DORA Requirements: ICT Risk Management Framework

Updated 2026-03-12

ICT Risk Management Governance

Article 5 of DORA places ultimate responsibility for ICT risk management squarely on the management body of each financial entity. The management body must define, approve, oversee, and be accountable for the implementation and review of all arrangements related to the ICT risk management framework. This is not a delegable obligation — while day-to-day implementation may be assigned to a dedicated ICT risk management function, accountability remains at board level.

Specifically, Article 5(2) requires the management body to set clear roles and responsibilities for all ICT-related functions, including information security. The management body must define appropriate risk tolerance levels for ICT disruptions, approve and periodically review the entity's ICT business continuity policy and disaster recovery plans, and approve and review the entity's ICT audit plans and ICT internal audit methodology.

Article 6 mandates the establishment of a comprehensive ICT risk management framework that includes strategies, policies, procedures, ICT protocols, and tools necessary to protect all information assets and ICT assets. The framework must be documented, reviewed at least annually, and improved continuously based on lessons learned from implementation, incidents, and testing. Financial entities must implement the framework in accordance with the principle of proportionality set out in Article 4, but all entities — regardless of size — must have a documented framework in place.

Art. 5(1)-(4)
Art. 6(1)-(8)
Warning

Management body members may face personal liability for failures in ICT risk management governance. Article 5(4) requires members to actively maintain sufficient knowledge and skills on ICT risk, including through regular specific training.

Risk Identification

Article 8 establishes comprehensive requirements for identifying, classifying, and documenting ICT-supported business functions, roles, responsibilities, and all information and ICT assets supporting those functions. Financial entities must identify all sources of ICT risk, with particular attention to risks arising from inter-dependencies with other financial entities or ICT third-party service providers.

The identification process must include: mapping the entity's ICT-supported business functions, identifying and documenting all information assets and ICT assets (including remote sites, network resources, hardware, and software), identifying and documenting all processes that depend on ICT third-party service providers, identifying interconnections and interdependencies between different ICT-supported business functions and between internal ICT systems and those of third parties, and performing a business impact analysis based on severe business disruption scenarios.

Financial entities must conduct a risk assessment at least annually — or upon major changes to the network and information system infrastructure — and must maintain an up-to-date inventory of ICT assets. Article 8(4) requires entities to identify all ICT assets, including those at remote sites, and to map those considered critical for the performance of their business functions. The results feed directly into the protection, detection, and response measures required under Articles 9-13.

Art. 8(1)-(7)

Protection and Prevention

Article 9 requires financial entities to develop and document ICT security policies defining rules to protect the confidentiality, integrity, availability, and authenticity of data and information assets and ICT assets. These policies must be designed and implemented in accordance with the ICT risk management framework and address the risks identified under Article 8.

The protection measures mandated by DORA are extensive. Article 9(2) requires mechanisms to: promptly detect anomalous activities including ICT network performance issues and ICT-related incidents; identify all sources of ICT risk; implement logical and physical access control policies; establish strong authentication mechanisms; implement change management procedures with appropriate testing; implement patching and update policies; and deploy network security measures including network segmentation.

Article 9(3) mandates ICT solutions and processes to ensure data security including encryption of data at rest and in transit, and the use of cryptographic keys managed under a dedicated policy. Article 9(4) requires that financial entities implement policies and protocols for strong authentication mechanisms, including multi-factor authentication, that are proportionate to the classified risk levels of the ICT assets they protect. These requirements align closely with international standards but are now legally binding for all financial entities in scope.

Art. 9(1)-(4)
ISO 27001 A.8 (Access Control), A.10 (Cryptography), A.13 (Network Security)

DORA Art. 9 protection measures map to ISO 27001 Annex A controls for access control, cryptographic protections, and network security, but DORA makes these legally mandatory for all in-scope financial entities.

Detection

Article 10 requires financial entities to have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents. The detection capability must be designed to enable multiple layers of control, define alert thresholds and criteria to trigger ICT-related incident detection and response processes, and activate incident reporting procedures.

Financial entities must allocate sufficient resources and capabilities to monitor user activity, ICT operations, and ICT-related incidents. For the detection of anomalous activities, Article 10(2) requires entities to implement ICT solutions and processes capable of automated alerting. The monitoring of ICT systems must be continuous, and entities must retain logs for a duration sufficient to support post-incident forensic analysis and regulatory investigations.

Article 10(5) requires financial entities to test their detection mechanisms periodically, including through exercises and simulations. The testing of detection capabilities feeds into the broader digital operational resilience testing programme required under Chapter IV. Effective detection is the bridge between the preventive measures of Article 9 and the response and recovery obligations of Articles 11-12, forming a critical element of the continuous protection cycle mandated by DORA.

Art. 10(1)-(5)

Response and Recovery

Articles 11 and 12 establish the response and recovery requirements that financial entities must implement as part of their ICT risk management framework. Article 11 requires entities to put in place a comprehensive ICT business continuity policy, including ICT disaster recovery plans, ICT response and recovery procedures, and crisis communication arrangements.

The ICT business continuity policy must address: the identification of all ICT-supported critical or important functions and assets, the specification of recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical function, the establishment of backup policies and procedures, the switching mechanisms to backup ICT systems, and the plans for restoring ICT systems to full operational capacity. Article 11(4) requires entities to maintain redundant ICT capacities with sufficient resources and capabilities to ensure business needs are met.

Article 12 mandates that financial entities establish, maintain, and periodically test their ICT business continuity plans and ICT disaster recovery plans. Testing must be performed at least annually for ICT systems supporting critical or important functions. Where deficiencies are identified, entities must address them promptly. Financial entities must also consider scenarios of severe business disruptions, including cyber-attacks and switchovers between primary ICT infrastructure and redundant capacity.

Article 11(6) addresses crisis communication: financial entities must have communication plans for responsible disclosure of major ICT-related incidents to clients, counterparts, and the public as appropriate, with designated spokespersons and procedures for communicating with media, supervisory authorities, and internal staff.

Art. 11(1)-(10)
Art. 12(1)-(4)

Learning and Evolving

Article 13 closes the ICT risk management lifecycle with requirements for post-incident analysis, continuous improvement, and organisational learning. Financial entities must gather information on vulnerabilities, cyber threats, and ICT-related incidents — particularly the root causes and outcomes of major incidents — to feed into their risk assessments and improve their ICT risk management framework.

After each major ICT-related incident, financial entities must conduct a post-incident review to analyse the causes of disruption, identify improvements to the ICT business continuity policy or disaster recovery plans, and determine whether established procedures were followed and the actions taken were effective. The results of these reviews must be reported to the management body and used to enhance the entity's response procedures and detection capabilities.

Article 13(3) requires financial entities to monitor the effectiveness of their ICT risk management framework on a continuous basis, using indicators and metrics that include the frequency and severity of ICT-related incidents, the effectiveness of detection and response measures, the results of vulnerability assessments and penetration testing, and the outcomes of scenario-based testing. This data-driven approach to continuous improvement ensures that the ICT risk management framework remains responsive to the evolving threat landscape and the entity's changing risk profile.

Art. 13(1)-(3)

Simplified Framework for Microenterprises

Article 16 provides a simplified ICT risk management framework for microenterprises — entities with fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million. This simplified framework recognises that applying the full weight of Chapter II requirements to the smallest financial entities would be disproportionate.

Under the simplified framework, microenterprises are not required to: establish the full governance arrangements of Article 5(4) including the appointment of a dedicated ICT risk management function, perform formal business impact analyses, implement the full range of ICT security policies and procedures mandated under Article 9, or establish comprehensive ICT business continuity testing programmes. Instead, they must implement a framework commensurate with their size, risk profile, and the nature of their services.

Critically, the simplified framework is not a blanket exemption. Microenterprises remain fully subject to: ICT-related incident reporting under Chapter III, the obligation to maintain a register of information on ICT third-party arrangements under Article 28(3), and the requirement to implement basic ICT risk management measures sufficient to ensure the security and resilience of their ICT systems. National competent authorities retain supervisory authority to assess whether a microenterprise's simplified approach is adequate given its actual operations and risk exposure.

Art. 16(1)-(3)

Frequently Asked Questions

What is the ICT risk management framework under DORA?

The ICT risk management framework under DORA (Chapter II, Articles 5-16) is a comprehensive set of requirements covering governance, risk identification, protection and prevention, detection, response and recovery, and learning. It must be documented, reviewed at least annually, and include strategies, policies, procedures, ICT protocols, and tools to protect all information and ICT assets.

Who is responsible for ICT risk management under DORA?

Under Article 5, the management body of each financial entity bears ultimate, non-delegable responsibility for defining, approving, overseeing, and being accountable for ICT risk management. Board members must maintain sufficient knowledge of ICT risk, including through regular training, and may face personal liability for governance failures.

How often must risk assessments be updated under DORA?

Article 8 requires financial entities to conduct ICT risk assessments at least annually, and additionally upon major changes to the network and information system infrastructure, processes, or procedures. The ICT asset inventory must be kept continuously up to date.

What requirements are different for microenterprises under DORA?

Under Article 16, microenterprises (fewer than 10 employees, turnover/balance sheet under EUR 2M) may apply a simplified ICT risk management framework. They are exempt from full governance arrangements and comprehensive testing programmes. However, they must still report major incidents, maintain the ICT third-party register, and implement basic ICT risk management measures.

How does DORA governance compare to NIS2 Article 20?

Both DORA Article 5 and NIS2 Article 20 place responsibility on the management body and require cybersecurity training for board members. However, DORA is more prescriptive: it mandates specific governance elements such as approval of ICT audit plans, ICT business continuity policies, and ICT risk tolerance levels. For financial entities subject to both, DORA's governance requirements prevail as lex specialis.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.