Policies for patches and updates

Integration into the ICT Risk Management Framework (Article 9(4)(f) DORA)

  • The policies for patches and updates form part of the ICT risk management framework referred to in Article 6(1) DORA.
  • Financial entities must ensure that these policies are appropriate, comprehensive, and documented.

Purpose of the Policies (Article 9(4)(f) DORA)

  • The policies must ensure that patches and updates to ICT systems are managed in a manner that supports the overall protection and prevention obligations under Article 9 DORA, including:
    – maintaining the resilience, continuity, and availability of ICT systems;
    – ensuring high standards of availability, authenticity, integrity, and confidentiality of data.

Mandatory Requirement (Article 9(4)(f) DORA)

Comprehensive Documentation

Financial entities must maintain comprehensive documented policies governing patches and updates.

Appropriateness of Policies

The policies must be appropriate, meaning they must be suitable to the entity’s ICT environment, ICT risk profile, and the criticality and importance of the ICT systems they affect.

Article 9(4)(f) DORA