Source: OJ L 333, 27.12.2022, p. 1–79Current language: EN
- Digital operational resilience in the financial sector
Basic legislative acts
- DORA regulation
Article 6 ICT risk management framework
Summary What does Article 6 of the DORA regulation say?
This is a foundational article that fleshes out the ICT risk management framework introduced in Article 5, detailing what that framework must actually contain and how it must be governed.
It covers the minimum required components of the framework — strategies, policies, procedures, protocols and tools — and sets out ongoing obligations around documentation, review, internal audit, and continuous improvement.
Crucially, the article also requires financial entities to embed within the framework a digital operational resilience strategy, which must address how ICT risk is managed in practice, including incident detection, security objectives, and communication planning.
Important points:
- Maintain a sound, comprehensive and well-documented ICT risk management framework that includes strategies, policies, procedures, protocols and tools covering both digital and physical assets.
- The framework must be reviewed at least annually, subjected to regular internal audit, and followed up with a formal remediation process for critical findings.
- Outsourcing compliance verification tasks is permitted, but financial entities remain fully responsible for meeting all ICT risk management requirements.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request.
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.
The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:
explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;
establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
setting out clear information security objectives, including key performance indicators and key risk metrics;
explaining the ICT reference architecture and any changes needed to reach specific business objectives;
outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required in accordance with Article 14.
Financial entities may, in the context of the digital operational resilience strategy referred to in paragraph 8, define a holistic ICT multi-vendor strategy, at group or entity level, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.
Financial entities may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.
Relevant recitals
Recital 47 Flexibility in ICT risk management models
Inspired by relevant international, national and industry best practices, guidelines, recommendations and approaches to the management of cyber risk, this Regulation promotes a set of principles that facilitate the overall structure of ICT risk management. Consequently, as long as the main capabilities which financial entities put in place address the various functions in the ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication) set out in this Regulation, financial entities should remain free to use ICT risk management models that are differently framed or categorised.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
central counterparty
Definition
ICT risk
Definition
ICT third-party service provider
Definition
ICT asset
Definition
trading venue
Definition
network and information system
Definition
trade repository
Definition
microenterprise
Definition
information asset
Definition
group
Definition
major ICT-related incident
Definition
digital operational resilience
Definition
ICT services
Definition
ICT-related incident
Definition
critical or important function
Definition
central securities depository