Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 30 Classification of information assets and ICT assets
Summary What does Article 30 of the RTS on ICT risk management framework say?
This article sits within the simplified ICT risk management framework applicable to a specific subset of financial entities under Article 16(1) of DORA.
It establishes the foundational mapping exercise those entities must carry out: identifying, classifying, and documenting their critical or important functions alongside the information and ICT assets that support them, including how those assets interrelate.
It also separately requires those same entities to identify which of their critical or important functions are supported by ICT third-party service providers.
This article effectively underpins much of what follows in the simplified framework, as knowing what you have and what depends on what is a prerequisite for managing risk.
Important points:
- Identify, classify, and document all critical or important functions, their supporting information and ICT assets, and the interdependencies between them, reviewing this as needed.
- Identify all critical or important functions that are supported by ICT third-party service providers.
- This obligation applies to financial entities operating under the simplified ICT risk management framework, not all financial entities covered by DORA.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed.
The financial entities referred to in paragraph 1 shall identify all critical or important functions supported by ICT third-party service providers.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT risk
Definition
ICT third-party service provider
Definition
ICT asset
Definition
network and information system
Definition
information asset
Definition
ICT services
Definition
critical or important function