ICT Risk Management (DORA)

ICT risk management is the core obligation under DORA. Financial entities must establish and maintain a robust management framework for information and communication technology risks (ICT risks) with clear roles, responsibilities and processes from identification to response and recovery.


What is ICT risk management under DORA?

ICT risk management covers the processes and controls needed to identify, assess and manage risks related to information and communication systems. Under DORA, this is not optional – financial entities are legally required to have a robust and well-documented ICT risk management framework.

DORA Chapter II (Articles 5–16) sets out the detailed requirements for ICT risk management for financial entities.

DORA's requirements for ICT risk management

DORA requires financial entities to establish:

• ICT risk management framework: A documented framework comprising strategies, policies, procedures and protocols for ICT risks.
• Identification: Ongoing mapping and classification of ICT assets and dependencies.
• Protection and prevention: Implementation of controls that limit the consequences of ICT risks.
• Detection: Mechanisms to detect anomalous activities and ICT incidents.
• Response and recovery: ICT continuity plans and incident response procedures.
• Learning and development: Post-incident analysis and continuous improvement.
• Communication: Procedures for internal and external communication regarding ICT incidents.

Simplified requirements for micro-enterprises:
DORA contains specific, simplified ICT risk management requirements for financial micro-enterprises (fewer than 10 employees and less than EUR 2 million in turnover). The fundamental requirements, however, remain the same.

The role of senior management

Under DORA, the management body (board and executive management) bears direct responsibility for ICT risk management. Senior management must:

• Define and approve the ICT risk management strategy.
• Set the overall risk tolerance for ICT risks.
• Approve ICT audit plans and follow-up actions.
• Continuously monitor and evaluate the effectiveness of the ICT risk management framework.
• Allocate adequate resources for ICT security.

Frequently Asked Questions about ICT Risk Management (DORA)

What is the difference between ICT risk management under DORA and NIS2?

DORA and NIS2 share many risk management principles, but DORA is specifically tailored to the financial sector's complexity and requirements. DORA is more detailed and specifies precise requirements for ICT continuity plans, testing (TLPT) and third-party management. For financial entities subject to both frameworks, DORA's requirements generally apply as lex specialis.

Does DORA require a separate ICT risk function?

DORA requires financial entities to assign ICT risk management responsibility to a relevant control function and ensure sufficient independence from business services. For large and systemically important institutions, this may mean a dedicated ICT risk function.

What must the ICT risk management framework contain?

The framework must include strategies, policies, procedures and protocols covering all aspects of ICT risk, including asset identification, protection measures, detection mechanisms, incident response, recovery procedures and ongoing improvement processes.

How does DORA handle proportionality in ICT risk management?

DORA applies a proportionality principle, meaning that requirements are scaled according to the entity's size, risk profile and the nature, scale and complexity of its services. Micro-enterprises benefit from simplified requirements, though the fundamental obligations remain.

Must ICT risk management be reviewed regularly?

Yes. DORA requires financial entities to review and update their ICT risk management framework at least annually and following significant ICT incidents or changes. The management body must be informed of review outcomes and any necessary improvements.
