DORA ICT Risk Management: A Practitioner's Guide

The short version

DORA, the EU's Digital Operational Resilience Act, requires financial entities to maintain a sound, comprehensive, and well-documented ICT risk management framework. Articles 5 to 16 set it out, with Article 6 defining the framework itself. It has to let the entity identify and classify ICT risk, protect and prevent, detect anomalous activity, respond and recover from incidents, and learn from them. The management body bears ultimate responsibility for it under Article 5.

DORA pulls digital operational resilience into one regulation for the EU financial sector, and the ICT risk management framework is its core. It is not a generic IT-risk policy; it is a defined set of functions a financial entity must have, owned at board level, and documented. This guide covers what Articles 5 to 16 require, the functions the framework must cover, and how to build it.

What DORA requires

Article 6 requires each financial entity to have a sound, comprehensive, and well-documented ICT risk management framework as part of its overall risk management. The framework must include the strategies, policies, procedures, and tools needed to protect information and ICT assets. Article 5 makes the management body responsible for it: defining, approving, and overseeing the framework, not delegating it away.

The functions the framework must cover

Articles 6 to 13 build out the framework across a lifecycle of functions.

Identification: Identify and classify ICT-supported business functions, information assets, and ICT assets, and map their dependencies.

Protection and prevention: Put in place policies and controls to protect ICT systems against the identified risks.

Detection: Have mechanisms to detect anomalous activity and ICT-related incidents promptly.

Response and recovery: Maintain ICT business continuity and response-and-recovery plans to keep operating through disruption.

Learning and evolving: Gather information on vulnerabilities and incidents and feed lessons back into the framework.

How to build it

Step 1: Assign management-body responsibility

Establish that the management body defines, approves, and oversees the framework, consistent with Article 5.

Step 2: Identify and classify ICT assets and dependencies

Map the business functions, information assets, and ICT assets, and the dependencies between them.

Step 3: Build protection and detection

Put in place the policies, controls, and monitoring needed to protect those assets and detect anomalous activity.

Step 4: Establish response, recovery, and continuity

Maintain ICT business-continuity and response-and-recovery plans, and test them.

Step 5: Review, learn, and report

Feed incident and vulnerability lessons back into the framework and review it regularly.

How it fits the rest of DORA

The ICT risk management framework is the first of DORA's pillars. The others (incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing) all rely on it. An entity that has not built the framework cannot satisfy the pillars that sit on top. For the full regulation, see the EU DORA compliance guide and the DORA glossary.

Common questions

What does DORA require for ICT risk management?

Article 6 of DORA requires each financial entity to have a sound, comprehensive, and well-documented ICT risk management framework, including the strategies, policies, procedures, and tools to protect ICT assets. Articles 5 to 16 detail it, covering identification, protection, detection, response and recovery, and learning.

Who is responsible for the ICT risk management framework under DORA?

Article 5 makes the management body responsible. It must define, approve, and oversee the framework, and it cannot delegate that responsibility away.

What functions must the DORA framework cover?

Identification and classification of ICT assets and dependencies, protection and prevention, detection of anomalous activity, response and recovery including business continuity, and learning from incidents and vulnerabilities to evolve the framework.

How does the ICT risk framework relate to the rest of DORA?

It is the first pillar. Incident reporting, resilience testing, ICT third-party risk management, and information sharing all build on it, so an entity that has not established the framework cannot satisfy the other pillars.

From the team behind this guide

An ICT risk framework that satisfies DORA

Compliance Command Center helps build and document the ICT risk management framework DORA is constructed around, across identification, protection, detection, recovery, and learning, owned at board level. Practitioners build it, with a human reviewing every deliverable.