Skip to content

ICT Risk Management

Status: Work in progress

ICT Risk Management Framework (Art. 5-16)

DORA requires a comprehensive ICT risk management framework approved by the organisation’s management.

Governance requirements

Requirement	Description	Article
Board accountability	Management bears ultimate responsibility for ICT risk management	Art. 5
ICT strategy	Documented Digital Operational Resilience Strategy	Art. 6
Risk tolerance	Defined and approved by the board	Art. 6
Annual review	At least annual review	Art. 6

Framework components

ICT Asset Management (Art. 8)

Inventory requirements

Complete inventory of ICT assets
Classification by criticality
Dependency mapping
Regular updates

Asset categories

Category	Examples
Hardware	Servers, network devices, endpoints
Software	Applications, OS, middleware
Data	Databases, storage, backups
Services	Cloud services, SaaS, outsourcing

Security measures (Art. 9)

Technical measures

Encryption of data at rest and in transit
Network segmentation
Multi-factor authentication
Patch management
Vulnerability management

Organisational measures

Security awareness training
Incident response procedures
Change management
Access control policies

Business Continuity (Art. 11-12)

Requirements

Area	Requirement
BCP	Documented Business Continuity Plan
DRP	Disaster Recovery Plan for critical systems
RTO/RPO	Defined and tested
Testing	At least annual BCP/DRP tests

ICT Business Impact Analysis

For each critical process:

Identify dependent ICT systems
Determine RTO/RPO
Identify single points of failure
Define recovery priorities

Next steps

Sources