{"id":155759,"date":"2024-08-26T08:56:16","date_gmt":"2024-08-26T06:56:16","guid":{"rendered":"https:\/\/www.fma.gv.at\/?page_id=155759"},"modified":"2025-01-15T11:09:43","modified_gmt":"2025-01-15T10:09:43","slug":"dora-ict-risk-management","status":"publish","type":"page","link":"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-risk-management\/","title":{"rendered":"DORA &#8211; ICT Risk Management"},"content":{"rendered":"<div class=\"wp-block-cover is-light\"><div class=\"wp-block-cover__inner-container is-layout-constrained wp-block-cover-is-layout-constrained\">\n<p class=\"has-text-align-center has-medium-font-size wp-block-paragraph\">ICT Risk Management<\/p>\n<\/div><\/div><p class=\"wp-block-paragraph\">This web page sets out the rules of the Digital Operational Resilience Act (DORA) on governance and organisation, followed by the 
requirements for the risk management framework for information and communication technology (ICT risk management framework), covering ICT systems, protocols and tools as well as the ICT risk management functions.<\/p><h2 class=\"wp-block-heading\">Governance and organisation<\/h2><p class=\"wp-block-paragraph\">DORA&rsquo;s provisions start by emphasising the responsibility of the management body, which must establish a governance framework that ensures ICT risks are managed effectively.<\/p><p class=\"wp-block-paragraph\">For example, appropriate resources are to be made available, a digital operational resilience strategy adopted, the corresponding risk tolerance thresholds determined, information channels established for the use of ICT third-party service providers and for major ICT-related incidents, an ICT business continuity policy and ICT response and recovery plans approved, and training measures planned for all staff members.<\/p><h2 class=\"wp-block-heading\">ICT risk management framework<\/h2><p class=\"wp-block-paragraph\">Strategies, policies, procedures, ICT protocols and tools to protect all information assets and ICT assets are to be defined in order to guarantee a high level of digital operational resilience.<\/p><p class=\"wp-block-paragraph\">Information about ICT risks and the ICT risk management framework is to be kept up to date on an ongoing basis, and an appropriate and independent ICT control function is to be established. In addition, the documentation of the review of the ICT risk management framework, which is to be carried out at least annually, is to be submitted to the Financial Market Authority (FMA) upon request.<\/p><p class=\"wp-block-paragraph\">Furthermore, standards are to be defined for the contents of the digital operational resilience strategy, for example on how the ICT risk management framework supports the business strategy or on the definition of information security objectives.
<\/p><h2 class=\"wp-block-heading\">ICT systems, protocols and tools<\/h2><h3 class=\"wp-block-heading\">Identification<\/h3><p class=\"wp-block-paragraph\">Inventories of ICT assets and information assets, as well as of ICT-based functions, roles and responsibilities and ICT third-party service providers, are to be kept and updated regularly and whenever there are significant changes. The identified ICT assets and information assets are also to be subject to a risk classification.<\/p><p class=\"wp-block-paragraph\">Financial undertakings shall identify sources of risk on a continuous basis and shall also take into account the risk arising in relation to other financial undertakings. A regular risk assessment shall also be conducted on legacy ICT systems.<\/p><h3 class=\"wp-block-heading\">Protection and prevention<\/h3><p class=\"wp-block-paragraph\">ICT systems are to be continuously monitored, with the objective of ensuring the resilience, continuity and availability of ICT systems. High standards are also to be guaranteed regarding the availability, authenticity, integrity and confidentiality of data.<\/p><p class=\"wp-block-paragraph\">Numerous measures are to be implemented to achieve this objective, such as physical or logical access restrictions, strong authentication mechanisms, network segmentation or rules on patches and updates.<\/p><h3 class=\"wp-block-heading\">Detection<\/h3><p class=\"wp-block-paragraph\">The next step is the detection of anomalous activities relating to ICT networks, ICT-related incidents and vulnerabilities.<\/p><p class=\"wp-block-paragraph\">Detection mechanisms are to enable multiple layers of control and define alert thresholds and criteria for initiating response processes.<\/p><h3 class=\"wp-block-heading\">Response and recovery<\/h3><p class=\"wp-block-paragraph\">Response and recovery measures are taken accordingly once anomalous activities are detected. 
For this purpose, an ICT business continuity policy is to be defined that ensures the continuity of critical or important functions and defines rapid and appropriate reactions to ICT-related incidents.<\/p><p class=\"wp-block-paragraph\">ICT business continuity plans and ICT response and recovery plans are implemented on the basis of a business impact analysis. A crisis management function coordinates, among other things, the internal and external crisis communications in the event that these plans are activated.<\/p><p class=\"wp-block-paragraph\">DORA also sets requirements for backups and for recovery procedures and methods. For example, adequate and appropriate redundant ICT capacities are, as a rule, to be put in place to meet business needs.<\/p><h3 class=\"wp-block-heading\">Learning and evolving<\/h3><p class=\"wp-block-paragraph\">Financial undertakings shall have adequate resources in place to gather and analyse information on vulnerabilities, cyber threats and technological developments. In particular, the causes of major ICT-related incidents must be identified in order to prevent similar incidents in the future.<\/p><p class=\"wp-block-paragraph\">Training measures must in any case be completed by all staff members and by the management, as well as, where applicable, by ICT third-party service providers.<\/p><h3 class=\"wp-block-heading\">Communications<\/h3><p class=\"wp-block-paragraph\">As a minimum, major ICT-related incidents or vulnerabilities are to be disclosed in a responsible manner to customers and other financial undertakings and, depending on the circumstances, to the general public. 
<\/p><p class=\"wp-block-paragraph\">Further, in some cases very specific, rules are defined in the Regulatory Technical Standards to be developed in relation to the ICT risk management framework.<\/p><h2 class=\"wp-block-heading\" id=\"dora-risiko\">Questions and Answers<\/h2><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302efa4\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302efa4\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302efa4\">        <span>What can be understood by a DORA emergency or crisis?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302efa4\" class=\"collapse\" aria-labelledby=\"heading-6a467d302efa4\">    <div class=\"card-body\"><p>Article 26(2) of Delegated Regulation (EU) 2024\/1774, specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework, describes scenarios to be taken into account when preparing response and recovery plans, for example switchovers to redundant capacities, backups and redundant systems, widespread power outages, or the non-availability of a critical number of staff or of the staff members in charge of guaranteeing the continuity of operations.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f070\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f070\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f070\">        <span>Is a third function (Article 6(10) DORA) necessary for auditing the ICT risk 
management where the CISO or internal audit functions are performed by external staff?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f070\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f070\">    <div class=\"card-body\"><p>It is firstly necessary to define which tasks the CISO function covers and whether they match those of the control function pursuant to Article 6(4) DORA. Reference is then made to the three lines of defence model stated in Article 6(4) DORA. This model must be observed in any case, or designed in accordance with the principle of proportionality pursuant to Article 4 DORA.<\/p>\n<p>The respective sector-specific provisions are required to be observed and considered in the case of outsourcings.<\/p>\n<p>Precise institution-specific designs would have to be assessed on a case-by-case basis.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f112\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f112\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f112\">        <span>How should the role of the Chief Information Security Officer (CISO) be structured in an organisation? Should the CISO report to the CIO or directly to the management board or the management?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f112\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f112\">    <div class=\"card-body\"><p>DORA does not define rules for the CISO. It does, however, stipulate the establishment of an ICT risk control function. Under Art. 
6 (4) DORA, financial entities are required to ensure an appropriate level of independence of this control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.<\/p>\n<p>The ICT risk control function may also be performed by the CISO, provided that there is an appropriate level of independence pursuant to Article&nbsp;6 (4) DORA.<\/p>\n<p>The organisational structure may only be clarified on the basis of an individual appraisal, since an appropriate segregation is to be ensured in accordance with the rules as well as in applying the principle of proportionality.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f1b1\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f1b1\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f1b1\">        <span>May the control function be performed by the same person within the ICT risk management function and the scope of the oversight function of ICT third-party service providers, without conflicts of interest arising? 
Is it possible for a CISO to perform both functions?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f1b1\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f1b1\">    <div class=\"card-body\"><p>Article 3(5) of Delegated Regulation (EU) 2024\/1773, the RTS on ICT third-party service providers, clarifies that responsibility for monitoring the relevant contractual arrangements is required to be clearly defined.<\/p>\n<p>This rule does not explicitly rule out the establishment of a combined control function under Art. 6 (4) DORA, including in the function of the CISO. A case-by-case review is in any case necessary, and it should be ensured that adequate resources are available.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f259\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f259\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f259\">        <span>How often or regularly is the annual report in accordance with Article 6 (5) DORA expected to be requested by the regulator, and how many days does the entity have to deliver the report?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f259\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f259\">    <div class=\"card-body\"><p>Where the FMA requests it, the report on the ICT risk management framework is to be submitted in a timely manner. 
The structure and content of the report on the review of the ICT risk management framework are defined in Article 27 of Delegated Regulation (EU) 2024\/1774 (RTS on Risk Management).<\/p>\n<p>A regular submission is currently not planned.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f2f3\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f2f3\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f2f3\">        <span>Is the undertaking itself allowed to classify whether a planned change in ICT functions or ICT assets is &lsquo;major&rsquo;?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f2f3\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f2f3\">    <div class=\"card-body\"><p>Article 8(3) DORA stipulates that a risk assessment is required to be conducted upon each major change in the network and information system infrastructure.<\/p>\n<p>As a rule, the decision about whether a change is &lsquo;major&rsquo; lies with the undertaking itself. 
Such an appraisal should in any case refer to the criticality classifications of the affected ICT assets or ICT-supported business functions.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f399\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f399\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f399\">        <span>How is &ldquo;impact tolerance&rdquo; defined, or does it serve as a delineation between an &ldquo;ICT disruption&rdquo; and an &ldquo;ICT-related incident&rdquo;?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f399\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f399\">    <div class=\"card-body\"><p>We consider that the expression &ldquo;impact tolerance for ICT disruptions&rdquo; (Article 6 (8) lit b DORA) relates to <strong>all<\/strong> ICT disruptions and therefore also includes ICT-related incidents. Under DORA, it will in future be necessary to estimate the costs of incidents (regardless of the kind of incident) and to check whether the estimated costs are in line with the undertaking-wide risk appetite (together with the future obligation to be aware of and to accept the residual risk). Furthermore, non-monetary impacts (e.g. 
with regard to availability, confidentiality and integrity, and to reputation) must be considered when assessing the impact tolerance.<\/p>    <\/div>  <\/div><\/div><div class=\"card\">  <div class=\"card-header\" id=\"heading-6a467d302f433\">    <h2 class=\"mb-0\">      <button class=\"btn btn-link btn-block text-left p-0 d-flex align-items-center justify-content-between\" type=\"button\" data-toggle=\"collapse\" data-target=\"#collapse-heading-6a467d302f433\" aria-expanded=\"false\" aria-controls=\"collapse-heading-6a467d302f433\">        <span>Must it also be possible to conduct static and dynamic tests for external ICT systems that are developed exclusively for the bank?<\/span>        <i class=\"fa-solid fa-chevron-down text-primary\" aria-hidden=\"true\"><\/i>      <\/button>    <\/h2>  <\/div>  <div id=\"collapse-heading-6a467d302f433\" class=\"collapse\" aria-labelledby=\"heading-6a467d302f433\">    <div class=\"card-body\"><p>This rule relates to the obligation to draw up internal policies for the acquisition, (proprietary) development and maintenance of IT systems. These policies may differ for proprietary development and for acquisition, but are required to contain all the elements relating to ICT risk management listed in Article&nbsp;16 (2) of Delegated Regulation (EU) 2024\/1774. In the case of purchased software that is &ldquo;almost exclusively developed for the bank&rdquo;, it should in any case be ensured that the development service provider observes a comparable standard.<\/p>    <\/div>  <\/div><\/div><p class=\"wp-block-paragraph\">The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. 
These &ldquo;Questions and Answers&rdquo; do not constitute the FMA&rsquo;s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&amp;As) of the three European Supervisory Authorities (EBA &ndash; European Banking Authority, ESMA &ndash; European Securities and Markets Authority, and EIOPA &ndash; European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.<\/p><h2 class=\"wp-block-heading\">Legal bases<\/h2><p class=\"wp-block-paragraph\">Information regarding the legal bases for DORA can be found on the FMA&rsquo;s <a href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/#dora-law\" target=\"_blank\" rel=\"noreferrer noopener\">&ldquo;DORA &ndash; Digital Operational Resilience in the Financial Sector&rdquo;<\/a> web page.<\/p><section class=\"page-teaser\"><div class=\"container\"><div class=\"row\"><div class=\"col-12 custom-height\"><h2>Further Information about DORA<\/h2><hr><\/div><\/div><div class=\"row\"><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" 
srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Landingpage-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/\">DORA &ndash; Digital operational resilience in the financial sector<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-IKT-bezogene-Vorfaelle-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-related-incidents\/\">DORA &ndash; ICT-related incidents<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" 
src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Testen-der-digitalen-operationalen-Resilienz-3-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-digital-operational-resilience-testing\/\">DORA &ndash; Digital operational resilience testing<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Management-des-IKT-Drittparteienrisikos-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" 
href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-managing-of-ict-third-party-risk\/\">DORA &ndash; Managing of ICT third-party risk<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2.jpg 1320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Ueberwachungsrahmen-kritischer-IKT-Drittdienstleister-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-oversight-framework-of-critical-ict-third-party-service-providers\/\">DORA &ndash; Oversight framework of critical ICT third-party service providers<\/a><\/h3><\/div><hr><\/div><\/div><div class=\"mb-4 col-lg-4\"><div class=\"inner\"><div class=\"content-text d-flex flex-column\"><div class=\"img-wrap\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"440\" src=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2.jpg\" class=\"attachment-full size-full wp-post-image\" alt=\"\" srcset=\"https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2.jpg 1320w, 
https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2-320x107.jpg 320w, https:\/\/www.fma.gv.at\/wp-content\/uploads\/2024\/07\/Header-DORA-Webseite-1320x440-DORA-Informationsaustausch-2-640x213.jpg 640w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\"><\/div><h3><a class=\"stretched-link\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-exchange-of-information-and-contingency-exercises\/\">DORA &ndash; Exchange of information and contingency exercises<\/a><\/h3><\/div><hr><\/div><\/div><\/div><\/div><\/section>\n","protected":false},"excerpt":{"rendered":"<p>This web page contains the rules in relation to governance and organisation of the Digital Operational Resilience Act (DORA), following &#8230;<\/p>\n","protected":false},"author":20,"featured_media":50901,"parent":52247,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"landing-page.php","meta":{"inline_featured_image":false,"footnotes":""},"class_list":["post-155759","page","type-page","status-publish","has-post-thumbnail","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>DORA - ICT Risk Management - FMA \u00d6sterreich<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-risk-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DORA - ICT Risk Management - FMA \u00d6sterreich\" \/>\n<meta property=\"og:description\" content=\"This web page contains the rules in relation to governance and organisation of the Digital Operational Resilience Act (DORA), following ...\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-ict-risk-management\/\" \/>"}