Source: OJ L 333, 27.12.2022, p. 1–79
DORA regulation (Digital operational resilience in the financial sector), Article 13: Learning and evolving
Summary: What does Article 13 of the DORA regulation say?
This article deals with learning and continuous improvement as part of the ICT risk management framework established under Article 6.
It covers the full cycle of gathering intelligence on threats, conducting post-incident reviews, feeding lessons learned back into the risk assessment process, and maintaining ongoing monitoring of the digital operational resilience strategy.
It also addresses the human side of resilience, requiring mandatory ICT security training for all staff and continuous monitoring of technological developments by all but the smallest entities.
Important points:
- Conduct post-incident reviews after any major ICT-related incident, assessing whether procedures were followed and actions were effective, and feed those findings back into the ICT risk management framework on a continuous basis.
- Develop and implement mandatory ICT security awareness programmes and digital operational resilience training for all employees and senior management, with ICT third-party service providers included in training schemes where appropriate.
- Senior ICT staff are required to report to the management body at least yearly on lessons learned from testing and real-life incidents, and put forward recommendations.
Springlex's summary of the article is a reading aid, not a substitute for the legal text, which follows.
1. Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.
2. Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities, the changes that were implemented following post ICT-related incident reviews as referred to in the first subparagraph.
The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:
(a) the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity;
(b) the quality and speed of performing a forensic analysis, where deemed appropriate;
(c) the effectiveness of incident escalation within the financial entity;
(d) the effectiveness of internal and external communication.
3. Lessons derived from the digital operational resilience testing carried out in accordance with Articles 26 and 27 and from real life ICT-related incidents, in particular cyber-attacks, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT risk assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the ICT risk management framework referred to in Article 6(1).
4. Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance the cyber maturity and preparedness of the financial entity.
5. Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.
6. Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).
7. Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms: central counterparty, ICT risk, ICT third-party service provider, trading venue, network and information system, trade repository, cyber threat, cyber-attack, microenterprise, management body, vulnerability, major ICT-related incident, digital operational resilience, ICT services, ICT-related incident, critical or important function, central securities depository.