DORA simplified RMF

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience.

2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body:

(a) bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity’s business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context;

(b) sets clear roles and responsibilities for all ICT-related tasks;

(c) sets out information security objectives and ICT requirements;

(d) approves, oversees, and periodically reviews:

(i) the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies;

(ii) the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554;

(e) allocates and reviews at least once a year the budget necessary to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff;

(f) specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to;

(g) identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets;

(h) ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed;

(i) establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience.

3. The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements.

4. The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions.

5. The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities’ audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.

6. Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings.

Related tasks

Auditing of risk management framework

Critical

High

Normal

Low

Cyber security management

Creation and maintenance of governance and control framework

Critical

High

Normal

Low

Cyber security management

Requirement details

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format.

2. The report referred to in paragraph 1 shall contain all of the following information:

(a) an introductory section providing:

(i) a description of the context of the report in terms of the nature, scale, and complexity of the financial entity’s services, activities, and operations, the financial entity’s organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity’s dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency;

(ii) an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity;

(iii) information about the reported area;

(iv) a summary of the major changes in the ICT risk management framework since the previous report;

(v) a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report;

(b) where applicable, the date of the approval of the report by the management body of the financial entity;

(c) a description of the reasons for the review, including:

(i) where the review has been initiated following supervisory instructions, evidence of such instructions;

(ii) where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis;

(d) the start and end date of the review period;

(e) the person responsible for the review;

(f) a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof;

(g) remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied;

(h) overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments.

Related tasks

Review reporting of simplified ICT risk management framework

Critical

High

Normal

Low

Cyber security management

Requirement details

The ISMS component hierachy

Framework

Requirements

Tasks

Policies

Never duplicate effort. Do it once - improve compliance across frameworks.

Start your compliance journey

How it works?

Use cases

Resources

Contact us

DORA simplified RMF

The ISMS component hierachy

Framework

Requirements

Tasks

Policies

Never duplicate effort. Do it once - improve compliance across frameworks.

Stay up-to-date on cyber security

Subscribe for our free, weekly newsletter

* Your email won't be sold nor disclosed forward. Confirmation has more info. Learn more

Start your compliance journey

Pysy kärryillä digiturvasta

Tilaa Digiturvauutiset sähköpostiisi

* Osoitetta ei myydä tai luovuteta eteenpäin. Vahvistusviestissä lisätietoja. Lue lisää

How it works?

Use cases

Resources

Contact us