ICT Risk-Management Framework
The ICT risk-management framework is the documented set of strategies, policies, procedures, and tools that DORA Article 6 requires every financial entity to maintain in order to identify, protect against, detect, respond to, and recover from ICT-related risk. The management body is accountable for it.
Detailed explanation
The framework is the foundation of DORA's first pillar and the backbone of an entity's whole compliance programme. Article 6 requires it to be sound, comprehensive, and well-documented, and to be reviewed at least annually as well as after major incidents or significant changes. In practice it must cover the identification and classification of ICT-supported business functions and assets, protective measures and controls, continuous monitoring to detect anomalous activity, ICT business-continuity and disaster-recovery plans that are tested regularly, and mechanisms to learn from incidents and evolve. Crucially, DORA makes this a governance obligation rather than a purely technical one: the management body must approve the framework, allocate sufficient budget, retain enough ICT knowledge to challenge it, and bear ultimate responsibility. Smaller and less complex entities may apply a simplified framework proportionate to their risk. Because almost every other DORA requirement, incident classification, resilience testing, third-party oversight, draws on the assets and critical functions defined here, a weak framework tends to surface as gaps everywhere else.
In context
This term relates to the ICT Risk Management pillar and is grounded in DORA Article 6.