Article 8, Identification, Digital Operational Resilience Act (DORA)

Overview

1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.

2. Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

3. Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.

4. Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.

5. Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.

6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.

7. Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.

Summary Of Article 8

Article 8 of the Digital Operational Resilience Act (DORA) outlines the identification and documentation of ICT-supported business functions and assets as part of the ICT risk management framework. Financial entities must classify and document all ICT functions, roles, information assets, and dependencies, updating this classification annually or as needed. Continuous identification of ICT risk sources, including cyber threats and vulnerabilities, is mandatory, along with yearly reviews of risk scenarios.

Entities must perform risk assessments after major infrastructure changes, mapping critical assets, configurations, and interdependencies. This includes identifying processes reliant on third-party ICT providers and maintaining updated inventories of assets and dependencies. Legacy ICT systems require annual risk assessments, especially when integrating new technologies. These provisions aim to ensure a comprehensive understanding of ICT risks and dependencies, bolstering resilience against disruptions.