Inventory of all ICT-supported business functions, roles and responsibilities
Integration into the ICT Risk Management Framework (Article 8(1) DORA)
As part of the ICT risk management framework required under Article 6(1) DORA, financial entities must:
- identify,
- classify, and
- adequately document
all ICT-supported business functions, roles, responsibilities, information assets and ICT assets.
This obligation is foundational to the digital operational resilience architecture and applies to all financial entities (with no exemption for microenterprises).
Scope of the Required Inventory (Article 8(1) DORA)
The inventory must cover all of the following elements:
ICT-Supported Business Functions
- All business functions that depend on ICT assets must be identified, classified and documented.
Roles and Responsibilities
- All roles and responsibilities associated with ICT-supported business functions must be documented.
Information Assets and ICT Assets Supporting Those Functions
The inventory must include:
- all information assets, and
- all ICT assets,
supporting the respective business functions.
Dependencies Relevant to ICT Risk
- The inventory must document the roles and dependencies between the business functions, information assets and ICT assets in relation to ICT risk.
Review Obligation (Article 8(1) DORA)
Financial entities must review the adequacy of the classification and documentation:
- as needed, and
- at least once per year.
The review must ensure that all ICT-supported functions, assets, roles and responsibilities remain accurate and reflect changes in the operational or ICT risk environment.
Contextual Requirements from Article 6 DORA
The inventory under Article 8(1) is a core component of the broader ICT risk management framework established under Article 6(1)–(10) DORA. Specifically:
Documentation and Review (Article 6(5))
The entire ICT risk management framework — including the Article 8(1) inventory — must be:
- documented,
- reviewed at least annually, and
- updated following major ICT-related incidents, supervisory instructions or digital operational resilience testing conclusions.
Independence and Governance (Article 6(4))
The inventory supports the separation of roles across:
- ICT risk management,
- control functions, and
- internal audit.
Auditability (Article 6(6)–(7))
The inventory forms part of the documentation subject to:
- regular ICT internal audits (Article 6(6)), and
- formal follow-up processes for critical audit findings (Article 6(7)).
Support for Digital Operational Resilience Strategy (Article 6(8))
The inventory provides the basis for:
- impact tolerance (Article 6(8)(b)),
- ICT reference architecture analysis (Article 6(8)(d)),
- incident-detection mechanisms (Article 6(8)(e)),
- evidence on digital operational resilience (Article 6(8)(f)).