Source: OJ L, 2024/1774, 25.6.2024
Article 31 ICT risk management
Summary: What does Article 31 of the RTS on ICT risk management framework say?
This article sits within the simplified ICT risk management framework applicable to the smaller financial entities referenced in Article 16(1) of DORA, and it sets out the core risk management obligations those entities must embed into that framework.
Rather than prescribing a fully elaborate governance structure, it focuses on the practical cycle of risk management: establishing tolerance levels, identifying and assessing risks, defining mitigation strategies for risks that fall outside those tolerances, and monitoring their effectiveness.
Notably, the article also requires these entities to reassess ICT and information security risks following major changes or major incidents, and to continuously monitor threats and vulnerabilities relevant to their critical or important functions.
Important points:
- Include risk tolerance levels, risk identification and assessment, mitigation strategies, and ongoing monitoring within your simplified ICT risk management framework.
- Carry out and document ICT risk assessments periodically, with the frequency aligned to your ICT risk profile, and reassess risks following major system changes or major ICT-related incidents.
- Set out alert thresholds and criteria to trigger ICT-related incident response processes.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following:
(a) a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity;
(b) the identification and assessment of the ICT risks to which the financial entity is exposed;
(c) the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity;
(d) the monitoring of the effectiveness of the mitigation strategies referred to in point (c);
(e) the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident.
2. The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities’ ICT risk profile.
3. The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions.
4. The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article (each is defined in Article 3 of Regulation (EU) 2022/2554):
- ICT risk
- ICT asset
- network and information system
- information asset
- vulnerability
- major ICT-related incident
- ICT services
- ICT-related incident
- critical or important function