Friday with DORA: ICT Risk Management by Small Payment Institutions

Zofia Zborowska Zofia Zborowska Associate
23 May 2024
Pursuant to Article 16 of Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter referred to as “DORA” or “the Regulation”), a simplified ICT risk management framework applies to small payment institutions (MIPs).

Accordingly, as of January 17, 2025, MIPs will be required to:

    • introduce and maintain a sound and documented ICT risk management framework, detailing the mechanisms and measures used to manage ICT risks quickly, effectively and comprehensively, including the protection of relevant physical components and infrastructure;
    • continuously monitor the security and performance of all ICT systems;
    • minimise the impact of ICT risks through the use of correct, resilient and updated ICT systems, protocols and tools;
    • enable rapid identification and detection of sources of ICT risk and of irregularities in network and information systems, and rapid response to ICT incidents;
    • identify critical dependencies on external ICT service providers;
    • ensure the continuity of critical or essential functions through business continuity plans and response and recovery measures;
    • conduct regular tests of the adopted plans and measures, and feed the operational conclusions from those tests and from post-incident analyses back into the ICT risk assessment process;
    • develop ICT security awareness programmes and operational digital resilience training for employees and managers.

The EU Commission’s final draft delegated regulation of March 13, 2024 (C(2024) 1532) contains regulatory technical standards (RTS) previously developed by the ESAs to ensure further harmonization of ICT risk management tools, methods, processes and policies, and to develop a simplified ICT risk management framework.

According to the developed RTS, some of the responsibilities of MIP governing bodies under the simplified ICT risk management framework will include:

    1. having overall responsibility for ensuring that the simplified ICT risk management framework enables a financial entity’s business strategy in line with its risk appetite, and ensuring that ICT risks are taken into account in this context;
    2. defining clear roles and responsibilities for all ICT-related tasks;
    3. defining information security objectives and ICT requirements;
    4. allocating the budget necessary to meet the operational digital resilience needs of the financial entity for all types of resources, including appropriate ICT security awareness programmes and operational digital resilience and ICT skills training for all employees, and reviewing that budget at least once a year.

The final draft of Delegated Regulation C (2024) 1532 is available at this link: https://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELLAR:9c5ec434-e130-11ee-8b2b-01aa75ed71a1
