Source: OJ L 333, 27.12.2022, p. 1–79 (Regulation (EU) 2022/2554, DORA)
Article 17 ICT-related incident management process
Summary: What does Article 17 of the DORA regulation say?
This article requires financial entities to define, establish and implement a formal ICT-related incident management process.
It is the operational core of the regulation's incident handling framework and cross-references two neighbouring provisions: incidents are to be categorised and classified according to the criteria set out in Article 18(1), and communication plans are to follow Article 14.
The article covers the full lifecycle of incident management: early warning, detection, recording, classification, escalation, communication, and response.
Notably, the recording obligation extends beyond ICT-related incidents to significant cyber threats, and root causes must be identified, documented and addressed so that the same incidents do not recur.
Important points:
- Define, establish and implement an ICT-related incident management process covering detection, management and notification of incidents.
- Record all ICT-related incidents and significant cyber threats, and ensure root causes are identified, documented and addressed.
- Major ICT-related incidents must be escalated to senior management and the management body, with explanation of the impact, response and any additional controls required.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
2. Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
3. The ICT-related incident management process referred to in paragraph 1 shall:
(a) put in place early warning indicators;
(b) establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1);
(c) assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
(d) set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
(e) ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;
(f) establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.
This text is provided by Springlex purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article:
- major operational or security payment-related incident
- network and information system
- cyber threat
- significant cyber threat
- management body
- major ICT-related incident
- operational or security payment-related incident
- ICT-related incident
- critical or important function