ICT Risk Management under DORA
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
DORA's ICT risk-management pillar (Article 6) requires every financial entity to maintain a sound, comprehensive, and well-documented framework to identify, protect against, detect, respond to, and recover from ICT-related risk, under the accountability of the management body.
What the framework must cover
- Strategies, policies, procedures, and tools to protect information and ICT assets.
- Identification and classification of ICT-supported business functions and assets.
- Continuous monitoring and detection of anomalous activity.
- ICT business-continuity and disaster-recovery plans, tested regularly.
- Mechanisms to learn from incidents and evolve the framework.
Governance and accountability
The management body bears ultimate responsibility. It must approve the framework, allocate budget, and maintain sufficient ICT knowledge, resilience is a board-level obligation, not solely an IT function.
Frequently asked questions
Which DORA article covers ICT risk management?
Article 6, supported by Articles 5–16 of Chapter II.