Article 17, ICT-Related Incident Management Process, Digital Operational Resilience Act (DORA)
1. Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
2. Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
3. The ICT-related incident management process referred to in paragraph 1 shall:
(a) put in place early warning indicators;
(b) establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1);
(c) assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
(d) set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
(e) ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;
(f) establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.
Summary of Article 17
Article 17 of the Digital Operational Resilience Act (DORA) sets out what a financial entity's ICT-related incident management process must do. Entities must define, establish and implement a process to detect, manage and notify ICT-related incidents. All ICT-related incidents and significant cyber threats must be recorded, and monitoring, handling and follow-up must be consistent and integrated so that root causes are identified, documented and addressed, preventing the same incidents from recurring.
The process must include early warning indicators and procedures to identify, track, log, categorise and classify incidents by priority, severity and the criticality of the services affected, using the classification criteria of Article 18(1). Roles and responsibilities must be assigned in advance for each incident type and scenario. Communication plans must cover staff, external stakeholders and the media (in line with Article 14) as well as notification to clients; internal escalation procedures, including the handling of ICT-related customer complaints, and the provision of information to counterpart financial entities where appropriate are also required.
At least major ICT-related incidents must be reported to the relevant senior management, and the management body must be informed of them, with an explanation of the impact, the response and the additional controls to be established as a result. Finally, incident response procedures must mitigate the impact of an incident and bring services back to an operational and secure state in a timely manner.