Contents
- DOR-Strategy
- Governance & Responsibility (Article 5(2)(d) DORA)
- Purpose of the Strategy (Article 6(8) DORA)
- Mandatory Content Elements (Article 6(8)(a)–(h) DORA)
- Alignment with Business Strategy and Objectives
- ICT Risk Tolerance & Impact Tolerance
- Information Security Objectives
- ICT Reference Architecture
- Detection, Prevention & Protection Mechanisms
- Current Digital Operational Resilience Situation
- Digital Operational Resilience Testing
- Communication Strategy for ICT-Related Incidents
- Article 6(8) in conjunction with Article 5(2)(d) DORA
DOR-Strategy
Governance & Responsibility (Article 5(2)(d) DORA)
- The management body bears the overall responsibility for the definition, approval, oversight and implementation of the digital operational resilience strategy.
- The management body is specifically responsible for setting and approving the risk tolerance level for ICT risk, as required under Article 6(8)(b).
Purpose of the Strategy (Article 6(8) DORA)
The digital operational resilience strategy forms part of the ICT risk management framework and must explain how the framework shall be implemented.
Mandatory Content Elements (Article 6(8)(a)–(h) DORA)
Alignment with Business Strategy and Objectives
The strategy must explain how the ICT risk management framework supports the financial entity’s business strategy and objectives.
ICT Risk Tolerance & Impact Tolerance
The strategy must:
- establish the risk tolerance level for ICT risk, in line with the entity’s overall risk appetite;
- analyse the impact tolerance for ICT disruptions.
Information Security Objectives
The strategy must set out clear information security objectives, including:
- key performance indicators (KPIs);
- key risk metrics (KRIs).
ICT Reference Architecture
The strategy must explain the ICT reference architecture, including:
- any changes needed in order to achieve specific business objectives.
Detection, Prevention & Protection Mechanisms
The strategy must outline mechanisms put in place to:
- detect ICT-related incidents;
- prevent their impact;
- provide protection against them.
Current Digital Operational Resilience Situation
The strategy must evidence the current digital operational resilience situation, on the basis of:
- the number of major ICT-related incidents reported;
- the effectiveness of preventive measures.
Digital Operational Resilience Testing
The strategy must provide for the implementation of digital operational resilience testing, in accordance with Chapter IV DORA.
Communication Strategy for ICT-Related Incidents
The strategy must outline a communication strategy for ICT-related incidents whose disclosure is required under Article 14.