Source: OJ L, 2024/1774, 25.6.2024
Article 28 Governance and organisation
Summary: What does Article 28 of the RTS on ICT risk management framework say?
This is a foundational governance article that applies specifically to the financial entities subject to the simplified ICT risk management framework under Article 16(1) of DORA.
It establishes that these entities must have an internal governance and control framework for ICT risk, and places overall responsibility squarely with the management body.
The management body's duties span the full breadth of ICT risk management: setting strategy, approving policies, allocating budget, ensuring staff competence, and establishing reporting arrangements.
The article also addresses outsourcing, internal audit requirements, and the independence of control functions, making it a comprehensive governance anchor for this category of financial entity.
Important points:
- Ensure your management body bears direct, overall responsibility for the simplified ICT risk management framework, covering everything from strategy alignment and budget allocation to staff training and reporting arrangements.
- Compliance verification tasks may be outsourced to ICT intra-group or third-party service providers, but the financial entity remains fully responsible for compliance with ICT risk management requirements.
- The simplified ICT risk management framework must be subject to internal audit by independent auditors with sufficient ICT risk expertise, and any critical findings must be verified and remediated in a timely manner.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience.
2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body:
(a) bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity’s business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context;
(b) sets clear roles and responsibilities for all ICT-related tasks;
(c) sets out information security objectives and ICT requirements;
(d) approves, oversees, and periodically reviews:
(i) the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies;
(ii) the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554;
(e) allocates and reviews at least once a year the budget necessary to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff;
(f) specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to;
(g) identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets;
(h) ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed;
(i) establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience.
3. The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements.
4. The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions.
5. The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities’ audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
6. Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article:
- ICT risk
- ICT third-party service provider
- ICT asset
- network and information system
- management body
- information asset
- digital operational resilience
- ICT services