Crisis communication plans
Purpose and Placement within the ICT Risk Management Framework
Crisis communication plans constitute a mandatory component of the ICT risk management framework under Article 6(1) DORA. They operationalise the communication strategy that must ensure:
- Responsible disclosure of serious ICT-related incidents or vulnerabilities
- Timely, accurate, and secure information flows during ICT disruptions
- Regulatory notification under Article 19 DORA
- Coordinated internal and external communication aligned with the ICT BCP and ICT response and recovery plans
Crisis communication is therefore a functional bridge linking incident detection (Article 10), response (Article 11), continuity (Article 12), and supervisory reporting (Article 19).
Scope and Applicability
Crisis communication plans must cover:
- Internal staff, including ICT, business continuity, incident response, crisis management, and senior management
- External stakeholders, including customers, counterparties, financial institutions, payment/clearing/settlement partners
- The public, where responsible disclosure obligations arise
- Competent authorities, under Article 19 incident reporting
- ICT third-party service providers, where their failures or dependencies affect critical or important functions
The plans apply across all ICT systems and services that could generate a serious ICT-related incident or materially affect the continuity of critical or important functions.
Mandatory Components of Crisis Communication Plans
Responsible Disclosure Requirements (Art. 14(1) DORA)
Crisis communication plans must enable:
- Responsible disclosure of serious ICT-related incidents or vulnerabilities
- Assessment of when disclosure becomes required
- Identification of affected customer segments and counterparties
- Templates and approval processes for customer and public statements
- Coordination with legal, compliance, data protection, and supervisory reporting functions
- Measures to avoid creating additional security risks or premature disclosures that hinder containment
Integration with ICT Response and Recovery (Art. 11(2)(e) DORA)
Plans must specify:
- How communication aligns with the activation of ICT response and recovery arrangements
- How updated situation reports reach all internal roles (technical teams, management, business lines)
- Communication channels available during disruptions (out-of-band communication)
- Escalation steps in line with the entity’s governance model
- How communication supports containment measures and recovery activities
Crisis Management Function (Art. 11(7) DORA)
For financial entities other than microenterprises, plans must be supported by a crisis management function responsible for:
- Coordinating internal and external crisis communication
- Authorising external disclosures
- Defining communication workflows during activation of ICT BCP or ICT response/recovery plans
- Ensuring communication coherence across ICT, business continuity, legal, compliance, and senior management
The crisis management function must be clearly defined in terms of structure, authority, and escalation mandates.
Communication Procedures
Crisis communication plans must contain:
Activation and Deactivation Criteria
Aligned with Article 24(1)(a)(iv) RTS RMF:
- Conditions under which crisis communication is triggered
- Thresholds linked to ICT incident classification (Article 10)
- Criteria for partial vs. full activation
- Deactivation steps once stability, recovery targets, or supervisory closure are reached
Communication Channels and Tools
Plans must define:
- Primary and backup channels (email, SMS, secure messaging, hotlines, intranet, crisis portals)
- Out-of-band communication in case of main channel compromise
- Sender authentication procedures
- Security measures to prevent leakage, misinformation or unauthorised access
Stakeholder-Specific Communication Procedures
Procedures must be tailored for:
- Internal staff (operational, crisis teams, management)
- Customers and business partners
- Financial infrastructures and interdependent institutions
- ICT third-party service providers (especially where dependencies matter)
- Competent authorities (Article 19 notifications, ongoing updates)
- The public (press releases, website updates, social media protocols)
Alignment with the ICT Business Continuity Policy (Article 24 RTS RMF)
Crisis communication plans must be fully aligned with the ICT BCP and must:
- Fit within the overall recovery time and recovery point objectives (RTO/RPO)
- Reflect the scenarios considered in Article 26(2) (cyber-attacks, loss of premises, ICT failures, third-party outages, natural disasters, political risks, insider attacks, pandemic events)
- Include procedures for communication during switchover to redundant capacity, backup activation, or secondary sites
- Complement the communication policy under Article 14(2) (staff communication differentiation)
- Ensure consistency between resilience plans, communication actions, and legal/supervisory reporting obligations
Testing of Crisis Communication Plans
Under Article 11(6)(b) DORA:
- Crisis communication plans must be tested at least annually
- Testing must include cyber-attack scenarios and switchover scenarios for entities other than microenterprises
- Tests must challenge:
  - clarity of roles
  - message accuracy under time pressure
  - functionality of primary and backup communication channels
  - communication flow under degraded ICT conditions
  - the coordination between crisis management, ICT, business, and supervisory reporting functions
Results must feed into regular reviews of the ICT BCP and ICT response/recovery plans.
Governance and Responsibilities
Management body obligations under Article 5(2):
- Approval and periodic review of crisis communication plans
- Oversight of implementation and adequacy
- Ensuring sufficient resources (skills, tools, budget)
- Ensuring alignment with the ICT risk management framework and overall business continuity policy
Clear assignment is required for:
- Crisis communication officers
- Crisis management function members
- Media/PR units
- Legal and compliance advisors
- ICT and security operations teams
- Supervisory reporting officers (Article 19)
Documentation and Audit Requirements
Financial entities must document:
- The crisis communication plan itself (policies, procedures, templates, roles, flows)
- All test plans, scenarios, and results
- Updates following tests, incidents, audits, or supervisory reviews
- Records of real crisis communication events
- Evidence that stakeholders were informed appropriately
- Compliance with mandatory reporting deadlines under Article 19
Internal audit must review:
- Adequacy of crisis communication arrangements
- Compliance with Articles 14, 11(2)(e), 11(6)(b), 11(7) DORA
- Integration with ICT BCP, response and recovery plans, and incident handling