Communication policies for staff (in relation to the ICT risk management framework)
Integration into the ICT Risk Management Framework (Article 14(2) DORA)
- Communication policies for staff form part of the ICT risk management framework under Article 6(1) DORA.
- Financial entities must implement communication policies that address both internal staff and external stakeholders.
Purpose of the Communication Policies for Staff (Article 14(2) DORA)
- The policies must ensure that communication relating to ICT risks, incidents, resilience and recovery activities is structured, role-appropriate and aligned with the broader ICT risk management and incident-response framework.
Mandatory Content Requirement (Article 14(2) DORA)
Communication policies for staff must take into account the need to differentiate between:
(i) Staff Involved in ICT Risk Management
This includes, in particular:
- staff responsible for response, and
- staff responsible for recovery.
Communication to these groups must enable timely, accurate and operationally relevant information flows.
(ii) Staff That Needs to Be Informed
This includes staff who:
- are not directly involved in ICT risk management or incident response, but
- nevertheless require information for situational awareness or operational coordination.
The communication policy must specify how such staff members are informed in a controlled and appropriate manner.