Policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests
Applicability (Article 24(5) DORA)
- This requirement applies to financial entities other than microenterprises.
- It forms part of the digital operational resilience testing regime under Chapter IV of DORA.
Mandatory Policies and Procedures (Article 24(5) DORA)
Financial entities must establish:
Procedures and Policies to Prioritise Issues
- Arrangements that define how issues identified during digital operational resilience testing are prioritised.
Procedures and Policies to Classify Issues
- Arrangements that classify identified weaknesses, deficiencies or gaps based on factors such as:
  – severity,
  – impact,
  – likelihood of exploitation,
  – criticality of affected ICT assets,
  – relevance to critical or important functions.
Procedures and Policies to Remedy Issues
- Processes to ensure that all identified issues are remedied in a timely, controlled and documented manner.
Internal Validation Methodologies (Article 24(5) DORA)
Financial entities must establish internal validation methodologies to:
- ascertain that all identified weaknesses, deficiencies, or gaps have been fully addressed;
- ensure that remediation measures are effective, complete, and aligned with the entity’s ICT risk management framework.