Contents
- ICT response and recovery plans
- Regulatory Purpose and Position in the ICT Risk Management Framework
- Components of ICT Response and Recovery Plans (Article 26(1) RTS RMF)
- Required Scenarios in ICT Response and Recovery Plans (Article 26(2) RTS RMF)
- Alternative Recovery Options (Article 26(3) RTS RMF)
- Continuity Measures for ICT Third-Party Failures (Article 26(4) RTS RMF)
- Governance and Management Body Responsibilities
- Internal Audit Requirements (Article 11(3) DORA)
- Alignment with the ICT Business Continuity Policy (Article 24 RTS RMF)
- Article 11 (3) DORA
- Article 5 (2)(e) DORA
- Articles 24 and 26 RTS RMF
ICT response and recovery plans
Regulatory Purpose and Position in the ICT Risk Management Framework
Under Article 11(3) DORA, all financial entities must implement ICT response and recovery plans as an integral part of the ICT risk management framework (Article 6(1)).
These plans operationalise the restoration and recovery capabilities that ensure:
- availability,
- integrity,
- continuity,
- and recoverability
of ICT systems supporting all functions, with mandatory coverage of critical and important functions.
For non-microenterprises, the plans are also subject to independent internal audit reviews (Article 11(3), second limb), aligning with the audit obligations under Article 6(6) and (7) DORA.
The management body must approve, oversee and periodically review these plans (Article 5(2)(e) DORA).
Components of ICT Response and Recovery Plans (Article 26(1) RTS RMF)
Financial entities must develop, document and implement ICT response and recovery plans that take into account the Business Impact Analysis (BIA) results (Article 26(1) chapeau).
The plans must contain:
Activation and Deactivation Conditions
- clear criteria for activation and deactivation,
- exceptions to activation/deactivation,
- explicit linkages to crisis escalation pathways defined in the ICT business continuity policy (Article 24(1)(a)(iv)).
Actions for System Availability and Recovery
A complete specification of actions required to ensure:
- availability,
- integrity,
- continuity,
- recovery
of ICT systems and services supporting critical and important functions.
This includes operational steps, dependencies, and required resources.
Recovery Objectives
Plans must be designed to meet:
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
as defined in the ICT business continuity policy (Article 24(1)(b)(ii)(2)).
Documentation and Accessibility
Plans must be:
- fully documented,
- made available to all staff with defined roles, and
- readily accessible in emergencies (Article 26(1)(d)).
Roles and responsibilities must be explicitly specified.
Short-Term and Long-Term Recovery Options
Plans must provide:
- short-term recovery measures,
- long-term recovery solutions,
- support for partial system recovery where full failover is not feasible (Article 26(1)(e)).
Objectives and Success Criteria
Plans must articulate:
- the objectives of the ICT response and recovery actions,
- conditions under which execution is considered successful (Article 26(1)(f)).
Required Scenarios in ICT Response and Recovery Plans (Article 26(2) RTS RMF)
Plans must include relevant and up-to-date scenarios, based on threat intelligence, prior disruptions and lessons learned.
Financial entities must consider scenarios including:
- Cyber-attacks
- Switchovers between primary infrastructure and:
  - redundant capacity,
  - backups,
  - redundant facilities.
- Degraded or failed critical functions, including deterioration in outsourced services.
- Partial or total failure of business or data centre premises.
- Major ICT asset or communications infrastructure failure.
- Non-availability of critical staff.
- Climate change, environmental events, natural disasters, pandemics, physical attacks.
- Insider attacks.
- Political or social instability, especially in third-country jurisdictions where data is processed/stored.
- Widespread power outages.
These scenarios also align with required BCP testing scenarios (Article 25(2)).
Alternative Recovery Options (Article 26(3) RTS RMF)
Where primary recovery measures are:
- not feasible in the short term,
- blocked by cost, risk, logistics,
- or unable to be deployed due to unforeseen conditions,
the plans must include alternative recovery paths.
This ensures continuity of critical or important functions even under severe constraints.
Continuity Measures for ICT Third-Party Failures (Article 26(4) RTS RMF)
As part of the ICT response and recovery plans, financial entities must:
- identify ICT third-party providers supporting critical or important functions,
- assess single points of failure or concentration risks (link to Article 28(2) DORA),
- implement continuity measures to mitigate failures of these providers.
This includes:
- backup providers,
- alternative delivery channels,
- emergency contractual arrangements,
- manual fallback processes where technologically possible.
These requirements must also be aligned with:
- the policy on the use of ICT services supporting critical or important functions (RTS TPPol),
- the register of ICT third-party dependencies (Article 28(3) DORA),
- the ex-ante risk assessment and due diligence obligations (RTS TPPol Articles 5 and 6).
Governance and Management Body Responsibilities
Under Article 5(2)(e) DORA, the management body must:
- define and approve the ICT response and recovery plans,
- oversee their implementation,
- periodically review them,
- ensure integration into the overall business continuity framework, and
- guarantee sufficient resources, staff and capabilities.
Plans may be adopted as a dedicated specific policy forming part of the entity’s broader BCM strategy.
Internal Audit Requirements (Article 11(3) DORA)
For all non-microenterprises:
- ICT response and recovery plans must be subject to independent internal audit reviews,
- audit frequency must reflect ICT risk (Article 6(6) DORA),
- critical findings must be incorporated into the formal follow-up and remediation process under Article 6(7) DORA.
This creates mandatory evidence trails for:
- supervisory review,
- Article 27 RTS RMF annual ICT risk management review,
- and independent assurance cycles.
Alignment with the ICT Business Continuity Policy (Article 24 RTS RMF)
ICT response and recovery plans are a mandatory sub-component of the ICT business continuity policy.
They must align with:
- governance structures,
- failure scenarios,
- recovery objectives,
- escalation and communication protocols,
- testing requirements,
- annual review and evaluation obligations.
They must support the enterprise-wide BCM arrangements, ensuring no conflict between ICT-driven and business-driven continuity actions.