Article 7 Digital Operational Resilience Act (DORA), Identification

Sep 7, 2024

Article 7 of the Digital Operational Resilience Act (DORA) underscores the importance of identifying key ICT systems and services within financial entities. This article sets out the criteria and processes for pinpointing critical ICT systems essential to maintaining the continuity and security of financial operations. By clearly defining these critical systems, DORA empowers financial entities to prioritize resilience measures, effectively manage risks, and ensure consistent service delivery. This overview provides insight into how financial entities categorize and protect their ICT assets to meet regulatory standards and minimize operational disruptions.


Identification and Documentation of ICT-Related Business Functions

Financial entities are required to identify, classify, and thoroughly document all ICT-related business functions within the ICT risk management framework referred to in Article 5(1). This documentation covers the information assets that support those functions and the configurations and interconnections of the ICT systems involved, both internal and external. The documentation must be reviewed regularly, and the adequacy of the information asset classification must be assessed at least annually.

Continuous Identification of ICT Risks and Cyber Threats

Financial entities must continuously identify all sources of ICT risk, with particular focus on risk exposure to and from other financial entities. They must assess the cyber threats and ICT vulnerabilities relevant to their ICT-related business functions and information assets on an ongoing basis. The resulting risk scenarios must be reviewed regularly, and at least annually, so that the assessment stays ahead of emerging threats.

Risk Assessment For Changes in ICT Infrastructure

Whenever a major change is made to a financial entity's network and information system infrastructure, processes, or procedures, a risk assessment must be performed. This requirement applies to all financial entities other than microenterprises, and its purpose is to identify the potential impact of the change on business functions, supporting processes, and information assets.

Mapping of Critical ICT Systems and Interdependencies

Financial entities must identify all information assets and ICT assets, including those at remote sites, network resources, and hardware equipment, and map those considered critical. They must also document the configuration of these assets and the links and interdependencies between the different ICT components, so that the consequences of a failure or compromise of one component can be traced to the functions that depend on it.


Documentation of Processes Dependent on ICT Third-Party Service Providers

Entities must identify and document all processes reliant on ICT third-party service providers, including interconnections with these providers within the ICT environment.

Maintenance and Updating of Inventories

For the purposes of paragraphs 1, 4, and 5, financial entities must maintain inventories of ICT systems, information assets, critical equipment, interdependencies, and processes dependent on third-party service providers, and update them periodically and whenever a major change occurs.
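The mapping and inventory requirements above (paragraphs 4 to 6) are easiest to satisfy when the inventory is a queryable dependency graph rather than a spreadsheet. The following is an added example, not code from the page or from any regulator: a minimal inventory model in which business functions, systems, hardware, and third-party providers are nodes with documented dependencies. From it the code derives the critical closure (everything a critical function ultimately relies on), each function's exposure to ICT third-party providers, dependency names that were referenced but never inventoried (a documentation gap), and entries whose review is overdue under an annual cycle. All asset names, dates, and the data model are constructed for illustration.

```python
"""Added example: ICT asset inventory with interdependency mapping.

The data model, asset names and review dates below are hypothetical and
constructed for illustration; they are not taken from the regulation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str                      # "function", "system", "hardware" or "provider"
    critical: bool = False         # set on business functions; propagated via dependencies
    depends_on: list[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None


# Constructed sample inventory (hypothetical names). "etl-runner" is referenced
# by data-warehouse but never inventoried, which is the kind of gap to surface.
SAMPLE_INVENTORY: dict[str, Asset] = {a.name: a for a in [
    Asset("payments", "function", critical=True,
          depends_on=["core-banking", "payment-gateway"], last_reviewed=date(2024, 3, 1)),
    Asset("reporting", "function",
          depends_on=["data-warehouse"], last_reviewed=date(2024, 3, 1)),
    Asset("core-banking", "system",
          depends_on=["db-cluster", "hsm-01", "mainframe-batch"], last_reviewed=date(2024, 3, 1)),
    Asset("payment-gateway", "system", depends_on=["acme-cloud"], last_reviewed=date(2024, 3, 1)),
    Asset("db-cluster", "system", depends_on=["acme-cloud"], last_reviewed=date(2024, 3, 1)),
    Asset("mainframe-batch", "system", depends_on=["hsm-01"], last_reviewed=date(2022, 6, 1)),
    Asset("hsm-01", "hardware"),   # never reviewed
    Asset("data-warehouse", "system",
          depends_on=["analytics-saas", "etl-runner"], last_reviewed=date(2024, 3, 1)),
    Asset("acme-cloud", "provider", last_reviewed=date(2024, 3, 1)),
    Asset("analytics-saas", "provider", last_reviewed=date(2024, 3, 1)),
]}


def transitive_dependencies(inventory: dict[str, Asset], name: str) -> set[str]:
    """Every asset `name` depends on, directly or indirectly (cycle-safe DFS).
    Names that are referenced but not inventoried are kept so gaps stay visible."""
    seen: set[str] = set()
    stack = list(inventory[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        if dep in inventory:
            stack.extend(inventory[dep].depends_on)
    return seen


def undocumented_dependencies(inventory: dict[str, Asset]) -> set[str]:
    """Dependency names that appear in some depends_on list but have no inventory entry."""
    return {dep for a in inventory.values() for dep in a.depends_on if dep not in inventory}


def critical_closure(inventory: dict[str, Asset]) -> set[str]:
    """Critical functions plus everything they transitively rely on: the set to map and protect."""
    closure: set[str] = set()
    for a in inventory.values():
        if a.critical:
            closure.add(a.name)
            closure |= transitive_dependencies(inventory, a.name)
    return closure


def third_party_exposure(inventory: dict[str, Asset]) -> dict[str, set[str]]:
    """For each business function, the ICT third-party providers it ultimately depends on."""
    exposure: dict[str, set[str]] = {}
    for a in inventory.values():
        if a.kind == "function":
            deps = transitive_dependencies(inventory, a.name)
            exposure[a.name] = {d for d in deps if d in inventory and inventory[d].kind == "provider"}
    return exposure


def overdue_reviews(inventory: dict[str, Asset], today: date,
                    max_age: timedelta = timedelta(days=365)) -> set[str]:
    """Entries never reviewed, or last reviewed more than `max_age` ago (annual cycle)."""
    return {a.name for a in inventory.values()
            if a.last_reviewed is None or today - a.last_reviewed > max_age}


if __name__ == "__main__":
    today = date(2024, 9, 7)
    print("critical closure:", sorted(critical_closure(SAMPLE_INVENTORY)))
    print("third-party exposure:", third_party_exposure(SAMPLE_INVENTORY))
    print("undocumented dependencies:", undocumented_dependencies(SAMPLE_INVENTORY))
    print("overdue reviews:", sorted(overdue_reviews(SAMPLE_INVENTORY, today)))
```

Two design points are worth noting. Criticality is not stored on systems or hardware; it is derived from the functions that depend on them, so a newly added dependency of a critical function is automatically pulled into the critical closure instead of relying on someone remembering to flag it. And the dependency walk deliberately keeps names that have no inventory entry, because a dependency that is referenced but not documented is exactly the gap the inventory requirement is meant to close.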

Specific ICT Risk Assessment For Legacy Systems

Financial entities other than microenterprises must perform a specific ICT risk assessment on all legacy ICT systems regularly, and at least annually, and in any case before and after connecting technologies, applications, or systems, since it is at those integration points that undocumented interfaces and unsupported components most often introduce new risk.

Taken together, these provisions require financial entities to take a proactive approach to ICT risk: an entity cannot protect, detect, or recover what it has not identified. Accurate, regularly reviewed inventories of functions, assets, interdependencies, and third-party dependencies are the foundation on which the resilience measures in the rest of the regulation are built.
