DORA, the EU's Digital Operational Resilience Act, requires financial entities to maintain a sound, comprehensive, and well-documented ICT risk management framework. Articles 5 to 16 set it out, with Article 6 defining the framework itself. It has to let the entity identify and classify ICT risk, protect and prevent, detect anomalous activity, respond to and recover from incidents, and learn from them. The management body bears ultimate responsibility for it under Article 5.
DORA pulls digital operational resilience into one regulation for the EU financial sector, and the ICT risk management framework is its core. It is not a generic IT-risk policy; it is a defined set of functions a financial entity must have, owned at board level, and documented. This guide covers what Articles 5 to 16 require, the functions the framework must cover, and how to build it.
What DORA requires
Article 6 requires each financial entity to have a sound, comprehensive, and well-documented ICT risk management framework as part of its overall risk management. The framework must include the strategies, policies, procedures, and tools needed to protect information and ICT assets. Article 5 makes the management body responsible for it: defining, approving, and overseeing the framework, not delegating it away.
The functions the framework must cover
Articles 6 to 13 build out the framework across a lifecycle of functions.
| Function | What it requires |
|---|---|
| Identification | Identify and classify ICT-supported business functions, information assets, and ICT assets, and map their dependencies. |
| Protection and prevention | Put in place policies and controls to protect ICT systems against the identified risks. |
| Detection | Have mechanisms to detect anomalous activity and ICT-related incidents promptly. |
| Response and recovery | Maintain ICT business continuity and response-and-recovery plans to keep operating through disruption. |
| Learning and evolving | Gather information on vulnerabilities and incidents and feed lessons back into the framework. |
How to build it
Step 1: Assign management-body responsibility
Establish that the management body defines, approves, and oversees the framework, consistent with Article 5.
Step 2: Identify and classify ICT assets and dependencies
Map the business functions, information assets, and ICT assets, and the dependencies between them.
Step 3: Build protection and detection
Put in place the policies, controls, and monitoring needed to protect those assets and detect anomalous activity.
Step 4: Establish response, recovery, and continuity
Maintain ICT business-continuity and response-and-recovery plans, and test them.
Step 5: Review, learn, and report
Feed incident and vulnerability lessons back into the framework and review it regularly.
How it fits the rest of DORA
The ICT risk management framework is the first of DORA's pillars. The others (incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing) all rely on it. An entity that has not built the framework cannot satisfy the pillars that sit on top of it. For the full regulation, see the EU DORA compliance guide and the DORA glossary.
Primary sources
- Regulation (EU) 2022/2554 (DORA), Articles 5 to 16: The ICT risk management framework, with Article 6 setting out the framework itself.