
DORA ICT Risk Management Requirements

ICT risk management forms the foundation of DORA compliance. Chapter II of the regulation requires financial entities to establish, maintain, and continuously improve a comprehensive framework for identifying, protecting against, detecting, responding to, and recovering from ICT-related disruptions.

This is not simply a documentation exercise. DORA requires that ICT risk management be embedded into organizational governance, with the management body taking direct responsibility for approving and overseeing the framework.

Key Takeaways

Point | Summary
Comprehensive framework | Must cover identification, protection, detection, response, and recovery
Management accountability | Board-level approval and oversight required
Continuous improvement | Regular reviews and updates mandatory
Documentation | Policies, procedures, and records must be maintained
Proportionality | Implementation scales with size and risk profile

Quick Answer: DORA requires financial entities to implement a documented ICT risk management framework covering asset identification, protection measures, detection capabilities, incident response, and recovery planning. The management body must approve the framework, allocate adequate resources, and undergo regular ICT risk training. The framework must be reviewed at least annually and following major incidents.

Governance and Organization

Management Body Responsibilities

DORA places explicit obligations on the management body (board of directors, executive management, or equivalent):

Responsibility | Description
Framework ownership | Define, approve, oversee, and be accountable for the ICT risk management framework
Resource allocation | Ensure adequate ICT budget and staffing
Training | Undergo training to understand and assess ICT risks
Policy approval | Approve policies for ICT services supporting critical or important functions
Continuity oversight | Approve business continuity arrangements
Review | Regularly review ICT audit findings and incident reports

This represents a significant shift from treating ICT risk as a technical matter delegated to IT departments.

ICT Risk Management Function

Non-microenterprises must establish an ICT risk management function that is:

  • Independent from operational ICT functions
  • Adequately staffed and resourced
  • Capable of reporting directly to senior management

The function is responsible for:

  • Monitoring ICT risk exposure
  • Advising on risk mitigation measures
  • Reporting to the management body
  • Coordinating incident response

Smaller entities may combine this function with other control functions, provided independence is maintained for ICT-related matters.

The ICT Risk Management Framework

Core Components

DORA Article 6 requires the framework to include:

Component | Description
Strategies | High-level direction for managing ICT risk
Policies | Rules governing ICT security and operations
Procedures | Operational processes implementing policies
Tools and protocols | Technical and organizational measures
Review mechanisms | Processes for evaluating framework effectiveness

Documentation Requirements

Financial entities must maintain comprehensive documentation:

  • ICT risk management strategy
  • ICT security policy (reviewed at least annually)
  • Information security procedures
  • ICT asset inventory
  • Risk assessments
  • Business impact analyses
  • Business continuity plans
  • Incident response procedures

All documentation must be kept current and accessible to supervisory authorities upon request.

Identification

The first function of the framework is identifying and documenting all ICT assets and risks.

ICT Asset Inventory

Financial entities must identify, classify, and document:

Asset Category | Examples
Hardware | Servers, network equipment, workstations, mobile devices
Software | Operating systems, applications, databases, middleware
Network components | Firewalls, routers, switches, load balancers
Data | Customer data, transaction records, configuration data
ICT services | Cloud services, outsourced functions, third-party integrations

The inventory must distinguish between assets supporting critical or important functions and those supporting non-critical functions.

Risk Identification

Financial entities must identify ICT risks arising from:

  • Known vulnerabilities in systems and infrastructure
  • Cyber threats relevant to the entity and sector
  • Dependencies on ICT third-party service providers
  • Concentration risks in technology supply chains
  • Single points of failure in critical systems

Business Impact Analysis

Entities must assess the potential impact of ICT disruptions on:

  • Business continuity
  • Financial losses
  • Reputational damage
  • Regulatory compliance
  • Client services

This analysis informs recovery time objectives and priorities.

Protection and Prevention

The framework must include measures to protect ICT systems and prevent incidents.

Technical Measures

Measure | Description
Access control | Role-based access, least privilege, regular access reviews
Authentication | Strong authentication, multi-factor for privileged and remote access
Encryption | Data protection at rest and in transit
Network security | Segmentation, firewalls, intrusion prevention
Endpoint protection | Anti-malware, endpoint detection and response
Patch management | Timely application of security updates
Secure configuration | Hardening standards for systems and applications

Organizational Measures

Measure | Description
Security awareness | Regular training for all staff
Acceptable use policies | Clear rules for system and data usage
Change management | Controlled process for system changes
Personnel security | Background checks, confidentiality agreements
Physical security | Protection of data centers and equipment

ICT Security Policies

Financial entities must establish policies covering:

  • Information security (overall framework)
  • Network security (architecture and controls)
  • Cryptography (encryption standards and key management)
  • ICT project management (security in development)
  • ICT operations (day-to-day security practices)
  • Data management (classification and handling)
  • Logical access (authentication and authorization)
  • Physical security (facilities and equipment)
  • Vendor security (third-party requirements)

Detection

Financial entities must implement capabilities to detect ICT-related incidents and anomalies.

Monitoring Requirements

Capability | Description
Security monitoring | Continuous monitoring of security events
Anomaly detection | Identification of unusual patterns or behaviors
Log management | Collection, retention, and analysis of system logs
Threat detection | Identification of potential cyber attacks
Performance monitoring | Detection of system degradation

Alert and Escalation

The framework must define:

  • Alert thresholds and triggers
  • Escalation procedures
  • On-call arrangements
  • Communication channels

Response and Recovery

Incident Response

Financial entities must establish incident response capabilities including:

Element | Description
Response plans | Documented procedures for different incident types
Roles and responsibilities | Clear assignment of response duties
Communication procedures | Internal and external communication protocols
Containment measures | Actions to limit incident impact
Evidence preservation | Procedures for forensic evidence handling
Reporting procedures | Alignment with DORA incident reporting requirements

ICT Business Continuity

DORA requires comprehensive business continuity arrangements:

Element | Description
Business continuity policy | Management-approved policy covering ICT continuity
Business impact analysis | Assessment of critical function dependencies
Recovery objectives | RTO and RPO for critical or important functions
Continuity plans | Documented procedures for maintaining operations
Recovery plans | Procedures for restoring normal operations
Crisis management | Governance structure for major disruptions

ICT Disaster Recovery

Disaster recovery capabilities must include:

Element | Description
Backup procedures | Regular, tested backups with secure storage
Recovery procedures | Documented restoration processes
Alternative processing | Capability to operate from secondary sites
Testing | Regular testing of recovery capabilities
Plan maintenance | Updates following changes or test results

Recovery Time Objectives

For critical or important functions, entities must define:

  • Recovery Time Objective (RTO): Maximum acceptable downtime
  • Recovery Point Objective (RPO): Maximum acceptable data loss

These objectives must be realistic, tested, and aligned with business requirements and risk appetite.

Learning and Evolving

Review and Improvement

The ICT risk management framework must be:

  • Reviewed at least annually (periodically in the case of microenterprises)
  • Reviewed and updated following major ICT-related incidents, supervisory instructions, and conclusions from resilience testing or audits
  • Improved based on lessons learned
  • Aligned with evolving threats and technologies

Post-Incident Analysis

Following major incidents, entities must conduct:

  • Root cause analysis
  • Impact assessment
  • Control effectiveness evaluation
  • Improvement identification
  • Implementation tracking

Lessons learned must feed back into the framework, improving future resilience.

Simplified Framework for Smaller Entities

Certain smaller entities (small and non-interconnected investment firms, payment institutions and electronic money institutions exempted under their sectoral directives, and small institutions for occupational retirement provision) may implement the simplified ICT risk management framework set out in Article 16. This simplified version:

  • Maintains core elements but with reduced documentation
  • Focuses on proportionate measures
  • Still requires appropriate governance

Microenterprises benefit from additional flexibility but must still address ICT risks appropriately.

Common Questions

How does DORA's ICT risk management compare to ISO 27001?

ISO 27001 provides excellent coverage for many DORA ICT risk management requirements. Key differences include DORA's explicit management body accountability requirements, specific business continuity expectations, and integration with incident reporting obligations. ISO 27001 certification provides a strong foundation but may need supplementation for full DORA compliance.

What documentation is required?

At minimum: ICT risk management strategy, information security policy, ICT security procedures, asset inventory, risk assessments, business impact analyses, business continuity plans, disaster recovery plans, and incident response procedures. Proportionality applies to the depth and formality of documentation.

How often must we review the framework?

The framework must be reviewed at least annually. Additional reviews are required following significant changes (organizational, technological, or threat landscape) and after major incidents.

Can we outsource ICT risk management?

You can use external expertise to support ICT risk management, but accountability remains with the financial entity. The management body cannot delegate its oversight responsibilities.

How Bastion Helps

Bastion supports financial entities in building and maintaining DORA-compliant ICT risk management frameworks:

  • Framework development: Design and documentation of comprehensive ICT risk management frameworks
  • Gap assessment: Evaluation of existing frameworks against DORA requirements
  • Policy development: Creation of required policies and procedures
  • Risk assessment: ICT risk identification and assessment support
  • Implementation support: Assistance with control implementation
  • Review and improvement: Annual reviews and continuous improvement guidance

Ready to build your DORA-compliant ICT risk management framework? Talk to our team

