DORA RTS: what are the upcoming requirements regarding the digital operational resilience of financial entities? 

What are the specific requirements regarding ICT risk management?

DORA requires financial entities to have a sound, comprehensive and well-documented ICT risk management framework, which should ensure a high level of digital operational resilience by enabling entities to address ICT risks quickly and efficiently. The ICT risk management framework, which must include several strategies, policies, procedures and tools, must be reviewed at least once a year,⁶ upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. 

The ESAs’ final report on the RTS on ICT risk management tools sets out the general and simplified frameworks⁷ that financial entities must implement in terms of ICT risk management. According to the RTS, financial entities must, inter alia:

• Have in place an internal governance and control framework with clear responsibilities to enable an effective and sound ICT risk management framework 
• Ensure that roles and responsibilities relating to ICT security are correctly allocated and maintained
• Identify and remedy vulnerabilities, and ensure that both the financial entities and their ICT third-party service providers adhere to a coherent, transparent, and responsible vulnerability management framework
• Set out the consequences of non-compliance with ICT security policies or procedures
• Develop and implement several ICT-related policies 
• Establish an ICT incident management process, in order to be able to detect, manage and report ICT incidents

As part of the ICT security policies and procedures, financial entities are required to develop, document and implement, inter alia:

The RTS also establishes that financial entities must develop and implement access control and identity management policies, which, respectively, cover the authentication methods and physical access control and ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information.

In terms of safeguards against intrusions and data misuse, the RTS determines that financial entities must develop, document and implement procedures, protocols and tools regarding:

• Logging: Including the identification of the events to be logged, the retention period of the logs and the measures to secure and handle the log data
• Network security management: Including the segregation and segmentation of ICT systems and networks, the identification and implementation of network access controls to prevent and detect connections to the financial entity’s network by any unauthorized device or system, or any endpoint not meeting the financial entity’s security requirements; the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks and wireless networks, for communication protocols used, the procedures to limit, lock and terminate system and remote sessions after a predefined period of inactivity
• Securing information in transit: Such as ensuring the availability, authenticity, integrity and confidentiality of data during network transmission, the prevention and detection of data leakage and the secure transfer of information between the financial entity and external parties
• ICT project management: Including a policy which must define the elements to ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity’s ICT systems
• ICT systems acquisition, development, and maintenance: Including identifying security practices and methodologies relating to the acquisition, development and maintenance of ICT systems, defining measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development, maintenance and deployment in the production environment, developing, documenting and implementing an ICT systems’ acquisition, development and maintenance procedure
• ICT change management: Including procedures containing, inter alia, the mechanisms to ensure independence between the functions that approve changes and those responsible for requesting and implementing them, identification of fallback procedures and responsibilities, identification of the potential impact of a change on existing ICT security measures and assessment of whether it requires the adoption of additional ICT security measures
• Physical and environmental security: The policy must include, inter alia, measures to protect the premises, data centers and ICT assets

Business continuity and recovery

Financial entities must have in place an ICT business continuity policy and ICT response and recovery plans. The ICT business continuity policy must contain, inter alia, provisions on governance and organization and a description of the criteria to (de)activate ICT business continuity plans. These plans must be tested taking into account the entity’s business impact analysis and the ICT risk assessment. Through these tests, entities must assess whether they are able to ensure the continuity of the critical or important functions. 

In turn, the ICT response and recovery plans must:

• Identify and develop relevant scenarios (including those of severe business disruptions and increased likelihood of occurrence of disruption) based on current information on threats and on lessons learned from previous occurrences of business disruptions
• Specify the conditions prompting the (de)activation of the ICT response and recovery plans
• Describe what actions must be taken to ensure the availability, integrity, continuity and recovery of at least the entity’s ICT systems and services supporting critical or important functions

Measures to mitigate failures of ICT third-party service providers of ICT services supporting critical or important functions to the financial entity must also be implemented. In this sense, in addition to the other policies, financial entities must adopt a written policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. The policy must take into account, inter alia, the type of ICT services included in the contractual arrangement, the location of the ICT third-party service provider, the nature of data shared with the ICT third-party service providers, whether the ICT third-party service providers are part of the same group of the financial entity, and the potential impact of disruptions on the continuity and availability of the financial entity’s activities.

ICT-related incidents management policy

Financial entities must set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities. The detection and response process must be triggered in the following cases:

What triggers ICT-related incident detection and response processes?

Entities must also have in place an ICT-related incident policy which:

• Documents the ICT-related incident management process
• Establishes a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations’ security
• Establishes, implements and operates technical, organizational and operational mechanisms to support the ICT-related incident management process
• Retains all evidence relating to ICT-related incidents for a period no longer than necessary for the purposes for which the data is collected, commensurate with the criticality of the affected business functions
• Establishes and implements mechanisms to analyze significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents

Whenever an ICT-related incident is identified, it must be classified considering the below criteria:

• The number of clients/counterparts/transactions affected
• The reputational impact⁸
• The duration of an incident (including from the moment the incident occurs until it is solved and the service downtime)
• The locations affected
• Data losses
• Whether critical services were affected
• Direct and indirect costs and losses

The RTS determines that incidents considered as major:

• Must have had any impact on critical services and either: 

a) Are any successful, malicious and unauthorized access to network and information systems, which may result to data losses or 

b) Meet two or more materiality thresholds specified below: