Skip to main content
DORA Auditor

ICT Risk-Management Framework

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

The ICT risk-management framework is the documented set of strategies, policies, procedures, and tools that DORA Article 6 requires every financial entity to maintain in order to identify, protect against, detect, respond to, and recover from ICT-related risk. The management body is accountable for it.

Detailed explanation

The framework is the foundation of DORA's first pillar and the backbone of an entity's whole compliance programme. Article 6 requires it to be sound, comprehensive, and well-documented, and to be reviewed at least annually as well as after major incidents or significant changes. In practice it must cover the identification and classification of ICT-supported business functions and assets, protective measures and controls, continuous monitoring to detect anomalous activity, ICT business-continuity and disaster-recovery plans that are tested regularly, and mechanisms to learn from incidents and evolve. Crucially, DORA makes this a governance obligation rather than a purely technical one: the management body must approve the framework, allocate sufficient budget, retain enough ICT knowledge to challenge it, and bear ultimate responsibility. Smaller and less complex entities may apply a simplified framework proportionate to their risk. Because almost every other DORA requirement, incident classification, resilience testing, third-party oversight, draws on the assets and critical functions defined here, a weak framework tends to surface as gaps everywhere else.

In context

This term relates to the ICT Risk Management pillar and is grounded in DORA Article 6.

Related terms

Sources

  1. DORA Article 6, EUR-Lex