DORA ICT Risk Management Framework

Chapter II of DORA (Regulation 2022/2554) — spanning Articles 5 through 16 — establishes the foundational ICT risk management obligations for financial entities operating in the European Union. This chapter is not advisory guidance; it is directly applicable law that took effect on 17 January 2025. Every credit institution, insurance undertaking, investment firm, payment institution, and other financial entity within scope must implement an ICT risk management framework that meets the requirements laid out across these twelve articles.

The structure of Chapter II follows a deliberate logic. Article 5 sets the governance mandate, requiring the management body to take ultimate responsibility. Article 6 then prescribes the overall framework architecture. Articles 7 through 14 walk through the lifecycle phases — from asset identification and protection through detection, response, recovery, and communication. Article 15 mandates continuous learning and evolution, while Article 16 provides a proportionate, simplified framework for smaller entities.

Understanding this chapter is essential because it represents the floor, not the ceiling, of what regulators expect. The European Supervisory Authorities (ESAs) — EBA, EIOPA, and ESMA — have issued Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that further specify many of these requirements. Financial entities should treat Chapter II as the structural blueprint and the RTS/ITS instruments as the detailed engineering specifications that fill in the gaps.

Article 7 requires financial entities to identify, classify, and document all ICT-supported business functions, information assets, and ICT assets. This includes mapping the interdependencies between these assets, both internally and with ICT third-party service providers. The entity must maintain an up-to-date inventory and must review the classification of assets at least annually. For many organisations, this is where the hard work begins — years of organic IT growth, shadow IT, and undocumented integrations make comprehensive asset identification a significant undertaking.

The identification obligation extends beyond hardware and software inventories. Financial entities must identify all sources of ICT risk, including risks arising from ICT third-party dependencies. They must assess the potential impact of ICT disruptions on business functions and must map the critical business processes that depend on ICT systems. This dependency mapping is not just an internal exercise — it feeds directly into the ICT third-party risk management requirements in Chapter V (Articles 28-44).

Article 8 complements identification with explicit protection and prevention requirements. Entities must implement ICT security policies that define rules to protect the confidentiality, integrity, availability, and authenticity of data and ICT assets. These policies must cover access management, encryption, network security, and change management, among other domains. The protection measures must be proportionate to the criticality of the assets and the risk profile of the entity — but "proportionate" does not mean "optional" for any category of asset.

Articles 10 and 11 mandate that financial entities establish comprehensive ICT incident response and recovery capabilities. The response framework must include early warning indicators, clear escalation and communication procedures, and defined roles and responsibilities for incident handling teams. Entities must classify ICT-related incidents according to criteria set out in Article 18 and the related RTS, and must activate response plans proportionate to the severity classification. The goal is not just containment — DORA explicitly requires root cause analysis and post-incident review.

Recovery under Article 11 is equally prescriptive. Financial entities must develop, document, and implement ICT business continuity policies and ICT response and recovery plans. These plans must be subject to independent review, must be tested at least annually, and must cover scenarios including severe business disruptions and cyberattacks. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) must be defined for critical functions, and the entity must demonstrate that it can meet those objectives through testing. Backup policies must ensure that backups are sufficient to restore operations and that restoration procedures are periodically tested.

Articles 13 and 14 address communication obligations. Article 13 requires entities to establish communication plans for ICT-related incidents, including designated spokespersons and clear internal and external notification protocols. Critically, financial entities must have policies on disclosure of ICT-related incidents to clients and counterparties where those incidents may affect their interests. Article 14 focuses on the continuous learning cycle — entities must conduct post-incident reviews, feed lessons learned back into the ICT risk management framework, and report the root causes and remediation actions to the management body.

The response-recovery-communication triad forms a closed loop that regulators will scrutinise during supervisory reviews. An entity that can detect an incident but cannot demonstrate tested recovery procedures and structured communication protocols will be found non-compliant. The practical implication is that tabletop exercises, crisis simulation drills, and DR failover testing must become recurring operational activities, not once-a-year compliance rituals.

Article 16 provides a proportionate, simplified ICT risk management framework for certain smaller entities. The entities eligible for this simplified regime include small and non-interconnected investment firms, payment institutions exempted under PSD2, institutions exempted under AMLD, small institutions for occupational retirement provision, and certain other entities identified in Article 16(1). These entities are not exempt from DORA — they must still implement an ICT risk management framework — but the requirements are scaled to their size and risk profile.

The simplified framework requires these entities to put in place an ICT risk management framework that identifies and documents ICT-supported business functions and their risks, that protects ICT assets through appropriate measures, and that detects and responds to ICT-related incidents. However, the specific prescriptions around digital operational resilience strategy, formal testing programmes, and advanced detection capabilities are relaxed. The entity must still report major incidents and must still manage ICT third-party risk, but the depth and formality of the framework can be proportionate to their operational profile.

Financial entities considering reliance on Article 16 should exercise caution. The simplified framework is a floor, not a safe harbour. Competent authorities retain full supervisory powers and can require additional measures where they assess that the entity's ICT risk profile warrants them. Furthermore, entities that grow beyond the thresholds or lose their exemption status must transition to the full framework — and doing so retroactively under time pressure is significantly more costly than building a scalable framework from the outset. The prudent approach is to implement a framework that can scale, even if Article 16 permits a lighter touch today.