Skip to main content
DORA Auditor

ICT Risk Management under DORA

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

DORA's ICT risk-management pillar (Article 6) requires every financial entity to maintain a sound, comprehensive, and well-documented framework to identify, protect against, detect, respond to, and recover from ICT-related risk, under the accountability of the management body.

What the framework must cover

  • Strategies, policies, procedures, and tools to protect information and ICT assets.
  • Identification and classification of ICT-supported business functions and assets.
  • Continuous monitoring and detection of anomalous activity.
  • ICT business-continuity and disaster-recovery plans, tested regularly.
  • Mechanisms to learn from incidents and evolve the framework.

Governance and accountability

The management body bears ultimate responsibility. It must approve the framework, allocate budget, and maintain sufficient ICT knowledge, resilience is a board-level obligation, not solely an IT function.

Frequently asked questions

Which DORA article covers ICT risk management?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex