One of the requirements imposed on financial entities under Article 11 of Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter “DORA” or “the Regulation”), is the obligation to implement a comprehensive ICT business continuity strategy.
As part of the ICT business continuity strategy, financial entities are required to:
1) implement ICT response and recovery plans, subject to independent internal audit reviews;
2) implement and maintain ICT business continuity plans (particularly for critical or essential functions* outsourced to, or subject to arrangements with, third-party ICT service providers);
3) Periodically test the plans indicated in (1) – (2) above:
a) at least once a year,
b) after making significant changes to ICT systems supporting critical or essential functions;
4) conduct a business impact analysis of its exposure to serious business disruption (business impact analysis);
5) implement, maintain and test emergency information action plans (including a communications policy for internal employees and external stakeholders, and the appointment of a public and media relations officer);
6) maintain readily available records of activities carried out before and during a disruption – in the event that the plans indicated in (1) – (2) are activated;
According to Article 11(10) of DORA, for financial entities other than microenterprises, competent authorities may request a list of estimated total annual costs and losses caused by major ICT incidents.
-
-
- By July 17, 2024. The ESAs (i.e., EBA, ESMA and EIOPA), through the Joint Committee, are to develop common guidelines on estimating the total annual costs and losses referred to above.
-
—————————————————————————————————————————–
* Pursuant to Article 3(1)(22) of the Regulation, “critical or significant function” means a function, the disruption of which would materially affect the financial performance of a financial entity, the safety or continuity of its services and operations, or the discontinuance or defective or failed operation of which would materially affect the financial entity’s continued compliance with the terms and obligations of its authorization or its other obligations under applicable financial services regulations
