Contents
- Inventory of all (critical) information assets and ICT assets
- Integration into the ICT Risk Management Framework (Article 8(1) DORA)
- Comprehensive Identification of Information Assets and ICT Assets (Article 8(4) DORA)
- Mapping and Classification of Critical ICT and Information Assets (Article 8(4) DORA)
- Documentation Requirements (Article 8(1) and 8(4) DORA)
- Inventory Maintenance and Update Requirements (Article 8(6) DORA)
- Annual Review Requirement (Article 8(1) DORA)
- Article 8 (1), 4 and 6 DORA
Inventory of all (critical) information assets and ICT assets
Integration into the ICT Risk Management Framework (Article 8(1) DORA)
As part of the ICT risk management framework under Article 6(1) DORA, financial entities must:
- identify,
- classify, and
- adequately document
all information assets and ICT assets that support ICT-supported business functions.
This documentation must also include their roles and dependencies in relation to ICT risk.
This obligation applies to all financial entities.
Comprehensive Identification of Information Assets and ICT Assets (Article 8(4) DORA)
Financial entities must identify all information assets and ICT assets, including:
- assets located on remote sites,
- network resources, and
- hardware equipment.
This identification obligation is exhaustive and applies across the entire ICT landscape of the entity.
Mapping and Classification of Critical ICT and Information Assets (Article 8(4) DORA)
The entity must:
Map Assets Considered Critical
- Identify and map assets considered critical for operations, ICT security, resilience or continuity.
Map Configurations
- Document the configuration of each identified information asset and ICT asset.
Map Interdependencies
- Map the links and interdependencies between different ICT assets and information assets.
This mapping supports the assessment of ICT risk, ICT network dependencies, and potential single points of failure.
Documentation Requirements (Article 8(1) and 8(4) DORA)
The required inventory must document:
- the asset classification,
- the configuration of assets,
- asset ownership,
- dependencies between assets and processes, and
- the role of assets in relation to ICT risk.
This documentation must be adequate, complete, and aligned with other components of the ICT risk management framework.
Inventory Maintenance and Update Requirements (Article 8(6) DORA)
Financial entities must:
Maintain Relevant Inventories
Maintain inventories of information assets and ICT assets created under paragraphs 1 and 4.
Periodically Update Inventories
Update the inventories:
- periodically, and
- every time any major change occurs as referred to in Article 8(3) DORA (i.e., a major ICT change with a material impact on the risk environment).
This ensures that inventories remain current, accurate and risk-reflective.
Annual Review Requirement (Article 8(1) DORA)
The adequacy of the classification and all supporting documentation must be:
- reviewed at least once per year, and
- reviewed as needed whenever changes in the ICT environment or risk profile require it.
This review links directly to Article 6(5) DORA (annual ICT risk management framework review).