Compliance · DORA

Digital operational resilience for the financial sector.

Regulation (EU) 2022/2554 (Digital Operational Resilience Act). Harmonized European framework for ICT resilience of financial entities and their critical technology service providers.

Abstract schema of the compliance assessment process

Context

Who it applies to

Credit institutions, investment firms, payment and electronic money institutions, trading venue operators, central securities depositories, central counterparties, insurance and reinsurance undertakings, insurance intermediaries, crypto-asset service providers, and other entities under Art. 2 of the regulation. Applicable from 17 January 2025. Critical ICT third-party providers are subject to a dedicated oversight regime.

What the assessment covers


ICT risk management

ICT risk management framework, policies, procedures, governance bodies, identification of critical functions.

Incident management and reporting

Classification, thresholds, notification to the authority within prescribed windows, periodic reporting.

Resilience testing

Digital operational resilience testing, threat-led penetration testing for significant entities, multi-year testing programme.

ICT third-party risk management

Supplier register, mandatory contractual clauses, exit strategy, concentration assessment.

Cyber threat intelligence

Information sharing on threats, participation in sectoral intelligence communities.

Governance and accountability

Role of the management body, training, accountability, oversight of ICT functions.

Same method

Same methodology, applied to the specific regulation.

The methodology common to all certifications — the open-source platform, the documents delivered, the 0–5 maturity model, the work phases — is described once on the main Compliance page.

Have a deadline to face on this regulation?

We start with a scoping exercise: classification of the organization, perimeter, responsible people, availability of existing evidence. The rest of the work is sized from there.

Request a scoping