Source: OJ L, 2024/1774, 25.6.2024
Article 41 Format and content of the report on the review of the simplified ICT risk management framework
Summary
What does Article 41 of the RTS on ICT risk management framework say?
This article is the simplified ICT risk management framework equivalent of Article 27, which sets out the same reporting requirement for financial entities under the full framework.
Article 41 prescribes both the format and the mandatory content of the report that certain financial entities — those subject to the simplified framework under Article 16(1) of DORA — must submit when reviewing their ICT risk management framework.
The report must be submitted in a searchable electronic format and cover a comprehensive range of information: from contextual background and the reasons the review was triggered, through to findings, identified weaknesses, remedying measures, and overall conclusions.
Important points:
- Submit the ICT risk management framework review report in a searchable electronic format, covering all mandatory content areas set out in this article.
- The report must include a self-assessment of weaknesses and gaps identified, along with remedying measures and expected implementation dates — including follow-up on unresolved issues from previous reports.
- Where the review was triggered by supervisory instructions or ICT-related incidents, the report must include evidence of those instructions or a list of the relevant incidents with root-cause analysis.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format.
2. The report referred to in paragraph 1 shall contain all of the following information:
(a) an introductory section providing:
(i) a description of the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, the financial entity’s organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity’s dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency;
(ii) an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;
(iii) information about the reported area;
(iv) a summary of the major changes in the ICT risk management framework since the previous report;
(v) a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report;
(vi) where applicable, the date of the approval of the report by the management body of the financial entity;
(b) a description of the reasons for the review, including:
(i) where the review has been initiated following supervisory instructions, evidence of such instructions;
(ii) where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis;
(c) the start and end date of the review period;
(d) the person responsible for the review;
(e) a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in the ICT risk management framework for the review period, including a detailed analysis thereof;
(f) remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied;
(g) overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments.
This Springlex text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.