Source: OJ L, 2024/1774, 25.6.2024

Article 3: ICT risk management

Summary: What does Article 3 of the RTS on ICT risk management framework say?

This article sets out the detailed requirements for ICT risk management policies and procedures that financial entities must develop, document, and implement.

It builds directly on the broader ICT risk management framework established under DORA (Regulation (EU) 2022/2554), translating its high-level obligations into concrete procedural requirements.

The article covers the full lifecycle of ICT risk management: from establishing a risk tolerance level and conducting risk assessments, through implementing treatment measures, to handling residual risks that remain after those measures are applied.

A notable element is the structured approach to residual risk, which must be inventoried, justified, assigned to responsible owners, and reviewed at least annually.

The article also requires ongoing monitoring of the threat landscape and vulnerabilities, and ensures that any changes to the financial entity's business or digital resilience strategy feed back into the risk management process.

Important points:

  • Develop, document, and implement ICT risk management policies and procedures covering the entire risk lifecycle, from assessment through treatment to residual risk management.
  • Maintain an inventory of accepted residual ICT risks with written justifications, and review those accepted risks at least once a year to confirm the reasons for acceptance remain valid.
  • Continuously monitor changes to the ICT risk and cyber threat landscape, internal and external vulnerabilities, and ensure shifts in business or digital resilience strategy are reflected in the risk management framework.

The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.

  1. Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following:

    (a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;

    (b) a procedure and a methodology to conduct the ICT risk assessment, identifying:

      (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions;

      (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);

    (c) the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a);

    (d) for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c):

      (i) provisions on the identification of those residual ICT risks;

      (ii) the assignment of roles and responsibilities regarding:

        (1) the acceptance of the residual ICT risks that exceed the financial entity’s risk tolerance level referred to in point (a);

        (2) for the review process referred to in point (iv) of this point (d);

      (iii) the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance;

      (iv) provisions on the review of the accepted residual ICT risks at least once a year, including:

        (1) the identification of any changes to the residual ICT risks;

        (2) the assessment of available mitigation measures;

        (3) the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review;

    (e) provisions on the monitoring of:

      (i) any changes to the ICT risk and cyber threat landscape;

      (ii) internal and external vulnerabilities and threats;

      (iii) ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile;

    (f) provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account.

  2. For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure:

    (a) the monitoring of the effectiveness of the ICT risk treatment measures implemented;

    (b) the assessment of whether the established risk tolerance levels of the financial entity have been attained;

    (c) the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

Crafted with ❤️ by Springflod