Article 5 of the Digital Operational Resilience Act (DORA): ICT Risk Management Framework
Article 5 of the Digital Operational Resilience Act (DORA) establishes the framework for ICT risk management within the financial sector, ensuring comprehensive measures to address and mitigate cyber threats.
Establishing and Maintaining a Robust ICT Risk Management Framework
Establishment of a Comprehensive ICT Risk Management Framework: Financial entities are required to develop a robust, well-documented ICT risk management framework that allows them to swiftly, efficiently, and comprehensively address ICT risks. This framework should be tailored to ensure a high level of digital operational resilience that aligns with the entity's business needs, size, and complexity.
Components of the ICT Risk Management Framework: The ICT risk management framework must encompass strategies, policies, procedures, ICT protocols, and tools necessary to effectively protect all relevant physical components and infrastructures. This includes safeguarding computer hardware, servers, premises, data centers, and sensitive designated areas against risks such as damage and unauthorized access.
Mitigation of ICT Risks: Financial entities must deploy appropriate strategies, policies, procedures, protocols, and tools as outlined in their ICT risk management framework to minimize the impact of ICT risks. They are also required to provide complete and updated information on ICT risks as mandated by competent authorities.
Implementation of Information Security Management System (ISMS): Excluding microenterprises, financial entities must implement an ISMS based on recognized international standards and regulatory guidance. Regular reviews of the ISMS ensure it remains aligned with supervisory directives and industry best practices.
Segregation of ICT Management Functions: Financial entities must ensure appropriate segregation of ICT management functions, control functions, and internal audit functions according to the three lines of defense model or an internal risk management and control model. This segregation enhances oversight and accountability.
Documentation, Review, and Continuous Improvement: The ICT risk management framework should be documented and reviewed at least annually, as well as in response to major ICT-related incidents, supervisory instructions, or findings from digital operational resilience testing or audits. Continuous improvement based on lessons learned is essential.
Regular ICT Audits: Regular audits of the ICT risk management framework by qualified ICT auditors with sufficient knowledge and expertise in ICT risk are necessary. The frequency and focus of these audits should be commensurate with the ICT risks faced by the financial entity.
Formal Follow-Up Process: A formal follow-up process, including rules for timely verification and remediation of critical ICT audit findings, must be established. This process should consider the nature, scale, and complexity of the entity's services and activities.
Digital Resilience Strategy: The ICT risk management framework should include a digital resilience strategy that sets out how the framework is to be implemented. This strategy should:
- Explain how the framework supports the entity’s business strategy and objectives.
- Establish risk tolerance levels for ICT risks aligned with the entity’s risk appetite.
- Outline clear information security objectives.
- Describe the ICT reference architecture and necessary adjustments to achieve specific business goals.
- Specify mechanisms for detecting, protecting against, and mitigating impacts of ICT-related incidents.
- Provide evidence of reported major ICT incidents and the effectiveness of preventive measures.
- Define a holistic ICT multi-vendor strategy, outlining dependencies on third-party service providers and the rationale behind procurement decisions.
- Include plans for digital operational resilience testing and a communication strategy for managing ICT-related incidents.
Delegation of Compliance Verification: Upon approval by competent authorities, financial entities may delegate verification of compliance with ICT risk management requirements to intra-group or external entities. This delegation ensures comprehensive oversight while leveraging specialized expertise.
These provisions underpin DORA's objectives of strengthening ICT resilience within financial entities, promoting proactive risk management, and ensuring continuity of digital operations amid evolving regulatory requirements and technological change.