Source: OJ L 333, 27.12.2022, p. 1–79


Article 15 Further harmonisation of ICT risk management tools, methods, processes and policies


Summary: What does Article 15 of the DORA regulation say?

This article is a technical standard-setting mandate directed at the ESAs, instructing them to develop, in consultation with ENISA, common regulatory technical standards that flesh out the practical details of obligations already established in earlier articles of the regulation.

Rather than creating new rules itself, Article 15 acts as a delegation mechanism that builds directly on Articles 6, 9, 10, and 11, tasking the ESAs with translating those high-level requirements into concrete, workable standards covering areas such as ICT security policies, access management, incident detection, business continuity, and risk management framework reporting.

The Commission is then empowered to formally adopt these standards.

Important points:

  • The ESAs are required to develop and submit draft regulatory technical standards to the Commission by 17 January 2024.
  • When drafting these standards, the ESAs must take into account the size, risk profile, and complexity of financial entities, as well as sector-specific characteristics.
  • Power is delegated to the Commission to adopt these regulatory technical standards under the standard RTS procedure of the ESA founding regulations, at which point they become binding on the financial entities in scope of DORA.

The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.

  1. The ESAs shall, through the Joint Committee, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to:

    1. specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 9(2), with a view to ensuring the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the availability, authenticity, integrity and confidentiality of data, including cryptographic techniques, and guarantee an accurate and prompt data transmission without major disruptions and undue delays;

    2. develop further components of the controls of access management rights referred to in Article 9(4), point (c), and associated human resource policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;

    3. develop further the mechanisms specified in Article 10(1) enabling a prompt detection of anomalous activities and the criteria set out in Article 10(2) triggering ICT-related incident detection and response processes;

    4. specify further the components of the ICT business continuity policy referred to in Article 11(1);

    5. specify further the testing of ICT business continuity plans referred to in Article 11(6) to ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider and, where relevant, the political risks in the respective providers’ jurisdictions;

    6. specify further the components of the ICT response and recovery plans referred to in Article 11(3);

    7. specifying further the content and format of the report on the review of the ICT risk management framework referred to in Article 6(5);

  2. When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, while duly taking into consideration any specific feature arising from the distinct nature of activities across different financial services sectors.

  3. The ESAs shall submit those draft regulatory technical standards to the Commission by 17 January 2024.

  4. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first paragraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.


Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.


Crafted with ❤️ by Springflod