Contents
- Report on the ICT risk management framework review
- Obligation to Review and Report (Article 6(5) DORA)
- Format of the Report (Article 27(1) RTS RMF)
- Mandatory Content Elements (Article 27(2)(a)–(l) RTS RMF)
- (a) Introductory Section (Article 27(2)(a))
- Date of Approval (Article 27(2)(b))
- Reason for the Review (Article 27(2)(c))
- Review Period (Article 27(2)(d))
- Responsible Function (Article 27(2)(e))
- Major Changes and Improvements (Article 27(2)(f))
- Summary of Findings and Assessment of Weaknesses (Article 27(2)(g))
- Measures to Address Identified Weaknesses (Article 27(2)(h))
- Planned Further Developments (Article 27(2)(i))
- Conclusions (Article 27(2)(j))
- Information on Past Reviews (Article 27(2)(k))
- Sources of Information (Article 27(2)(l))
- Article 6(5) DORA
- Article 27 RTS RMF
Report on the ICT risk management framework review
Obligation to Review and Report (Article 6(5) DORA)
- The ICT risk management framework must be documented and reviewed:
  - at least once a year, or
  - periodically in the case of microenterprises, and
  - upon the occurrence of major ICT-related incidents, and
  - following supervisory instructions or conclusions derived from:
    - relevant digital operational resilience testing, or
    - audit processes.
- The framework must be continuously improved on the basis of lessons derived from implementation and monitoring.
- A report on the review of the ICT risk management framework must be submitted to the competent authority upon its request.
Format of the Report (Article 27(1) RTS RMF)
- The report must be submitted in a searchable electronic format.
Mandatory Content Elements (Article 27(2)(a)–(l) RTS RMF)
The report must contain all of the following information.
(a) Introductory Section (Article 27(2)(a))
The introductory section must include:
(i) Identification of the Financial Entity
- Clear identification of the financial entity that is the subject of the report.
- Description of the group structure, where relevant.
(ii) Context of the Report
- Description of the nature, scale and complexity of the entity’s:
  - services,
  - activities, and
  - operations.
- Description of:
  - its organisation,
  - identified critical functions,
  - strategy,
  - major ongoing projects or activities,
  - relationships and dependencies on in-house and contracted ICT services and systems.
- Explanation of the implications that a total loss or severe degradation of such systems would have on:
  - critical or important functions, and
  - market efficiency.
(iii) Major Changes Since Previous Report
- Summary of major changes in the ICT risk management framework since the previous report submitted.
(iv) Executive Level Summary
- An executive summary of:
  - the current and near-term ICT risk profile,
  - the threat landscape,
  - the assessed effectiveness of controls, and
  - the security posture of the financial entity.
Date of Approval (Article 27(2)(b))
- The date of approval of the report by the management body.
Reason for the Review (Article 27(2)(c))
- A description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) DORA.
For this point:
- Where the review was initiated following supervisory instructions or conclusions from digital operational resilience testing or audit processes:
  - the report must contain explicit references to such instructions or conclusions, allowing identification of the reason for initiating the review.
- Where the review was initiated following ICT-related incidents:
  - the report must contain a list of all ICT-related incidents and the corresponding root-cause analysis.
Review Period (Article 27(2)(d))
- The start and end dates of the review period.
Responsible Function (Article 27(2)(e))
- An indication of the function responsible for the review.
Major Changes and Improvements (Article 27(2)(f))
- A description of the major changes and improvements to the ICT risk management framework since the previous review.
For this point, the description must include:
- an analysis of the impact of the changes on:
  - the financial entity’s digital operational resilience strategy;
  - the ICT internal control framework;
  - the ICT risk management governance.
Summary of Findings and Assessment of Weaknesses (Article 27(2)(g))
- A summary of the findings of the review.
- A detailed analysis and assessment of the severity of the following in the ICT risk management framework during the review period:
  - weaknesses,
  - deficiencies, and
  - gaps.
Measures to Address Identified Weaknesses (Article 27(2)(h))
A description of the measures to address identified weaknesses, deficiencies and gaps, including:
(i) Summary of Remediation Measures
- A summary of measures taken to remediate identified weaknesses, deficiencies and gaps.
(ii) Implementation Dates and Progress
- The expected date for implementing the measures.
- Dates related to internal control of implementation.
- Information on the state of progress as at the date of drafting the report.
- Explanation, where applicable, if there is a risk that deadlines may not be respected.
(iii) Tools and Responsible Functions
- Identification of the tools to be used and the function responsible for carrying out the measures.
- Clarification whether the tools and functions are internal or external.
(iv) Impact on Resources
- Description of the impact of the envisaged changes, including resources dedicated to implementing corrective measures, on:
  - budgetary resources,
  - human resources, and
  - material resources.
(v) Process for Informing the Competent Authority
- Information on the process for informing the competent authority, where appropriate.
(vi) Accepted Residual Risks
- Where weaknesses, deficiencies or gaps are not subject to corrective measures:
  - a detailed explanation of:
    - the criteria used to analyse the impact of those weaknesses, deficiencies or gaps;
    - the criteria used to evaluate the related residual ICT risk;
    - the criteria used to accept the related residual risk.
Planned Further Developments (Article 27(2)(i))
- Information on planned further developments of the ICT risk management framework.
Conclusions (Article 27(2)(j))
- Conclusions resulting from the review of the ICT risk management framework.
Information on Past Reviews (Article 27(2)(k))
The report must include:
(i) List of Past Reviews
- A list of past reviews conducted to date.
(ii) State of Implementation of Prior Corrective Measures
- Where applicable, the state of implementation of corrective measures identified by the last report.
(iii) Ineffective Measures or Unexpected Challenges
- Where proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges:
  - a description of how those corrective measures could be improved, or
  - a description of those unexpected challenges.
Sources of Information (Article 27(2)(l))
The report must list the sources of information used in its preparation, including:
(i) Internal Audit Results
- For financial entities other than microenterprises (as referred to in Article 6(6) DORA), the results of internal audits.
(ii) Compliance Assessments
- The results of compliance assessments.
(iii) Digital Operational Resilience Testing
- Results of digital operational resilience testing, and where applicable, the results of advanced testing based on TLPT of ICT tools, systems and processes.
(iv) External Sources
- Relevant external sources.