Article 7 of the Digital Operational Resilience Act (DORA): Identification
Article 7 of the Digital Operational Resilience Act (DORA) focuses on the identification of important ICT systems and services within financial entities. This article aims to establish criteria and processes for identifying critical ICT systems that are essential for the continuity and security of financial operations. By defining these critical systems, DORA enhances the sector's ability to prioritize resilience measures, manage risks effectively, and ensure continuity in service delivery. This introductory overview sets the stage for understanding how financial entities categorize and safeguard their ICT assets to meet regulatory requirements and mitigate operational disruptions.
Identification and Management of ICT Risks and Dependencies
- Identification and Documentation of ICT-related Business Functions: Within the ICT risk management framework as defined in Article 5(1), financial entities must identify, classify, and comprehensively document all ICT-related business functions. This includes documenting the information assets supporting these functions, as well as the configurations and interconnections of ICT systems both internally and externally. Financial entities are required to regularly review and, at least annually, assess the adequacy of information asset classification and related documentation.
- Continuous Identification of ICT Risks and Cyber Threats: Financial entities are mandated to continuously identify all sources of ICT risks, with particular emphasis on risks originating from and affecting other financial entities. They must assess cyber threats and vulnerabilities relevant to their ICT-related business functions and information assets on an ongoing basis. Regular reviews of risk scenarios impacting the entities should be conducted at least annually.
- Risk Assessment for Changes in ICT Infrastructure: Excluding microenterprises, financial entities must perform a risk assessment whenever there is a significant change in their network and information system infrastructure, processes, or procedures that impacts their functions or the supporting processes and information assets.
- Mapping of Critical ICT Systems and Interdependencies: Financial entities are required to identify all ICT system accounts, including those at remote sites, network resources, and critical hardware equipment. They must map the physical equipment considered critical and document the configuration of ICT assets, along with the links and interdependencies between different ICT components.
- Documentation of Processes Dependent on ICT Third-party Service Providers: Entities must identify and document all processes dependent on ICT third-party service providers. This includes identifying interconnections with these providers within the ICT environment.
- Maintenance and Updating of Inventories: For compliance with paragraphs 1, 4, and 5, financial entities must maintain and regularly update relevant inventories related to ICT systems, information assets, critical equipment, interdependencies, and processes dependent on third-party service providers.
- Specific ICT Risk Assessment for Legacy Systems: Excluding microenterprises, financial entities must conduct a specific ICT risk assessment at least annually on all legacy ICT systems. This assessment becomes especially critical before and after integrating old and new technologies, applications, or systems.
These provisions ensure financial entities adopt a proactive stance in managing ICT risks, bolstering resilience against cyber threats, and safeguarding the continuity and security of their ICT operations and services. By implementing robust frameworks and adhering to regulatory guidelines, financial institutions can effectively mitigate risks, prioritize resilience measures, and maintain uninterrupted service delivery in the face of evolving technological challenges and cyber threats.