Source: OJ L 333, 27.12.2022, p. 1–79
DORA regulation (Digital operational resilience in the financial sector)
Article 8 Identification
Summary: What does Article 8 of the DORA regulation say?
Article 8 sits within the ICT risk management framework established by Article 6 and deals with identification, the foundational "know what you have" obligation.
Financial entities are required to identify, classify and document their ICT-supported business functions, the information assets and ICT assets supporting them, their third-party dependencies and, on a continuous basis, the sources of ICT risk, cyber threats and vulnerabilities affecting them.
The article also mandates the creation and upkeep of inventories capturing these elements, and (for entities other than microenterprises) requires a risk assessment whenever a major change occurs to the network and information system infrastructure or to the processes affecting those functions and assets.
A specific obligation targets legacy ICT systems: financial entities other than microenterprises must carry out a dedicated ICT risk assessment of such systems at least yearly, and in any case before and after connecting technologies, applications or systems.
Important points:
- Identify, classify, document, and map all ICT and information assets — including remote sites, hardware, and interdependencies — and maintain live inventories that are updated upon any major change.
- Continuously identify ICT risk sources and assess cyber threats and vulnerabilities, with formal reviews conducted at least yearly; financial entities other than microenterprises must also perform a risk assessment upon each major infrastructure or process change.
- Financial entities other than microenterprises must conduct a specific ICT risk assessment on all legacy ICT systems at least yearly and before and after connecting them to other technologies or systems.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text.
1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
2. Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
3. Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.
4. Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.
5. Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.
7. Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article:
- legacy ICT system
- central counterparty
- ICT risk
- ICT third-party service provider
- ICT asset
- trading venue
- network and information system
- trade repository
- cyber threat
- microenterprise
- information asset
- vulnerability
- ICT services
- critical or important function
- central securities depository