DORA – ICT Risk Management

ICT Risk Management

This web page contains the rules on governance and organisation under the Digital Operational Resilience Act (DORA), followed by the requirements for the risk management framework for information and communication technology (ICT risk management framework) in relation to ICT systems, protocols and tools, as well as to the ICT risk management functions.

Governance and organisation

DORA’s provisions start by emphasising the responsibility of the management body. A governance framework must be established that ensures ICT risks are managed effectively.

For example, appropriate resources are to be made available, a digital operational resilience strategy adopted, the corresponding risk tolerance thresholds determined, information channels established for using ICT third-party service providers or for major ICT incidents, an ICT business continuity policy and ICT response and recovery plans approved, and training measures planned for all staff members.

ICT risk management framework

Strategies, policies, procedures, ICT protocols and tools to protect all information assets and ICT assets are to be determined to guarantee a high level of digital operational resilience.

Information about ICT risks and the ICT risk management framework is to be updated on an ongoing basis. An appropriate and independent ICT control function is to be established. In addition, the documentation of the review of the ICT risk management framework, which must take place at least annually, is to be submitted to the Financial Market Authority (FMA) upon request.

Furthermore, standards are to be defined for the contents of a digital operational resilience strategy, for example regarding how the ICT risk management framework supports the business strategy or how information security objectives are defined.

ICT systems, protocols and tools

Identification

Inventories of ICT assets and information assets, as well as of ICT-based functions, roles and responsibilities and ICT third-party service providers, are to be kept and updated on a regular basis and whenever there are significant changes. The identified ICT assets and information assets shall also be subject to a risk classification.

Financial undertakings shall identify sources of risk on a continuous basis, and shall also take into account the risk in relation to other financial undertakings. A regular risk assessment shall also be conducted on legacy ICT systems.

Protection and prevention

ICT systems should be continuously monitored. The objective is to ensure the resilience, continuity and availability of ICT systems. High standards should also be guaranteed regarding the availability, authenticity, integrity and confidentiality of data.

Numerous measures are to be implemented to achieve this objective, such as physical or logical access restrictions, strong authentication mechanisms, segmenting of networks or rules about patches and updates.

Detection

The next step is the detection of anomalous activities. These relate to ICT networks, ICT-related incidents and vulnerabilities.

Detection mechanisms must enable multiple layers of control and define alert thresholds and criteria for initiating response processes.

Response and recovery

Response and recovery measures are taken accordingly once anomalous activities are detected. For this purpose an ICT business continuity policy is to be defined for ensuring the continuity of critical or important functions as well as for defining rapid and appropriate reactions to ICT-related incidents.

ICT business continuity plans and ICT response and recovery plans are implemented based on a business impact analysis. A crisis management function coordinates, among other things, the internal and external crisis communications in the event of the activation of these plans.

DORA also sets requirements regarding backups and recovery procedures and methods. For example, adequate and appropriate redundant ICT capacities are, as a rule, to be established to meet business needs.

Learning and evolving

Financial undertakings shall have adequate resources in place to gather and analyse information on vulnerabilities, cyber threats as well as technological developments. In particular, the causes of major ICT-related incidents must be identified to prevent similar incidents in the future.

Training measures must in any case be completed by all staff members and the management as well as where applicable by ICT third-party service providers.

Communications

As a minimum, major ICT-related incidents or vulnerabilities are to be disclosed in a responsible manner to customers and other financial undertakings and, depending on the circumstances, to the general public.

Further, and in some cases very specific, rules are defined in the Regulatory Technical Standards developed in relation to the ICT risk management framework.

Questions and Answers

Article 26(2) of Delegated Regulation (EU) 2024/1774, specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework, describes scenarios to be taken into account when preparing response and recovery plans. Examples include switchovers to redundant capacities, backups and redundant systems; widespread power outages; and the non-availability of a critical number of staff or of the staff members in charge of guaranteeing the continuity of operations.

It is firstly necessary to define which tasks of the CISO function are covered and whether they match those of the control function pursuant to Article 6(4) DORA. Reference is then made to the three lines of defence model stated in Article 6(4) DORA. This model must be observed in any case or designed in accordance with the principle of proportionality pursuant to Article 4 DORA.

The respective sector-specific provisions are required to be observed and considered in the case of outsourcings.

Precise institution-specific designs would be required to be assessed on a case-by-case basis.

DORA does not define rules for the CISO. It does, however, stipulate the establishment of an ICT risk control function. Under Art. 6 (4) DORA, financial entities are required to ensure an appropriate level of independence of this control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.

The ICT risk control function may also be performed by the CISO, provided that there is an appropriate level of independence pursuant to Article 6 (4) DORA.

The organisational structure may only be clarified on the basis of an individual appraisal, since an appropriate segregation is to be ensured in accordance with the rules as well as in applying the principle of proportionality.

Article 3 (5) of Delegated Regulation (EU) 2024/1773, the RTS on ICT third-party service providers, clarifies that responsibility for monitoring the relevant contractual arrangements is required to be clearly defined.

This rule does not explicitly rule out the establishment of a combined control function under Art. 6 (4) DORA, including within the CISO function. A case-by-case review is necessary in each instance, and it should be ensured that adequate resources are available.

Upon request, a report about the ICT risk management framework is to be submitted to the FMA in a timely manner. The structure and content of the report on the review of the ICT risk management framework are defined in Article 27 of Delegated Regulation (EU) 2024/1774 (RTS on Risk Management).

There is currently no planned regular submission.

Article 8(3) DORA stipulates that a risk assessment is required to be conducted upon each major change in the network and information system infrastructure.

The decision about whether a change is ‘major’ as a rule lies with the undertaking itself. A certain reference to the criticality classifications of the affected ICT assets or ICT supported business functions should in any case be expected in such an appraisal.

We consider that the expression “impact tolerance for ICT disruptions” (Article 6 (8) lit b DORA) relates to all ICT disruptions and also includes ICT-related incidents. Under DORA rules, in the future it will be necessary to estimate the costs of incidents (regardless of what kind of incident) and to check whether the estimated costs are in line with the risk appetite throughout the undertaking (as well as the obligation in the future to be aware of and to accept the residual risk). Furthermore, non-monetary impacts (e.g. with regard to the availability, confidentiality and integrity, and reputation) must be considered when investigating the impact tolerance.

This rule relates to the obligation to draw up internal policies for the acquisition, (proprietary) development and maintenance of IT systems. These policies may differ for proprietary development and acquisition, but are required to contain all the elements in relation to ICT risk management listed in Article 16 (2) of Delegated Regulation (EU) 2024/1774. In the case of purchased software that is “almost exclusively developed for the bank”, it should in any case be ensured that the development service provider observes a comparable standard.

The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.

Legal bases

Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.