Article 10 Digital Operational Resilience Act (DORA), Response And Recovery

by Sneha Naskar

Article 10 of the Digital Operational Resilience Act (DORA) focuses on the critical aspects of response and recovery in managing ICT-related incidents within financial entities. This section outlines the essential requirements and procedures that financial institutions must adhere to when responding to incidents and recovering from disruptions in their ICT systems. Effective response and recovery strategies are pivotal in mitigating the impact of incidents, maintaining operational continuity, and safeguarding the integrity of financial services amid increasing cyber threats and technological dependencies.


Establishment of ICT Business Continuity Policy: Within the ICT risk management framework as defined in Article 5(1) and aligned with the identification requirements in Article 7, financial entities must develop a dedicated and comprehensive ICT Business Continuity Policy. This policy should integrate seamlessly into the overall operational business continuity strategy of the financial entity.

Implementation of ICT Business Continuity Policy: Financial entities are required to implement the ICT Business Continuity Policy through dedicated, appropriate, and well-documented arrangements, plans, procedures, and mechanisms. These arrangements aim to:

  • Record all ICT-related incidents.
  • Ensure continuity of critical functions during disruptions.
  • Respond swiftly, appropriately, and effectively to ICT-related incidents, including cyber-attacks, so as to limit damage and prioritize the resumption of activities and recovery actions.
  • Activate specific plans for containment measures and utilize processes and technologies tailored to different types of ICT incidents, as well as recovery procedures in accordance with Article 11.
  • Estimate initial impacts, damages, and losses.
  • Establish communication and crisis management actions to disseminate updated information to internal staff and external stakeholders as per Article 13, and report to competent authorities under Article 17.

Implementation of ICT Disaster Recovery Plan: As part of the ICT risk management framework under Article 5(1), financial entities must implement an associated ICT Disaster Recovery Plan. This plan, particularly for financial entities other than microenterprises, should undergo independent audit reviews.


Testing and Maintenance of ICT Business Continuity Plans: Financial entities must establish, maintain, and periodically test appropriate ICT business continuity plans, especially for critical functions outsourced or managed through arrangements with ICT third-party service providers.

Testing Requirements: As part of comprehensive ICT risk management:

  • Test the ICT Business Continuity Policy and ICT Disaster Recovery Plan annually and after significant changes to ICT systems.
  • Conduct crisis communication plan tests as outlined in Article 13.
  • Include scenarios of cyber-attacks and switchovers between primary ICT infrastructure and redundant capacity, backups, and facilities in testing plans to meet obligations under Article 11.

Financial entities must regularly review the ICT Business Continuity Policy and ICT Disaster Recovery Plan based on test results and recommendations from audit checks or supervisory reviews.

Crisis Management Function: Financial entities other than microenterprises must establish a crisis management function. This function should set out clear procedures for managing internal and external crisis communications whenever the ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated, in line with Article 13.

Documentation of Disruption Events: Financial entities must maintain records of activities before and during disruption events when the ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated. These records should be easily accessible.

Reporting Requirements: Financial entities falling under point (f) of Article 2(1) must provide competent authorities with copies of results from ICT business continuity tests or similar exercises conducted during the review period.

Cost and Loss Reporting: Financial entities other than microenterprises must report all costs and losses incurred due to ICT disruptions and ICT-related incidents to competent authorities.

These provisions ensure that financial entities maintain resilience against ICT disruptions, promptly respond to incidents, and communicate effectively with stakeholders and regulators during crises.
