DORA RTS - ICT Risk Management Framework (2024/1774)

Regulation Number: Commission Delegated Regulation (EU) 2024/1774

Adoption Date: March 13, 2024

Publication Date: June 25, 2024 (Official Journal)

Application Date: January 17, 2025

Official Source: EUR-Lex (eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng)

📋 Executive Summary

Objective: This RTS establishes the regulatory technical standards specifying the ICT risk management tools, methods, processes and policies, as well as the simplified ICT risk management framework for small financial entities.

🎯 Scope of Application

Entities Covered

Banks and credit institutions
Insurance and reinsurance undertakings
Investment firms
Payment service providers
Electronic money institutions
Crypto-asset service providers
Credit rating agencies
Central securities depositories

🔐 Components of the ICT Risk Management Framework

1. Governance and Organization

Article 3 - Roles and Responsibilities:

The management body must approve the ICT risk strategy
Appointment of an ICT risk management function
Clear separation of responsibilities between the three lines of defense
At least annual review of the strategy by the management body

2. Identification and Classification of ICT Assets

Article 4 - Asset Inventory:

Maintain a complete and up-to-date inventory of all ICT assets
Classify assets according to their criticality to business functions
Identify interdependencies between ICT assets
Document legacy and obsolete systems

3. ICT Risk Assessment and Management

Article 5 - Assessment Methodology:

Conduct ICT risk assessments at least annually
Use recognized methodologies (ISO 27005, NIST, etc.)
Assess the likelihood and impact of threats
Prioritize risks according to their criticality
Document risk acceptance decisions

🛡️ Protection and Prevention Measures

4. Information Security (Article 6-12)

Domain	Key Requirements
Access Control	• Multi-factor authentication (MFA) • Principle of least privilege • Periodic review of access rights • Logging of privileged access
Cryptography	• Encryption of sensitive data at rest • Encryption of communications (TLS 1.2+) • Secure management of cryptographic keys • Use of approved algorithms
Vulnerability Management	• Regular vulnerability scanning • Patch management within required timeframes • Annual penetration testing minimum • Monitoring of emerging threats
Network Security	• Network segmentation • Firewalls and intrusion detection systems • Network traffic monitoring • DDoS protection

5. Physical and Environmental Security (Article 18)

Physical access control: Badges, biometrics, access logs
Environmental protection: Air conditioning, fire detection, flood protection
Power supply: Uninterruptible power supplies (UPS), backup generators
Datacenters: Geographic location, redundancy

🔄 Business Continuity and Recovery

6. ICT Continuity Policy (Article 24)

Mandatory components of the BCP/DRP policy:

Business Impact Analysis (BIA) for all critical functions
Recovery Time Objectives (RTO) defined per function
Recovery Point Objectives (RPO) for critical data
Recovery strategies for different scenarios (cyberattack, natural disaster, technical failure)
Backup sites and backup arrangements

7. Business Continuity and Disaster Recovery Plans (Article 39)

Documentation requirements:

Continuity plans for each critical function
Procedures for plan activation
Crisis organization charts with 24/7 contacts
Action checklists per scenario
Communication procedures (internal and external)

Mandatory testing:

Annual testing of continuity plans
Realistic and varied scenarios
Documentation of results and gaps
Improvement plans following testing

📊 Monitoring and Reporting

8. Continuous Monitoring (Article 20)

Monitoring Type	Frequency	Key Metrics
System availability	Real-time	Uptime, response time, latency
Security events	Real-time	Intrusion attempts, anomalies, SIEM alerts
Performance	Continuous	CPU, memory, storage, bandwidth
Control compliance	Quarterly	Compliance rate, exceptions, deviations

9. Reporting to the Management Body

Mandatory reports:

Quarterly: Dashboard of ICT key risk indicators (KRIs)
Annual: Comprehensive review of ICT risk posture
Ad-hoc: Major incidents and significant changes

Report content:

Status of identified ICT risks
Incidents occurred and their resolution
Results of tests and audits
Compliance with ICT policies
Major ICT investments and projects

🔍 Simplified Framework for Small Entities

Entities eligible for the simplified framework:

Microenterprises (less than 10 employees and turnover < 2M€)
Small non-interconnected investment firms

Authorized simplifications:

Streamlined documentation (combined policies accepted)
Less frequent testing (minimum every 2 years)
No strict separation of the three lines of defense
Simplified risk analysis
Exemption from TLPT (advanced penetration testing)

⚠️ Requirements maintained despite simplification:

Protection of sensitive data
Regular backups
Access controls
Reporting of major incidents
Basic continuity plan

✅ Compliance Checklist

Step	Required Actions	Priority
1. Governance	☐ Designate ICT risk management function ☐ Define roles and responsibilities ☐ Establish ICT risk strategy ☐ Obtain management body approval	HIGH
2. Inventory	☐ Inventory all ICT assets ☐ Classify by criticality ☐ Identify interdependencies ☐ Update inventory	HIGH
3. Risk Assessment	☐ Choose assessment methodology ☐ Conduct initial assessment ☐ Document identified risks ☐ Define treatment plans	HIGH
4. Security Controls	☐ Implement MFA ☐ Data encryption ☐ Network segmentation ☐ Security monitoring (SIEM)	MEDIUM
5. Continuity	☐ Perform BIA (Business Impact Analysis) ☐ Define RTO/RPO ☐ Write BCP/DRP plans ☐ Test the plans	HIGH
6. Documentation	☐ Comprehensive ICT policies ☐ Operational procedures ☐ Registers and logs ☐ Evidence of compliance	MEDIUM
7. Testing and Audits	☐ Vulnerability testing ☐ Penetration testing ☐ Internal audits ☐ Compliance review	MEDIUM
8. Reporting	☐ Establish KRIs/KPIs ☐ Monitoring dashboards ☐ Quarterly reports ☐ Annual review	NORMAL

💡 Practical Recommendations

For Large Institutions

Budget: Allocate 2-5% of IT budget for DORA compliance
Resources: Dedicated team with CISO, risk managers, compliance officers
Tools: Invest in GRC platform, SIEM, vulnerability management
Timeline: Compliance program over minimum 12-18 months

For Small Entities (Simplified Framework)

Focus: Prioritize essential controls (backups, antivirus, firewall)
Pooling: Join sectoral groups to share costs
Outsourcing: Outsource ICT management to DORA-compliant providers
Templates: Use pre-existing documentation templates

📚 Resources and References

Official Documents

Full text of the RTS: EUR-Lex (eur-lex.europa.eu/eli/reg_del/2024/1774)
DORA Regulation: Regulation (EU) 2022/2554
EBA Guidelines: eba.europa.eu/regulation-and-policy/digital-operational-resilience-act-dora

Reference Standards

ISO/IEC 27001:2022 - Information Security Management
ISO/IEC 27005:2022 - Information Security Risk Management
NIST Cybersecurity Framework
COBIT 2019 - IT Governance Framework

📊 RTS on ICT Risk Management Framework