)

Control ID: DORA-Art.5
Title: ICT Risk Management Framework
Maturity: managed
Financial entities shall have in place a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system. The framework shall enable financial entities to address ICT risk quickly, efficiently and comprehensively.

Control ID: DORA-Art.6
Title: ICT Risk Management Systems
Maturity: managed
Financial entities shall use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude of operations supporting the conduct of their activities. ICT systems shall be capable of reliably supporting the performance of activities and the provision of services.

Control ID: DORA-Art.7
Title: ICT Systems Identification and Classification
Maturity: managed
Financial entities shall identify, classify and document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.

Control ID: DORA-Art.8
Title: Protection and Prevention
Maturity: managed
Financial entities shall have in place appropriate ICT security policies, procedures, protocols and tools. These shall aim to ensure the resilience, continuity and availability of ICT systems, in particular those supporting critical or important functions.

Control ID: DORA-Art.9
Title: Detection
Maturity: managed
Financial entities shall put in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.

Control ID: DORA-Art.10
Title: Response and Recovery
Maturity: managed
Financial entities shall have in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.

Control ID: DORA-Art.11
Title: Backup Policies and Recovery
Maturity: managed
For the purposes of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, as part of their overall business continuity policy, financial entities shall develop and document backup policies and procedures.

Control ID: DORA-Art.12
Title: Learning and Evolving
Maturity: managed
Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats and on ICT-related incidents, in particular cyber-attacks, and to analyse the impact they are likely to have on their digital operational resilience.

Control ID: DORA-Art.13
Title: Communication
Maturity: managed
Financial entities shall have in place ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. ICT security awareness programmes shall be addressed to all staff and to senior management staff.

Control ID: DORA-Art.17
Title: ICT-Related Incident Management
Maturity: managed
Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Financial entities shall record all ICT-related incidents and significant cyber threats.

Control ID: DORA-Art.18
Title: Classification of ICT-Related Incidents
Maturity: managed
Financial entities shall classify ICT-related incidents and determine their impact based on criteria such as the number of clients or financial counterparts affected, the duration of the ICT-related incident, the geographical spread, and the data losses entailed.

Control ID: DORA-Art.19
Title: Reporting of Major ICT-Related Incidents
Maturity: managed
Financial entities shall report major ICT-related incidents to the relevant competent authority. Financial entities shall submit an initial notification, an intermediate report and a final report.

Control ID: DORA-Art.24
Title: General Requirements for Digital Operational Resilience Testing
Maturity: managed
Financial entities shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework.

Control ID: DORA-Art.25
Title: Testing of ICT Tools and Systems
Maturity: managed
The testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with Articles 26 and 27. The testing programme shall include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, and penetration tests.

Control ID: DORA-Art.26
Title: Advanced Testing of ICT Tools and Systems
Maturity: managed
Financial entities identified as significant shall carry out, at least every 3 years, advanced testing by means of threat-led penetration testing (TLPT). That obligation shall apply to all relevant production ICT systems and applications supporting critical or important functions.

Control ID: DORA-Art.28
Title: General Principles for Sound Management of ICT Third-Party Risk
Maturity: managed
Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. Financial entities shall maintain and update a register of information in relation to all contractual arrangements on the use of ICT services.

Control ID: DORA-Art.30
Title: Key Contractual Provisions
Maturity: managed
The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. Contracts shall include, at a minimum: a clear and complete description of all functions and ICT services to be provided; the locations where the functions and ICT services are to be provided; and provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data.