diff --git a/backend/library/libraries/rts-dora-ict-related-incidents.yaml b/backend/library/libraries/rts-dora-ict-related-incidents.yaml new file mode 100644 index 000000000..221b3c8f7 --- /dev/null +++ b/backend/library/libraries/rts-dora-ict-related-incidents.yaml 
@@ -0,0 +1,802 @@ +urn: urn:intuitem:risk:library:rts-dora-ict-related-incidents +locale: en +ref_id: RTS-DORA-ICT-related-incidents +name: RTS on criteria for the classification of ICT-related incidents +description: One of the objectives of Regulation (EU) 2022/2554 on digital operational + resilience for the financial sector (DORA) is to harmonise and streamline the ICT-related + incident reporting regime for financial entities (FEs) in the EU. To that end, DORA + introduces consistent requirements for FEs on management, classification and reporting + of ICT-related incidents. +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:rts-dora-ict-related-incidents + ref_id: RTS-DORA-ICT-related-incidents + name: RTS on criteria for the classification of ICT-related incidents + description: One of the objectives of Regulation (EU) 2022/2554 on digital operational + resilience for the financial sector (DORA) is to harmonise and streamline the + ICT-related incident reporting regime for financial entities (FEs) in the EU. + To that end, DORA introduces consistent requirements for FEs on management, + classification and reporting of ICT-related incidents. 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + assessable: false + depth: 1 + ref_id: Chapter I + description: Classification criteria + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 1 + description: Clients, financial counterparts and transactions + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + ref_id: '1.1' + description: The number of clients affected by the incident as referred to in + Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the + number of all affected clients, whether natural or legal persons, that are + or were unable to make use of the service provided by the financial entity + during the incident or that were adversely impacted by the incident. That + number shall also include third parties explicitly covered by the contractual + agreement between the financial entity and the client as beneficiaries of + the affected service. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + ref_id: '1.2' + description: The number of financial counterparts affected by the incident as + referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall + reflect the number of all affected financial counterparts that have concluded + a contractual arrangement with the financial entity. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + ref_id: '1.3' + description: 'In relation to the relevance of clients and financial counterparts + affected by the incident as referred to in Article 18(1), point (a), of Regulation + (EU) 2022/2554, the + + financial entity shall take into account the extent to which the impact on + a client or a financial counterpart will affect the implementation of the + business objectives of the financial entity, as well as the potential impact + of the incident on market efficiency.' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + ref_id: '1.4' + description: In relation to the amount or number of transactions affected by + the incident as referred to in Article 18(1), point (a), of Regulation (EU) + 2022/2554, the financial entity shall take into account all affected transactions + involving a monetary amount where at least one part of the transaction is + carried out in the Union. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-1 + ref_id: '1.5' + description: Where the actual number of clients or financial counterparts affected + or the actual number or amount of transactions affected cannot be determined, + the financial entity shall estimate those numbers or amounts based on available + data from comparable reference periods. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 2 + description: Reputational impact + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-2 + ref_id: '2.1' + description: 'For the purposes of determining the reputational impact of the + incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, + financial entities shall consider that a reputational impact has occurred + where at least one of the following criteria is met:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1 + ref_id: 2.1.a + description: the incident has been reflected in the media; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1 + ref_id: 2.1.b + description: the incident has resulted in repetitive complaints from different + clients or financial counterparts on client-facing services or critical business + relationships; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1 + ref_id: 2.1.c + description: the financial entity will not be able to or is likely not to be + able to meet regulatory requirements as a result of the incident; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.1 + ref_id: 2.1.d + description: the financial entity will or is likely to lose clients or financial + 
counterparts with a material impact on its business as a result of the incident. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-2 + ref_id: '2.2' + description: When assessing the reputational impact of the incident, financial + entities shall take into account the level of visibility that the incident + has gained or is likely to gain in relation to each criterion listed in paragraph + 1. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 3 + description: Duration and service downtime + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + ref_id: '3.1' + description: Financial entities shall measure the duration of an incident as + referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from + the moment the incident occurs until the moment when it is resolved. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + description: Where financial entities are unable to determine the moment when + the incident occurred, they shall measure the duration of the incident from + the moment it was detected. Where financial entities become aware that the + incident occurred prior to its detection, they shall measure the duration + from the moment the incident is recorded in network or system logs or other + data sources. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node19 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + description: Where financial entities do not yet know when the incident will + be resolved or are unable to verify records in logs or other data sources, + they shall apply estimates. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + ref_id: '3.2' + description: 'Financial entities shall measure the service downtime of an incident + as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, + from the moment the service is fully or partially unavailable to clients, + financial counterparts or other internal or external users to the moment when + regular activities or operations have been restored to the level of service + that was provided prior to the incident. Where the service downtime causes + a delay in the provision of service after regular activities or + + operations have been restored, the downtime shall be measured from the start + of the + + incident to the moment when that delayed service is fully provided.' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node21 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-3 + description: Where financial entities are unable to determine the moment when + the service downtime started, they shall measure the service downtime from + the moment it was detected. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 4 + description: Geographical spread + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node23 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-4 + description: 'For the purpose of determining the geographical spread with regard + to the areas affected by the incident as referred to in Article 18(1), point + (c), of Regulation (EU) 2022/2554, financial entities shall assess whether + the incident has or had an impact in other Member States, and in particular + the significance of the impact in relation to any of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:4.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node23 + ref_id: 4.a + description: clients and financial counterparts in other Member States; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:4.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node23 + ref_id: 4.b + description: branches or other financial entities within the group carrying + out activities in other Member States; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:4.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node23 + ref_id: 4.c + description: financial market infrastructures or third-party providers, which + may affect financial entities in other Member States to which they provide + services, to the extent such information is available. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 5 + description: Data losses + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node28 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-5 + description: 'For the purpose of determining the data losses that the incident + entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, + financial entities shall take into account the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:5.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node28 + ref_id: 5.a + description: in relation to the availability of data, whether the incident has + rendered the data on demand by the financial entity, its clients or its counterparts + temporarily or permanently inaccessible or unusable; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:5.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node28 + ref_id: 5.b + description: in relation to the authenticity of data, whether the incident has + compromised the trustworthiness of the source of data; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:5.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node28 + ref_id: 5.c + description: in relation to the integrity of data, whether the incident has + resulted in non-authorised modification of data that has rendered it inaccurate + or incomplete; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:5.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node28 + ref_id: 5.d + description: in relation to the 
confidentiality of data, whether the incident + has resulted in data having been accessed by or disclosed to an unauthorised + party or system. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 6 + description: Criticality of services affected + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node34 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-6 + description: 'For the purpose of determining the criticality of the services + affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, + financial entities shall assess whether the incident:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:6.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node34 + ref_id: 6.a + description: affects or has affected ICT services or network and information + systems that support critical or important functions of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:6.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node34 + ref_id: 6.b + description: ' affects or has affected financial services provided by the financial + entity that require authorisation, registration or that are supervised by + competent authorities;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:6.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node34 + ref_id: 6.c + description: constitutes or has constituted a successful, malicious and unauthorised + access to the network and information systems of the financial entity. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-7 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-i + ref_id: Article 7 + description: Economic impact + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-7 + ref_id: '7.1' + description: 'For the purpose of determining the economic impact of the incident + as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, + financial entities shall, without accounting for financial recoveries, take + into account the following types of direct and indirect costs and losses which + they have incurred as a result of the incident:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.a + description: expropriated funds or financial assets for which they are liable, + including assets lost to theft; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.b + description: costs for replacement or relocation of software, hardware or infrastructure; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.c + description: staff costs, including costs associated with replacement or relocation + of staff, recruitment of extra staff, remuneration of overtime and recovery + of lost or impaired skills; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.d + 
description: fees due to non-compliance with contractual obligations; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.e + description: costs for redress and compensation to customers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.f + description: losses due to forgone revenues; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.g + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.g + description: costs associated with internal and external communication; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1.h + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.1 + ref_id: 7.1.h + description: advisory costs, including costs associated with legal counselling, + forensic services and remediation services. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-7 + ref_id: '7.2' + description: 'Costs and losses referred to in paragraph 1 shall not include + costs that are necessary for the day-to-day operation of the business, in + particular the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2 + ref_id: 7.2.a + description: costs for general maintenance of infrastructure, equipment, hardware + and software, and costs for keeping skills of staff up to date; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2 + ref_id: 7.2.b + description: internal or external costs to enhance the business after the incident, + including upgrades, improvements and risk assessment initiatives; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.2 + ref_id: 7.2.c + description: insurance premiums. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-7 + ref_id: '7.3' + description: Financial entities shall calculate the amounts of costs and losses + based on data available at the time of reporting. Where the actual amounts + of costs and losses cannot be determined, financial entities shall estimate + those amounts. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:7.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-7 + ref_id: '7.4' + description: When assessing the economic impact of the incident, financial entities + shall sum up the costs and losses referred to in paragraph 1. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-ii + assessable: false + depth: 1 + ref_id: Chapter II + description: Major incidents and materiality thresholds + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-ii + ref_id: Article 8 + description: Major incidents + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-8 + ref_id: '8.1' + description: 'An incident shall be considered a major incident for the purposes + of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical + services as referred to in Article 6 and where either of the following conditions + is fulfilled:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.1 + ref_id: 8.1.a + description: the materiality threshold referred to in Article 9(5), point (b), + is met; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.1 + ref_id: 8.1.b + description: two or more of the other materiality thresholds referred to in + Articles 9(1) to (6) are met. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-8 + ref_id: '8.2' + description: 'Recurring incidents that individually are not considered a major + incident in accordance with paragraph 1 shall be considered as one major incident + where they meet all of the following conditions:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2 + ref_id: 8.2.a + description: they have occurred at least twice within 6 months; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2 + ref_id: 8.2.b + description: they have the same apparent root cause as referred to in Article + 20(b) of Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:8.2 + ref_id: 8.2.c + description: they collectively fulfil the criteria for being considered a major + incident set out in paragraph 1. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node63 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-8 + description: Financial entities shall assess the existence of recurring incidents + on a monthly basis. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node64 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-8 + description: This paragraph does not apply to microenterprises and to financial + entities listed in Article 16(1) of Regulation (EU) 2022/2554. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-ii + ref_id: Article 9 + description: Materiality thresholds for determining major incidents + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.1' + description: "The materiality threshold for the criterion \u2018clients, financial\ + \ counterparts and transactions\u2019 is met where any of the following conditions\ + \ are fulfilled:" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.a + description: the number of affected clients is higher than 10 % of all clients + using the affected service; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.b + description: the number of affected clients using the affected service is higher + than 100 000; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.c + description: the number of affected financial counterparts is higher than 30 + % of all financial counterparts carrying out activities related to the provision + of the affected service; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.d + description: the number of affected transactions is higher than 10 % of the + daily average number of transactions carried out by the financial 
entity related + to the affected service; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.e + description: the amount of affected transactions is higher than 10 % of the + daily average value of transactions carried out by the financial entity related + to the affected service; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.1 + ref_id: 9.1.f + description: clients or financial counterparts which have been identified as + relevant in accordance with Article 1(3) have been affected. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node73 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + description: Where the actual number of clients or financial counterparts affected + or the actual number or amount of transactions affected cannot be determined, + the financial entity shall estimate those numbers or amounts based on available + data from comparable reference periods. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.2' + description: "The materiality threshold for the criterion \u2018reputational\ + \ impact\u2019 is met where any of the conditions set out in Article 2, points\ + \ (a) to (d), are fulfilled." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.3' + description: "The materiality threshold for the criterion \u2018duration and\ + \ service downtime\u2019 is met where any of the following conditions are\ + \ fulfilled:" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.3.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.3 + ref_id: 9.3.a + description: the duration of the incident is longer than 24 hours; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.3.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.3 + ref_id: 9.3.b + description: the service downtime is longer than 2 hours for ICT services that + support critical or important functions. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.4' + description: "The materiality threshold for the criterion \u2018geographical\ + \ spread\u2019 is met where the incident has an impact in two or more Member\ + \ States in accordance with Article 4." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.5' + description: "The materiality threshold for the criterion \u2018data losses\u2019\ + \ is met where any of the following conditions are fulfilled:" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.5.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.5 + ref_id: 9.5.a + description: any impact as referred to in Article 5 on the availability, authenticity, + integrity or confidentiality of data has or will have an adverse impact on + the implementation of the business objectives of the financial entity or on + its ability to meet regulatory requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.5.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.5 + ref_id: 9.5.b + description: any successful, malicious and unauthorised access not covered by + point (a) occurs to network and information systems, where such access may + result in data losses. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:9.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-9 + ref_id: '9.6' + description: "The materiality threshold for the criterion \u2018economic impact\u2019\ + \ is met where the costs and losses incurred by the financial entity due to\ + \ the incident have exceeded or are likely to exceed 100 000 euro." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-iii + assessable: false + depth: 1 + ref_id: Chapter III + description: Significant Cyber threats + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-10 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-iii + ref_id: Article 10 + description: High materiality thresholds for determining significant cyber threats + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node85 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-10 + description: 'For the purposes of Article 18(2) of Regulation (EU) 2022/2554, + a cyber threat shall be considered significant where all of the following + conditions are fulfilled:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node85 + ref_id: 10.a + description: the cyber threat, if materialised, could affect or could have affected + critical or important functions of the financial entity, or could affect other + financial entities, third party providers, clients or financial counterparts, + based on information available to the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node85 + ref_id: 10.b + description: 'the cyber threat has a high probability of materialisation at + the financial entity or at other financial entities, taking into account at + least the following elements:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b + ref_id: 10.b.i + description: applicable risks related to the cyber threat referred to 
in point + (a), including potential vulnerabilities of the systems of the financial entity + that can be exploited; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b.ii + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b + ref_id: 10.b.ii + description: the capabilities and intent of threat actors to the extent known + by the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b.iii + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.b + ref_id: 10.b.iii + description: the persistence of the threat and any accrued knowledge about incidents + that have impacted the financial entity or its third-party provider, clients + or financial counterparts; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node85 + ref_id: 10.c + description: 'the cyber threat could, if materialised, meet any of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c + ref_id: 10.c.i + description: the criterion regarding criticality of services set out in Article + 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 + of this Regulation; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c.ii + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c + ref_id: 10.c.ii + description: the materiality threshold set out in Article 9(1); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c.iii + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:10.c + ref_id: 10.c.iii + description: the materiality threshold set out in 
Article 9(4). + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node95 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-10 + description: Where, depending on the type of cyber threat and available information, + the financial entity concludes that the materiality thresholds set out in + Article 9(2), (3), (5) and (6) could be met, those thresholds may also be + considered. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-iv + assessable: false + depth: 1 + ref_id: Chapter IV + description: Relevance of major incidents to competent authorities in other + Member States and details of reports to be shared with other competent authorities + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-iv + ref_id: Article 11 + description: Relevance of major incidents to competent authorities in other + Member States + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node98 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-11 + description: 'The assessment of whether the major incident is relevant for competent + authorities in other Member States as referred to in Article 19(7) of Regulation + (EU) 2022/2554 shall be based on whether the incident has a root cause originating + from another Member State or whether the incident has or has had a significant + impact in another Member State in relation to any of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:11.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node98 + ref_id: 11.a + description: clients or financial counterparts; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:11.b + assessable: false + depth: 4 
+ parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node98 + ref_id: 11.b + description: a branch of the financial entity or another financial entity within + the group; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:11.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node98 + ref_id: 11.c + description: a financial market infrastructure or a third-party provider which + may affect financial entities to which they provide services. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-12 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-iv + ref_id: Article 12 + description: Details of major incidents to be shared with other competent authorities + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node103 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-12 + description: The details of major incidents to be submitted by competent authorities + to other competent authorities in accordance with Article 19(6) of Regulation + (EU) 2022/2554 and the notifications to be submitted by EBA, ESMA or EIOPA + and the ECB to the relevant competent authorities in other Member States in + accordance with Article 19(7) of that Regulation shall contain the same level + of information, without any anonymisation, as the notifications and reports + of major incidents received from financial entities in accordance with Article + 19(4) of Regulation (EU) 2022/2554. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-v + assessable: false + depth: 1 + ref_id: Chapter V + description: final provisions + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-13 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:chapter-v + ref_id: Article 13 + description: Entry into force + - urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:node106 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-related-incidents:article-13 + description: This Regulation shall enter into force on the twentieth day following + that of its publication in the Official Journal of the European Union diff --git a/backend/library/libraries/rts-dora-ict-risk-management.yaml b/backend/library/libraries/rts-dora-ict-risk-management.yaml new file mode 100644 index 000000000..9914eaf15 --- /dev/null +++ b/backend/library/libraries/rts-dora-ict-risk-management.yaml 
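Review bot: in rts-dora-ict-related-incidents.yaml the two paragraph nodes of Article 10, `node85` ("For the purposes of Article 18(2) ... all of the following conditions are fulfilled:") and `node95` ("Where, depending on the type of cyber threat ..."), carry no `ref_id`, so they render unlabeled in the tree while their children are labeled `10.a`, `10.b`, `10.c`; suggest `ref_id: '10.1'` and `ref_id: '10.2'` so the assessable paragraphs can be cited the same way as the points under them. Two smaller things in the same hunk: chapter titles are capitalised inconsistently (`description: Significant Cyber threats` under Chapter III and `description: final provisions` under Chapter V, next to `description: Classification criteria`), and the Article 13 text on `node106` ends without a full stop ("... in the Official Journal of the European Union").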
@@ -0,0 +1,4595 @@ +urn: urn:intuitem:risk:library:rts-dora-ict-risk-management +locale: en +ref_id: RTS-DORA-ICT-risk-management +name: RTS on ICT risk management framework and on simplified ICT risk management framework +description: One of the objectives of Regulation (EU) 2022/2554 on digital operational + resilience for the financial sector (DORA) is to set out uniform requirements for + the security of network and information systems of companies and organisations operating + in the financial sector. It thus creates a regulatory framework on digital operational + resilience, whereby all financial entities need to make sure they can withstand, + respond to, and recover from all types of ICT-related disruptions and threats. These + requirements are homogenous across the EU, with the aim of preventing and mitigating + cyber threats. +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:rts-dora-ict-risk-management + ref_id: RTS-DORA-ICT-risk-management + name: RTS on ICT risk management framework and on simplified ICT risk management + framework + description: One of the objectives of Regulation (EU) 2022/2554 on digital operational + resilience for the financial sector (DORA) is to set out uniform requirements + for the security of network and information systems of companies and organisations + operating in the financial sector. It thus creates a regulatory framework on + digital operational resilience, whereby all financial entities need to make + sure they can withstand, respond to, and recover from all types of ICT-related + disruptions and threats. These requirements are homogenous across the EU, with + the aim of preventing and mitigating cyber threats. 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-i + assessable: false + depth: 1 + ref_id: TITLE I + description: GENERAL PRINCIPLE + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-i + ref_id: Article 1 + description: Overall risk profile and complexity + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-1 + description: 'When developing and implementing the ICT security policies, procedures, + protocols and tools referred to in Title II and the simplified ICT risk management + framework referred to in Title III, the size and the overall risk profile + of the financial entity, and the nature, scale and elements of increased or + reduced complexity of its services, activities and operations shall be taken + into account, including elements relating to:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + ref_id: 1.a + description: encryption and cryptography; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + ref_id: 1.b + description: ICT operations security; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + ref_id: 1.c + description: network security; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:1.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + ref_id: 1.d + description: ICT project and change management; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:1.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node4 + ref_id: 1.e + description: "the potential impact of the ICT risk on confidentiality, integrity\ + \ and availability of data, and of the disruptions on the continuity and availability\ + \ of the financial entity\u2019s activities." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + assessable: false + depth: 1 + ref_id: TITLE II + description: FURTHER HARMONISATION OF ICT RISK MANAGEMENT TOOLS, METHODS, PROCESSES, + AND POLICIES IN ACCORDANCE WITH ARTICLE 15 OF REGULATION (EU) 2022/2554 + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + name: CHAPTER I + description: ICT SECURITY POLICIES, PROCEDURES, PROTOCOLS, AND TOOLS + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 1 + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-1 + ref_id: Article 2 + description: General elements of ICT security policies, procedures, protocols, + and tools + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-2 + ref_id: '2.1' + description: 'Financial entities shall ensure that their ICT security policies, + information security, and related procedures, protocols, and tools as referred + to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT + risk management framework. 
Financial entities shall establish the ICT security + policies, procedures, protocols, and tools laid down in this Chapter that:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1 + ref_id: 2.1.a + description: ensure the security of networks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1 + ref_id: 2.1.b + description: "\_contain safeguards against intrusions and data misuse;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1 + ref_id: 2.1.c + description: preserve the availability, authenticity, integrity, and confidentiality + of data,including via the use of cryptographic techniques; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.1 + ref_id: 2.1.d + description: guarantee an accurate and prompt data transmission without major + disruptions and undue delays. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-2 + ref_id: '2.2' + description: 'Financial entities shall ensure that the ICT security policies + referred to in paragraph 1:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.a + description: "are aligned to the financial entity\u2019s information security\ + \ objectives included in the digital operational resilience strategy referred\ + \ to in Article 6(8) of Regulation (EU) 2022/2554;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.b + description: indicate the date of the formal approval of the ICT security policies + by the management body; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.c + description: ' contain indicators and measures to:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.c + ref_id: 2.2.c.i + description: monitor the implementation of the ICT security policies, procedures, + protocols, and tools + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.c + ref_id: 2.c.ii + description: record exceptions from that implementation + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.c + 
ref_id: 2.c.iii + description: ensure that the digital operational resilience of the financial + entity is ensured in case of exceptions as referred to in point (ii); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.d + description: "specify the responsibilities of staff at all levels to ensure\ + \ the financial entity\u2019s\nICT security;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.e + description: specify the consequences of non-compliance by staff of the financial + entity with the ICT security policies, where provisions to that effect are + not laid down in other policies of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.f + description: list the documentation to be maintained; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.g + description: specify the segregation of duties arrangements in the context of + the three lines of defence model or other internal risk management and control + model, as applicable, to avoid conflicts of interest; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.h + description: consider leading practices and, where applicable, standards as + defined in Article 2, point (1), of Regulation (EU) No 1025/2012; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.i + assessable: true + depth: 6 + 
parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.i + description: identify the roles and responsibilities for the development, implementation + and maintenance of ICT security policies, procedures, protocols, and tools; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.j + description: are reviewed in accordance with Article 6(5) of Regulation (EU) + 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2.k + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:2.2 + ref_id: 2.2.k + description: take into account material changes concerning the financial entity, + including material changes to the activities or processes of the financial + entity, to the cyber threat landscape, or to applicable legal obligations. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 2 + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-2 + ref_id: Article 3 + description: ICT risk management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-3 + description: 'Financial entities shall develop, document, and implement ICT + risk management policies and procedures that shall contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.a + description: an indication of the approval of the 
risk tolerance level for ICT + risk established in accordance with Article 6(8), point (b), of Regulation + (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.b + description: 'a procedure and a methodology to conduct the ICT risk assessment, + identifying:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.b + ref_id: 3.b.i + description: vulnerabilities and threats that affect or may affect the supported + business functions, the ICT systems and ICT assets supporting those functions; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.b + ref_id: 3.b.ii + description: the quantitative or qualitative indicators to measure the impact + and likelihood of the vulnerabilities and threats referred to in point (i); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.c + description: the procedure to identify, implement, and document ICT risk treatment + measures for the ICT risks identified and assessed, including the determination + of ICT risk treatment measures necessary to bring ICT risk within the risk + tolerance level referred to in point (a); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.d + description: 'for the residual ICT risks that are still present following the + implementation of the ICT risk treatment measures referred to in point (c):' + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d + ref_id: 3.d.i + description: provisions on the identification of those residual ICT risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d + ref_id: 3.d.ii + description: 'the assignment of roles and responsibilities regarding:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.ii.1 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.ii + ref_id: 3.d.ii.1 + description: "the acceptance of the residual ICT risks that exceed the financial\ + \ entity\u2019s risk tolerance level referred to in point (a);" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.ii.2 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.ii + ref_id: 3.d.ii.2 + description: for the review process referred to in point (iv) of this point + (d); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d + ref_id: 3.d.iii + description: the development of an inventory of the accepted residual ICT risks, + including a justification for their acceptance; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d + ref_id: 3.d.iv + description: 'provisions on the review of the accepted residual ICT risks at + least once a year, including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv.1 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv + ref_id: 3.d.iv.1 + 
description: the identification of any changes to the residual ICT risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv.2 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv + ref_id: 3.d.iv.2 + description: the assessment of available mitigation measures; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv.3 + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.d.iv + ref_id: 3.d.iv.3 + description: the assessment of whether the reasons justifying the acceptance + of residual ICT risks are still valid and applicable at the date of the review; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.e + description: 'provisions on the monitoring of:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e + ref_id: 3.e.i + description: any changes to the ICT risk and cyber threat landscape; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e + ref_id: 3.e.ii + description: 'internal and external vulnerabilities and threats:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.e + ref_id: 3.e.iii + description: ICT risk of the financial entity that enables promp detection of + changes that could affect its ICT risk profile; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:3.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node36 + ref_id: 3.f + description: 
provisions on a process to ensure that any changes to the business + strategy and the digital operational resilience strategy of the financial + entity are taken into account. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node57 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-3 + description: 'For the purposes of the first paragraph, point (c), the procedure + referred to in that point shall ensure:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node58 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node57 + description: (a) the monitoring of the effectiveness of the ICT risk treatment + measures implemented; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node59 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node57 + description: (b) the assessment of whether the established risk tolerance levels + of the financial entity have been attained; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node60 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node57 + description: (c)the assessment of whether the financial entity has taken actions + to correct or improve those measures where necessary. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 3 + description: ICT ASSET MANAGEMENT + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-3 + ref_id: Article 4 + description: ICT asset management policy + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-4 + ref_id: '4.1' + description: As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement a policy on management of + ICT assets. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-4 + ref_id: '4.2' + description: 'The policy on management of ICT assets referred to in paragraph + 1 shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2 + ref_id: 4.2.a + description: prescribe the monitoring and management of the lifecycle of ICT + assets identified and classified in accordance with Article 8(1) of Regulation + (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2 + ref_id: 4.2.b + description: 'prescribe that the financial entity keeps records of all of the + following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.i + assessable: true + depth: 7 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.i + description: the unique identifier of each ICT asset; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.ii + description: information on the location, either physical or logical, of all + ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.iii + description: the classification of all ICT assets, as referred to in Article + 8(1) of Regulation (EU) 2022/2254; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.iv + description: the identity of ICT asset owners; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.v + description: the business functions or services supported by the ICT asset; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.vi + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.vi + description: the ICT business continuity requirements, including recovery time + objectives and recovery point objectives; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.vii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.vii + description: whether the ICT asset can be or is exposed to external networks, + including the internet; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.viii + assessable: true + 
depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.viii + description: the links and interdependencies among ICT assets and the business + functions using each ICT asset; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b.ix + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.b + ref_id: 4.2.b.ix + description: "where applicable, for all ICT assets, the end dates of the ICT\ + \ third-party service provider\u2019s regular, extended, and custom support\ + \ services after which those ICT assets are no longer supported by their supplier\ + \ or by an ICT third-party service provider;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:4.2 + ref_id: 4.2.c + description: for financial entities other than microenterprises, prescribe that + those financial entities keep records of the information necessary to perform + a specific ICT risk assessment on all legacy ICT systems referred to in Article + 8(7) of Regulation (EU) 2022/2554. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-3 + ref_id: Article 5 + description: ICT asset management procedure + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-5 + ref_id: '5.1' + description: ' Financial entities shall develop, document, and implement a procedure + for the management of ICT assets.' 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-5 + ref_id: '5.2' + description: 'The procedure for management of ICT assets referred to in paragraph + 1 shall specify the criteria to perform the criticality assessment of information + assets and ICT assets supporting business functions. That assessment shall + take into account:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.2 + ref_id: 5.2.a + description: the ICT risk related to those business functions and their dependencies + on the information assets or ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:5.2 + ref_id: 5.2.b + description: how the loss of confidentiality, integrity, and availability of + such information assets and ICT assets would impact the business processes + and activities of the financial entities. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 4 + description: ENCRYPTION AND CRYPTOGRAPHY + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-4 + ref_id: Article 6 + description: Encryption and cryptographic controls + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + ref_id: '6.1' + description: As part of their ICT security policies, procedures, protocols, + and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement a policy on encryption and + cryptographic controls. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + ref_id: '6.2' + description: 'Financial entities shall design the policy on encryption and cryptographic + controls referred to in paragraph 1 on the basis of the results of an approved + data classification and ICT risk assessment. 
That policy shall contain rules + for all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2 + ref_id: 6.2.a + description: the encryption of data at rest and in transit; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2 + ref_id: 6.2.b + description: the encryption of data in use, where necessary; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2 + ref_id: 6.2.c + description: the encryption of internal network connections and traffic with + external parties; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.2 + ref_id: 6.2.d + description: the cryptographic key management referred to in Article 7, laying + down rules on the correct use, protection, and lifecycle of cryptographic + keys. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node90 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + description: For the purposes of point (b), where encryption of data in use + is not possible, financial entities shall process data in use in a separated + and protected environment, or take equivalent measures to ensure the confidentiality, + integrity, authenticity, and availability of data. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + ref_id: '6.3' + description: Financial entities shall include in the policy on encryption and + cryptographic controls referred to in paragraph 1 criteria for the selection + of cryptographic techniques and use practices, taking into account leading + practices, and standards as defined in Article 2, point (1), of Regulation + (EU) No 1025/2012, and the classification of relevant ICT assets established + in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities + that are not able to adhere to the leading practices or standards, or to use + the most reliable techniques, shall adopt mitigation and monitoring measures + that ensure resilience against cyber threats. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + ref_id: '6.4' + description: Financial entities shall include in the policy on encryption and + cryptographic controls referred to in paragraph 1 provisions for updating + or changing, where necessary, the cryptographic technology on the basis of + developments in cryptanalysis. Those updates or changes shall ensure that + the cryptographic technology remains resilient against cyber threats, as required + by Article 10(2), point (a). Financial entities that are not able to update + or change the cryptographic technology shall adopt mitigation and monitoring + measures that ensure resilience against cyber threats. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:6.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-6 + ref_id: '6.5' + description: Financial entities shall include in the policy on encryption and + cryptographic controls referred to in paragraph 1 a requirement to record + the adoption of mitigation and monitoring measures adopted in accordance with + paragraphs 3 and 4 and to provide a reasoned explanation for doing so. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-4 + ref_id: Article 7 + description: Cryptographic key management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:7.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + ref_id: '7.1' + description: Financial entities shall include in the cryptographic key management + policy referred to in Article 6(2), point (d), requirements for managing cryptographic + keys through their whole lifecycle, including generating, renewing, storing, + backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying + those cryptographic keys. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:7.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + ref_id: '7.2' + description: Financial entities shall identify and implement controls to protect + cryptographic keys through their whole lifecycle against loss, unauthorised + access, disclosure, and modification. Financial entities shall design those + controls on the basis of the results of the approved data classification and + the ICT risk assessment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:7.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + ref_id: '7.3' + description: Financial entities shall develop and implement methods to replace + the cryptographic keys in the case of loss, or where those keys are compromised + or damaged. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:7.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + ref_id: '7.4' + description: Financial entities shall create and maintain a register for all + certificates and certificate-storing devices for at least ICT assets supporting + critical or important functions. Financial entities shall keep that register + up to date + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:7.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-7 + ref_id: '7.5' + description: Financial entities shall ensure the prompt renewal of certificates + in advance of their expiration. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 5 + description: ICT OPERATIONS SECURITY + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-8 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + ref_id: Article 8 + description: Policies and procedures for ICT operations + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-8 + ref_id: '8.1' + description: As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement policies and procedures to + manage the ICT operations. Those policies and procedures shall specify how + financial entities operate, monitor, control, and restore their ICT assets, + including the documentation of ICT operations. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-8 + ref_id: '8.2' + description: 'The policies and procedures for ICT operations referred to in + paragraph 1 shall + + contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2 + ref_id: 8.2.a + description: 'an ICT assets description, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a + ref_id: 8.2.a.i + description: requirements regarding secure installation, maintenance, configuration, + and deinstallation of an ICT system; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a + ref_id: 8.2.a.ii + description: requirements regarding the management of information assets used + by ICT assets, including their processing and handling, both automated and + manual; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.a + ref_id: 8.2.a.iii + description: requirements regarding the identification and control of legacy + ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2 + ref_id: 8.2.b + description: 'controls and monitoring of ICT systems, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.i + assessable: true + depth: 7 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.i + description: backup and restore requirements of ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.ii + description: scheduling requirements, taking into consideration interdependencies + among the ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.iii + description: protocols for audit-trail and system log information; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.iv + description: requirements to ensure that the performance of internal audit and + other testing minimises disruptions to business operations; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.v + description: requirements on the separation of ICT production environments from + the development, testing, and other non-production environments; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.vi + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.vi + description: requirements to conduct the development and testing in environments + which are separated from the production environment; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b.vii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.b + ref_id: 8.2.b.vii + description: requirements to conduct the 
development and testing in production + environments; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2 + ref_id: 8.2.c + description: 'error handling concerning ICT systems, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c + ref_id: 8.2.c.i + description: procedures and protocols for handling errors; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c + ref_id: 8.2.c.ii + description: support and escalation contacts, including external support contacts + in case of unexpected operational or technical issues; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:8.2.c + ref_id: 8.2.c.iii + description: ICT system restart, rollback, and recovery procedures for use in + the event of ICT system disruption. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node120 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-8 + description: For the purposes of point (b)(v), the separation shall consider + all of the components of the environment, including accounts, data or connections, + as required by Article 13(1), point (a) + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node121 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-8 + description: For the purposes of point (b)(vii), the policies and procedures + referred to in paragraph 1 shall provide that the instances in which testing + is performed in a production environment are clearly identified, reasoned, + are for limited periods of time, and are approved by the relevant function + in accordance with Article 16(6). Financial entities shall ensure the availability, + confidentiality, integrity, and authenticity of ICT systems and production + data during development and test activities in the production environment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + ref_id: Article 9 + description: Capacity and performance management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-9 + ref_id: '9.1' + description: 'As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement capacity and performance management + procedures for the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1 + ref_id: 9.1.a + description: the identification of capacity requirements of their ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1 + ref_id: 9.1.b + description: the application of resource optimisation; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1 + ref_id: 9.1.c + description: 'the monitoring procedures for maintaining and improving:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c + ref_id: 9.1.c.i + description: the availability of data and ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c + ref_id: 9.1.c.ii + description: the efficiency of 
ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.1.c + ref_id: 9.1.c.iii + description: the prevention of ICT capacity shortages. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:9.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-9 + ref_id: '9.2' + description: The capacity and performance management procedures referred to + in paragraph 1 shall ensure that financial entities take measures that are + appropriate to cater for the specificities of ICT systems with long or complex + procurement or approval processes or ICT systems that are resource-intensive. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + ref_id: Article 10 + description: Vulnerability and patch management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + ref_id: '10.1' + description: As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement vulnerability management procedures. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + ref_id: '10.2' + description: 'The vulnerability management procedures referred to in paragraph + 1 shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.a + description: identify and update relevant and trustworthy information resources + to build and maintain awareness about vulnerabilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.b + description: ensure the performance of automated vulnerability scanning and + assessments on ICT assets, whereby the frequency and scope of those activities + shall be commensurate to the classification established in accordance with + Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of + the ICT asset; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.c + description: 'verify whether:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.c + ref_id: 10.2.c.i + description: ICT third-party service providers handle vulnerabilities related + to the ICT services provided to the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.c + ref_id: 10.2.c.ii + description: whether those service providers report to the financial entity + at 
least the critical vulnerabilities and statistics and trends in a timely + manner; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.d + description: 'track the usage of:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.d.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.d + ref_id: 10.2.d.i + description: third-party libraries, including open-source libraries, used by + ICT services supporting critical or important functions; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.d.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.d + ref_id: 10.2.d.ii + description: ICT services developed by the financial entity itself or specifically + customised or developed for the financial entity by an ICT third-party service + provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.e + description: establish procedures for the responsible disclosure of vulnerabilities + to clients, counterparties, and to the public; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.f + description: 'prioritise the deployment of patches and other mitigation measures + to address + + the vulnerabilities identified;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.g + description: monitor and verify the remediation of vulnerabilities; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.2 + ref_id: 10.2.h + description: require the recording of any detected vulnerabilities affecting + ICT systems and the monitoring of their resolution. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node146 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + description: For the purposes of point (b), financial entities shall perform + the automated vulnerability scanning and assessments on ICT assets for the + ICT assets supporting critical or important functions on at least a weekly + basis. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node147 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + description: For the purposes of point (c), financial entities shall request + that ICT third-party service providers investigate the relevant vulnerabilities, + determine the root causes, and implement appropriate mitigating action. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node148 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + description: For the purposes of point (d), financial entities shall, where + appropriate in collaboration with the ICT third-party service provider, monitor + the version and possible updates of the third-party libraries. In case of + ready to use (off-the-shelf) ICT assets or components of ICT assets acquired + and used in the operation of ICT services not supporting critical or important + functions, financial entities shall track the usage to the extent possible + of third-party libraries, including open-source libraries. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node149 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + description: For the purposes of point (f), financial entities shall consider + the criticality of the vulnerability, the classification established in accordance + with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the + ICT assets affected by the identified vulnerabilities + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + ref_id: '10.3' + description: As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document and implement patch management procedures. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-10 + ref_id: '10.4' + description: ' The patch management procedures referred to in paragraph 3 shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4 + ref_id: 10.4.a + description: to the extent possible identify and evaluate available software + and hardware patches and updates using automated tools; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4 + ref_id: 10.4.b + description: identify emergency procedures for the patching and updating of + ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4 + 
ref_id: 10.4.c + description: test and deploy the software and hardware patches and the updates + referred to in Article 8(2), points (b)(v), (vi) and (vii); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:10.4 + ref_id: 10.4.d + description: set deadlines for the installation of software and hardware patches + and updates and escalation procedures in case those deadlines cannot be met. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + ref_id: Article 11 + description: Data and system security + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-11 + ref_id: '11.1' + description: As part of the ICT security policies, procedures, protocols, and + tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial + entities shall develop, document, and implement a data and system security + procedure. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-11 + ref_id: '11.2' + description: 'The data and system security procedure referred to in paragraph + 1 shall contain all of the following elements related to data and ICT system + security, in accordance with the classification established in accordance + with Article 8(1) of Regulation (EU) 2022/2554:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.a + description: the access restrictions referred to in Article 21 of this Regulation, + supporting the protection requirements for each level of classification; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.b + description: the identification of a secure configuration baseline for ICT assets + that minimise exposure of those ICT assets to cyber threats and measures to + verify regularly that those baselines are effectively deployed; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.c + description: the identification of security measures to ensure that only authorised + software is installed in ICT systems and endpoint devices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.d + description: the identification of security measures against malicious codes; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.e + assessable: true + depth: 6 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.e + description: the identification of security measures to ensure that only authorised + data storage media, systems, and endpoint devices are used to transfer and + store data of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.f + description: 'the following requirements to secure the use of portable endpoint + devices and private non-portable endpoint devices:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f + ref_id: 11.2.f.i + description: "the requirement to use a management solution to remotely manage\ + \ the endpoint devices and remotely wipe the financial entity\u2019s data;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f + ref_id: 11.2.f.ii + description: the requirement to use security mechanisms that cannot be modified, + removed or bypassed by staff members or ICT third-party service providers + in an unauthorised manner; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.f + ref_id: 11.2.f.iii + description: "the requirement to use removable data storage devices only where\ + \ the residual ICT risk remains within the financial entity\u2019s risk tolerance\ + \ level referred to in Article 3(1), point (a);" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.g + description: the 
process to securely delete data, present on premises of the + financial entity or stored externally, that the financial entity no longer + needs to collect or to store; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.h + description: the process to securely dispose or decommission of data storage + devices present on premises of the financial entity or stored externally containing + confidential information; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.i + description: the identification and implementation of security measures to prevent + data loss and leakage for systems and endpoint devices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.j + description: the implementation of security measures to ensure that teleworking + and the use of private endpoint devices does not adversely impact the ICT + security of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2.k + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:11.2 + ref_id: 11.2.k + description: for ICT assets or services operated by an ICT third-party service + provider, the identification and implementation of requirements to maintain + digital operational resilience, in accordance with the results of the data + classification and ICT risk assessment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node173 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-11 + description: For the purposes of point (b), the secure configuration baseline + referred to in that point shall take into account leading practices and appropriate + techniques laid down in the standards defined in Article 2, point (1), of + Regulation (EU) No 1025/2012. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node174 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-11 + description: 'For the purposes of point (k), financial entities shall consider + the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node175 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node174 + description: (a)the implementation of vendor recommended settings on the elements + operated by the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node176 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node174 + description: "(b)a clear allocation of information security roles and responsibilities\ + \ between the financial entity and the ICT third-party service provider, in\ + \ accordance with the principle of full responsibility of the financial entity\ + \ over its ICT third-party service provider referred to in Article 28(1),\ + \ point (a), of Regulation (EU) 2022/2554, and for financial entities referred\ + \ to in Article 28(2) of that Regulation, and in accordance with the financial\ + \ entity\u2019s policy on the use of ICT services supporting critical or important\ + \ functions;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node177 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node174 + 
description: (c)the need to ensure and maintain adequate competences within + the financial entity in the management and security of the service used; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node178 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node174 + description: (d)technical and organisational measures to minimise the risks + related to the infrastructure used by the ICT third-party service provider + for its ICT services, considering leading practices, and standards as defined + in Article 2, point (1), of Regulation (EU) No 1025/2012. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-12 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-5 + ref_id: Article 12 + description: Logging + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-12 + ref_id: '12.1' + description: Financial entities shall, as part of the safeguards against intrusions + and data misuse, develop, document, and implement logging procedures, protocols + and tools. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-12 + ref_id: '12.2' + description: 'The logging procedures, protocols, and tools referred to in paragraph + 1 shall contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.a + description: the identification of the events to be logged, the retention period + of the logs, and the measures to secure and handle the log data, considering + the purpose for which the logs are created; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.b + description: the alignment of the level of detail of the logs with their purpose + and usage to enable the effective detection of anomalous activities as referred + to in Article 24; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.c + description: 'the requirement to log events related to all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + ref_id: 12.2.c.i + description: logical and physical access control, as referred to in Article + 21, and identity management; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + ref_id: 12.2.c.ii + description: capacity management; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + ref_id: 12.2.c.iii + description: change management; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + ref_id: 12.2.c.iv + description: ICT operations, including ICT system activities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.c + ref_id: 12.2.c.v + description: network traffic activities, including ICT network performance; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.d + description: measures to protect logging systems and log information against + tampering, deletion, and unauthorised access at rest, in transit, and, where + relevant, in use; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.e + description: measures to detect a failure of logging systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:12.2 + ref_id: 12.2.f + description: "without prejudice to any applicable regulatory requirements under\ + \ Union or national law, the synchronisation of the clocks of each of the\ + \ financial entity\u2019s ICT systems upon a documented reliable reference\ + \ time source." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node193 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-12 + description: For the purposes of point (a), financial entities shall establish + the retention period, taking into account the business and information security + objectives, the reason for recording the event in the logs, and the results + of the ICT risk assessment. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 6 + description: NETWORK SECURITY + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-6 + ref_id: Article 13 + description: Network security management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-13 + ref_id: '13.1' + description: 'Financial entities shall, as part of the safeguards ensuring the + security of network against intrusions and data misuse, develop, document, + and implement policies, procedures, protocols, and tools on network security + management, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.a + description: 'the segregation and segmentation of ICT systems and networks taking + into account:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a + ref_id: 13.1.a.i + description: the criticality or importance of the function those ICT systems + 
and networks support; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a + ref_id: 13.1.a.ii + description: the classification established in accordance with Article 8(1) + of Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.a + ref_id: 13.1.a.iii + description: the overall risk profile of ICT assets using those ICT systems + and networks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.b + description: "the documentation of all of the financial entity\u2019s network\ + \ connections and data flows;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.c + description: the use of a separate and dedicated network for the administration + of ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.d + description: the identification and implementation of network access controls + to prevent and detect connections to the financial entity's network by any + unauthorised device or system, or any endpoint not meeting the financial entity's + security requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.e + description: the encryption of network connections passing over corporate networks, + public networks, 
domestic networks, third-party networks, and wireless networks, + for communication protocols used, taking into account the results of the approved + data classification, the results of the ICT risk assessment and the encryption + of network connections referred to in Article 6(2); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.f + description: the design of networks in line with the ICT security requirements + established by the financial entity, taking into account leading practices + to ensure the confidentiality, integrity, and availability of the network; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.g + description: the securing of network traffic between the internal networks and + the internet and other external connections; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.h + description: the identification of the roles and responsibilities and steps + for the specification, implementation, approval, change, and review of firewall + rules and connections filters; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.i + description: the performance of reviews of the network architecture and of the + network security design once a year, and periodically for microenterprises, + to identify potential vulnerabilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + 
ref_id: 13.1.j + description: the measures to temporarily isolate, where necessary, subnetworks, + and network components and devices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.k + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.k + description: the implementation of a secure configuration baseline of all network + components, and the hardening of the network and of network devices in line + with any vendor instructions, where applicable standards, as defined in Article + 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.l + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.l + description: the procedures to limit, lock, and terminate system and remote + sessions after a specified period of inactivity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.m + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1 + ref_id: 13.1.m + description: 'for network services agreements:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.m.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.m + ref_id: 13.1.m.i + description: the identification and specification of ICT and information security + measures, service levels, and management requirements of all network services; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.m.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:13.1.m + ref_id: 13.1.m.ii + description: whether those services are provided by an ICT intra-group service + provider or by ICT third-party service providers. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node215 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-13 + description: For the purposes of point (h), financial entities shall perform + the review of firewall rules and connections filters on a regular basis in + accordance with the classification established in accordance with Article + 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems + involved. For ICT systems that support critical or important functions, financial + entities shall verify the adequacy of the existing firewall rules and connection + filters at least every 6 months. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-14 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-6 + ref_id: Article 14 + description: Securing information in transit + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-14 + ref_id: '14.1' + description: 'As part of the safeguards to preserve the availability, authenticity, + integrity and confidentiality of data, financial entities shall develop, document, + and implement the policies, procedures, protocols, and tools to protect information + in transit. 
Financial entities shall in particular ensure all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1 + ref_id: 14.1.a + description: the availability, authenticity, integrity and confidentiality of + data during network transmission, and the establishment of procedures to assess + compliance with those requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1 + ref_id: 14.1.b + description: the prevention and detection of data leakages and the secure transfer + of information between the financial entity and external parties; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.1 + ref_id: 14.1.c + description: "that requirements on confidentiality or non-disclosure arrangements\ + \ reflecting the financial entity\u2019s needs for the protection of information\ + \ for both the staff of the financial entity and of third parties are implemented,\ + \ documented, and regularly reviewed." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:14.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-14 + ref_id: '14.2' + description: Financial entities shall design the policies, procedures, protocols, + and tools to protect the information in transit referred to in paragraph 1 + on the basis of the results of the approved data classification and of the + ICT risk assessment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 7 + description: ICT PROJECT AND CHANGE MANAGEMENT + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-7 + ref_id: Article 15 + description: ICT project management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + ref_id: '15.1' + description: As part of the safeguards to preserve the availability, authenticity, + integrity, and confidentiality of data, financial entities shall develop, + document, and implement an ICT project management policy. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + ref_id: '15.2' + description: "The ICT project management policy referred to in paragraph 1 shall\ + \ specify the elements that ensure the effective management of the ICT projects\ + \ related to the acquisition, maintenance and, where applicable, development\ + \ of the financial entity\u2019s ICT systems" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + ref_id: '15.3' + description: 'The ICT project management policy referred to in paragraph 1 shall + contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.a + description: ICT project objectives; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.b + description: ICT project governance, including roles and responsibilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.c + description: ICT project planning, timeframe, and steps; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.d + description: ICT project risk assessment; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.e + description: relevant milestones; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.f + description: change management requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.3 + ref_id: 15.3.g + description: the testing of all requirements, including security requirements, + and the respective approval process when deploying an ICT system in the production + environment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + ref_id: '15.4' + description: The ICT project management policy referred to in paragraph 1 shall + ensure the secure ICT project implementation through the provision of the + necessary information and expertise from the business area or functions impacted + by the ICT project. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-15 + ref_id: '15.5' + description: 'In accordance with the ICT project risk assessment referred to + in paragraph 3, point (d), the ICT project management policy referred to in + paragraph 1 shall provide that the establishment and progress of ICT projects + impacting critical or important functions of the financial entity and their + associated risks are reported to the management body as follows:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.5 + ref_id: 15.5.a + description: individually or in aggregation, depending on the importance and + size of the ICT projects; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:15.5 + ref_id: 15.5.b + description: periodically and, where necessary, on an event-driven basis. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-7 + ref_id: Article 16 + description: ICT systems acquisition, development, and maintenance + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.1' + description: 'As part of the safeguards to preserve the availability, authenticity, + integrity, and confidentiality of data, financial entities shall develop, + document and implement a policy governing the acquisition, development, and + maintenance of ICT systems. That policy shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1 + ref_id: 16.1.a + description: identify security practices and methodologies relating to the acquisition, + development, and maintenance of ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1 + ref_id: 16.1.b + description: 'require the identification of:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.b + ref_id: 16.1.b.i + description: technical specifications and ICT technical specifications, as defined + in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.b + ref_id: 16.1.b.ii + description: "requirements relating to the acquisition, development, and maintenance\ + \ of ICT 
systems, with a particular focus on ICT security requirements and\ + \ on their approval by the relevant business function and ICT asset owner\ + \ in accordance with the financial entity\u2019s internal governance arrangements;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.1 + ref_id: 16.1.c + description: specify measures to mitigate the risk of unintentional alteration + or intentional manipulation of the ICT systems during the development, maintenance, + and deployment of those ICT systems in the production environment. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.2' + description: "Financial entities shall develop, document, and implement an ICT\ + \ systems\u2019 acquisition, development, and maintenance procedure for the\ + \ testing and approval of all ICT systems prior to their use and after maintenance,\ + \ in accordance with Article 8(2), point (b), points (v), (vi) and (vii).\ + \ The level of testing shall be commensurate to the criticality of the business\ + \ procedures and ICT assets concerned. The testing shall be designed to verify\ + \ that new ICT systems are adequate to perform as intended, including the\ + \ quality of the software developed internally." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node246 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + description: 'Central counterparties shall, in addition to the requirements + laid down in the first subparagraph, involve, as appropriate, in the design + and conduct of the testing referred to in the first subparagraph:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node247 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node246 + description: (a)clearing members and clients; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node248 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node246 + description: (b)interoperable central counterparties; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node249 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node246 + description: (c)other interested parties. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + description: Central securities depositories shall, in addition to the requirements + laid down in the first subparagraph, involve, as appropriate, in the design + and conduct of the testing referred to in the first subparagraph + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node251 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + description: (a)users; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node252 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + description: (b)critical utilities and critical service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node253 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + description: (c)other central securities depositories; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node254 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + description: (d)other market infrastructures; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node255 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node250 + description: '(e)any other institutions with which central securities depositories + have identified + + interdependencies in their business continuity policy.' 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.3' + description: 'The procedure referred to in paragraph 2 shall contain the performance + of source code reviews covering both static and dynamic testing. That testing + shall contain security testing for internet-exposed systems and applications + in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial + entities shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3 + ref_id: 16.3.a + description: identify and analyse vulnerabilities and anomalies in the source + code; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3 + ref_id: 16.3.b + description: adopt an action plan to address those vulnerabilities and anomalies; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.3 + ref_id: 16.3.c + description: monitor the implementation of that action plan. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.4' + description: The procedure referred to in paragraph 2 shall contain security + testing of software packages no later than at the integration phase, in accordance + with Article 8(2), points (b)(v), (vi) and(vii). 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.5' + description: 'The procedure referred to in paragraph 2 shall provide that:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.5 + ref_id: 16.5.a + description: non-production environments only store anonymised, pseudonymised, + or randomised production data; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.5 + ref_id: 16.5.b + description: 'financial entities are to protect the integrity and confidentiality + of data in non- + + production environments.' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.6' + description: By way of derogation from paragraph 5, the procedure referred to + in paragraph 2 may provide that production data are stored only for specific + testing occasions, for limited periods of time, and following the approval + by the relevant function and the reporting of such occasions to the ICT risk + management function. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.7' + description: The procedure referred to in paragraph 2 shall contain the implementation + of controls to protect the integrity of the source code of ICT systems that + are developed in-house or by an ICT third-party service provider and delivered + to the financial entity by an ICT third-parties service provider. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.8' + description: The procedure referred to in paragraph 2 shall provide that proprietary + software and, where feasible, the source code provided by ICT third-party + service providers or coming from open-source projects, are to be analysed + and tested in accordance with paragraph 3 prior to their deployment in the + production environment. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:16.9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-16 + ref_id: '16.9' + description: Paragraph 1 to 8 of this Article shall also apply to ICT systems + developed or managed by users outside the ICT function, using a risk-based + approach. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-17 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-7 + ref_id: Article 17 + description: ICT change management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-17 + ref_id: '17.1' + description: 'As part of the safeguards to preserve the availability, authenticity, + integrity, and confidentiality of data, financial entities shall include in + the ICT change management procedures referred to in Article 9(4), point (e), + of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, + firmware components, systems, or security parameters, all of the following + elements:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.a + description: a verification of whether 
the ICT security requirements have been + met; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.b + description: mechanisms to ensure the independence of the functions that approve + changes and the functions responsible for requesting and implementing those + changes; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.c + description: 'a clear description of the roles and responsibilities to ensure + that:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c + ref_id: 17.1.c.i + description: changes are specified and planned; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c + ref_id: 17.1.c.ii + description: an adequate transition is designed; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c + ref_id: 17.1.c.iii + description: the changes are tested and finalised in a controlled manner; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.c + ref_id: 17.1.c.iv + description: there is an effective quality assurance; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.d + description: 'the documentation and communication of change 
details, including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d + ref_id: 17.1.d.i + description: the purpose and scope of the change; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d + ref_id: 17.1.d.ii + description: the timeline for the implementation of the change; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.d + ref_id: 17.1.d.iii + description: the expected outcomes; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.e + description: the identification of fall-back procedures and responsibilities, + including procedures and responsibilities for aborting changes or recovering + from changes not successfully implemented; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.f + description: procedures, protocols, and tools to manage emergency changes that + provide adequate safeguards; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.g + description: procedures to document, re-evaluate, assess, and approve emergency + changes after their implementation, including workarounds and patches; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1.h + assessable: true + depth: 6 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.1 + ref_id: 17.1.h + description: the identification of the potential impact of a change on existing + ICT security measures and an assessment of whether such change requires the + adoption of additional ICT security measures. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:17.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-17 + ref_id: '17.2' + description: After having made significant changes to their ICT systems, central + counterparties and central securities depositories shall submit their ICT + systems to stringent testing by simulating stressed conditions. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node286 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-17 + description: 'Central counterparties shall involve, as appropriate, in the design + and conduct of the testing referred to in the first subparagraph:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node287 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node286 + description: (a) clearing members and clients; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node288 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node286 + description: (b) interoperable central counterparties; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node289 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node286 + description: (c) other interested parties; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-17 + description: 'Central securities depositories shall, as appropriate, 
involve + in the design and conduct of the testing referred to in the first subparagraph:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node291 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + description: (a) users; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node292 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + description: (b) critical utilities and critical service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node293 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + description: (c) other central securities depositories; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node294 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + description: (d) other market infrastructures; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node295 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node290 + description: (e) any other institutions with which central securities depositories + have identified interdependencies in their ICT business continuity policy + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node11 + ref_id: SECTION 8 + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:section-8 + ref_id: Article 18 + description: Physical and environmental security + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.1 + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-18 + ref_id: '18.1' + description: As part of the safeguards to preserve the availability, authenticity, + integrity, and confidentiality of data, financial entities shall specify, + document, and implement a physical and environmental security policy. Financial + entities shall design that policy i light of the cyber threat landscape, in + accordance with the classification established in accordance with Article + 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile + of ICT assets and accessible information assets. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-18 + ref_id: '18.2' + description: 'The physical and environmental security policy referred to in + paragraph 1 shall contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + ref_id: 18.2.a + description: a reference to the section of the policy on control of access management + rights referred to in Article 21(1) point (g) + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + ref_id: 18.2.b + description: measures to protect from attacks, accidents, and environmental + threats and hazards, the premises, data centres of the financial entity, and + sensitivedesignated areas identified by the financial entity, where ICT assets + and information assets reside; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + ref_id: 18.2.c + description: measures to secure ICT assets, both within and outside the 
premises + of the financial entity, taking into account the results of the ICT risk assessment + related to the relevant ICT assets + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + ref_id: 18.2.d + description: measures to ensure the availability, authenticity, integrity, and + confidentiality of ICT assets, information assets, and physical access control + devices of the financial entity through the appropriate maintenance; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2 + ref_id: 18.2.e + description: 'measures to preserve the availability, authenticity, integrity, + and confidentiality of the data, including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.e.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.e + ref_id: 18.2.e.i + description: a clear desk policy for papers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.e.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:18.2.e + ref_id: 18.2.e.ii + description: a clear screen policy for information processing facilities. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node307 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-18 + description: For the purposes of point (b), the measures to protect from environmental + threats and hazards shall be commensurate with the importance of the premises, + data centres, sensitive designated areas, and the criticality of the operations + or ICT systems located therein. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-18 + description: For the purposes of point (c), the physical and environmental security + policy referred to in paragraph 1 shall contain measures to provide appropriate + protection to unattended ICT assets. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node309 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + name: CHAPTER II + description: HUMAN RESOURCES POLICY AND ACCESS CONTROL + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-19 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node309 + ref_id: Article 19 + description: Human resources policy + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node311 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-19 + description: 'Financial entities shall include in their human resource policy + or other relevant policies all of the following ICT security related elements:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node311 + ref_id: 19.a + description: the identification and assignment of any specific ICT security + responsibilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node311 + ref_id: 19.b + description: 'requirements for staff of the financial entity and of the ICT + third-party service providers using or accessing ICT assets of the financial + entity to:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b.i + assessable: true + depth: 6 + 
parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b + ref_id: 19.b.i + description: be informed about, and adhere to, the financial entity's ICT security + policies, procedures, and protocols; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b + ref_id: 19.b.ii + description: be aware of the reporting channels put in place by the financial + entity for the detection of anomalous behaviour, including, where applicable, + the reporting channels established in line with Directive (EU) 2019/1937 of + the European Parliament and of the Council10; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:19.b + ref_id: 19.b.iii + description: for the staff, to return to the financial entity, upon termination + of employment, all ICT assets and tangible information assets in their possession + that belong to the financial entity. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-20 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node309 + ref_id: Article 20 + description: Identity management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-20 + ref_id: '20.1' + description: "As part of their control of access management rights, financial\ + \ entities shall develop, document, and implement identity management policies\ + \ and procedures that ensure the unique identification and authentication\ + \ of natural persons and systems accessing the financial entities\u2019 information\ + \ to enable assignment of user access rights in accordance with Article 21." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-20 + ref_id: '20.2' + description: 'The identity management policies and procedures referred to in + paragraph 1 shall contain all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.2 + ref_id: 20.2.a + description: without prejudice to Article 21(1), point (c), a unique identity + corresponding to a unique user account shall be assigned to each staff member + of the financial entity or staff of the ICT third-party service providers + accessing the information assets and ICT assets of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:20.2 + ref_id: 20.2.b + description: a lifecycle management process for identities and accounts managing + the creation, change, review and update, temporary deactivation, and termination + of all accounts. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node322 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-20 + description: For the purposes of point (a), financial entities shall maintain + records of all identity assignments. Those records shall be kept following + a reorganisation of the financial entity or after the end of the contractual + relationship without prejudice to the retention requirements laid down in + applicable Union and national law. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node323 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-20 + description: For the purposes of point (b), financial entities shall, where + feasible and appropriate, deploy automated solutions for the lifecycle identity + management process. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node309 + ref_id: Article 21 + description: Access control + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + description: 'As part of their control of access management rights, financial + entities shall develop, document, and implement a policy that contains all + of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.a + description: the assignment of access rights to ICT assets based on need-to-know, + need-to-use and least privilege principles, including for remote and emergency + access; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.b + description: the segregation of duties designed to prevent unjustified access + to critical data or to prevent the allocation of combinations of access rights + that may be used to circumvent controls; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.c + description: a provision on user accountability, by limiting to the extent 
possible + the use of generic and shared user accounts and ensuring that users are identifiable + for the actions performed in the ICT systems at all times; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.d + description: a provision on restrictions of access to ICT assets, setting out + controls and tools to prevent unauthorised access; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.e + description: 'account management procedures to grant, change or revoke access + rights for user and generic accounts, including generic administrator accounts, + including provision on all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e + ref_id: 21.e.i + description: assignment of roles and responsibilities for granting, reviewing, + and revoking access rights; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e + ref_id: 21.e.ii + description: assignment of privileged, emergency, and administrator access on + a need-to-use or an ad-hoc basis for all ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e + ref_id: 21.e.iii + description: withdrawal of access rights without undue delay upon termination + of the employment or when the access is no longer necessary; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e.iv + assessable: true + depth: 6 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.e + ref_id: 21.e.iv + description: update of access rights where changes are necessary and at least + once a year for all ICT systems, other than ICT systems supporting critical + or important functions and at least every 6 months for ICT systems supporting + critical or important functions. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.f + description: 'authentication methods, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.f.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.f + ref_id: 21.f.i + description: the use of authentication methods commensurate to the classification + established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and + to the overall risk profile of ICT assets and considering leading practices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.f.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.f + ref_id: 21.f.ii + description: the use of strong authentication methods in accordance with leading + practices and techniques for remote access to the financial entity's network, + for privileged access, for access to ICT assets supporting critical or important + functions or ICT assets that are publicly accessible; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node325 + ref_id: 21.g + description: 'physical access controls measures including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g + ref_id: 
21.g.i + description: the identification and logging of natural persons that are authorised + to access premises, data centres, and sensitive designated areas identified + by the financial entity where ICT and information assets reside; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g + ref_id: 21.g.ii + description: the granting of physical access rights to critical ICT assets to + authorised persons only, in accordance with the need-to-know and least privilege + principles, and on an ad-hoc basis; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g + ref_id: 21.g.iii + description: the monitoring of physical access to premises, data centres, and + sensitive designated areas identified by the financial entity where ICT and + information assets or both reside; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:21.g + ref_id: 21.g.iv + description: the review of physical access rights to ensure that unnecessary + access rights are promptly revoked. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node343 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + description: For the purposes of point (e)(i), financial entities shall establish + the retention period taking into account the business and information security + objectives, the reasons for recording the event in the logs, and the results + of the ICT risk assessment. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node344 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + description: For the purposes of point (e)(ii), financial entities shall, where + possible, use dedicated accounts for the performance of administrative tasks + on ICT systems. Where feasible and appropriate, financial entities shall deploy + automated solutions for the privilege access management. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node345 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + description: For the purposes of point (g)(i), the identification and logging + shall be commensurate with the importance of the premises, data centres, sensitive + designated areas, and the criticality of the operations or ICT systems located + therein. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node346 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-21 + description: For the purposes of point (g)(iii), the monitoring shall be commensurate + to the classification established in accordance with Article 8(1) of Regulation + (EU) 2022/2554 and the criticality of the area accessed. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node347 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + name: CHAPTER III + description: ICT-RELATED INCIDENT DETECTION AND RESPONSE + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-22 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node347 + ref_id: Article 22 + description: ICT-related incident management policy + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-22 + description: 'As part of the mechanisms to detect anomalous activities, including + ICT network performance issues and ICT-related incidents, financial entities + shall develop, document, and implement an ICT-related incident policy through + which they shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + ref_id: 22.a + description: document the ICT-related incident management process referred to + in Article 17 of Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + ref_id: 22.b + description: 'establish a list of relevant contacts with internal functions + and external stakeholders that are directly involved in ICT operations security, + including on:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b + ref_id: 22.b.i + description: the detection and monitoring of cyber threats; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b.ii + 
assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b + ref_id: 22.b.ii + description: the detection of anomalous activities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.b + ref_id: 22.b.iii + description: vulnerability management; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + ref_id: 22.c + description: establish, implement, and operate technical, organisational, and + operational mechanisms to support the ICT-related incident management process, + including mechanisms to enable a prompt detection of anomalous activities + and behaviours in accordance with Article 23 of this Regulation; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + ref_id: 22.d + description: "retain all evidence relating to ICT-related incidents for a period\ + \ that shall be no longer than necessary for the purposes for which the data\ + \ are collected, commensurate with the criticality of the affected business\ + \ functions, supporting processes, and ICT and information assets, in accordance\ + \ with [Article [15] of Commission Delegated Regulation (EU) [\u2026]/[\u2026\ + ] [Commission Delegated Regulation on classification of ICT- related incidents]11\ + \ and with any applicable retention requirement pursuant to Union law;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:22.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node349 + ref_id: 22.e + description: establish and implement mechanisms to analyse significant or recurring + ICT-related incidents and patterns in the 
number and the occurrence of ICT-related + incidents. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node358 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-22 + description: For the purposes of point (d), financial entities shall retain + the evidence referred to in that point in a secure manner. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node347 + ref_id: Article 23 + description: Anomalous activities detection and criteria for ICT-related incidents + detection and response + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.1' + description: Financial entities shall set clear roles and responsibilities to + effectively detect and respond to ICT-related incidents and anomalous activities. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.2' + description: 'The mechanism to promptly detect anomalous activities, including + ICT network performance issues and ICT-related incidents, as referred to in + Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities + to:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2 + ref_id: 23.2.a + description: 'collect, monitor, and analyse all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a + ref_id: 23.2.a.i + description: internal and external factors, including at least the logs collected + in accordance with Article 12 of this Regulation, information from business + and ICT functions, and any problem reported by users of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a + ref_id: 23.2.a.ii + description: potential internal and external cyber threats, considering scenarios + commonly used by threat actors and scenarios based on threat intelligence + activity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.a + ref_id: 23.2.a.iii + description: ICT-related incident notification from an ICT third-party service + provider of the financial entity detected in the ICT systems and networks + of the ICT third-party service provider and that may affect the financial + entity; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2 + ref_id: 23.2.b + description: identify anomalous activities and behaviour, and implement tools + generating alerts for anomalous activities and behaviour, at least for ICT + assets and information assets supporting critical or important functions; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2 + ref_id: 23.2.c + description: prioritise the alerts referred to in point (b) to allow for the + management of the detected ICT-related incidents within the expected resolution + time, as specified by financial entities, both during and outside working + hours; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.2 + ref_id: 23.2.d + description: record, analyse, and evaluate any relevant information on all anomalous + activities and behaviours automatically or manually. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node369 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + description: For the purposes of point (b), the tools referred to in that point + shall contain the tools that provide automated alerts based on pre-defined + rules to identify anomalies affecting the completeness and integrity of the + data sources or log collection. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.3' + description: Financial entities shall protect any recording of the anomalous + activities against tampering and unauthorised access at rest, in transit and, + where relevant, in use. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.4' + description: 'Financial entities shall log all relevant information for each + detected anomalous activity enabling:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4 + ref_id: 23.4.a + description: the identification of the date and time of occurrence of the anomalous + activity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4 + ref_id: 23.4.b + description: the identification of the date and time of detection of the anomalous + activity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.4 + ref_id: 23.4.c + description: the identification of the type of the anomalous activity. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.5' + description: 'Financial entities shall consider all of the following criteria + to trigger the ICT-related incident detection and response processes referred + to in Article 10(2) of Regulation (EU) 2022/2554:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5 + ref_id: 23.5.a + description: indications that malicious activity may have been carried out in + an ICT system or network, or that such ICT system or network may have been + compromised; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5 + ref_id: 23.5.b + description: data losses detected in relation to the availability, authenticity, + integrity, and confidentiality of data; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5 + ref_id: 23.5.c + description: adverse impact detected on financial entity's transactions and + operations; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.5 + ref_id: 23.5.d + description: "ICT systems\u2019 and network unavailability;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:23.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-23 + ref_id: '23.6' + description: For the purposes of paragraph 5, financial entities shall also + consider the criticality of the services affected. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node381 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + name: CHAPTER IV + description: ICT BUSINESS CONTINUITY MANAGEMENT + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node381 + ref_id: Article 24 + description: Components of the ICT business continuity policy + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + ref_id: '24.1' + description: 'Financial entities shall include in their ICT business continuity + policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the + following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1 + ref_id: 24.1.a + description: 'a description of:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a + ref_id: 24.1.a.i + description: the objectives of the ICT business continuity policy, including + the interrelation of ICT and overall business continuity, and considering + the results of the business impact analysis (BIA) referred to in Article 11(5) + of Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a + ref_id: 24.1.a.ii + description: the scope of the ICT business continuity arrangements, plans, procedures, + and mechanisms, including limitations and exclusions; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a + ref_id: 24.1.a.iii + description: the timeframe to be covered by the ICT business continuity arrangements, + plans, procedures, and mechanisms; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.a + ref_id: 24.1.a.iv + description: the criteria to activate and deactivate ICT business continuity + plans, ICT response and recovery plans, and crisis communications plans; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1 + ref_id: 24.1.b + description: 'provisions on:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.i + description: the governance and organisation to implement the ICT business continuity + policy, including roles, responsibilities and escalation procedures ensuring + that sufficient resources are available; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.ii + description: 'the alignment between the ICT business continuity plans and the + overall business continuity plans, concerning at least all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.ii.1 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.ii + ref_id: 24.b.ii.1 + description: potential failure scenarios, including the scenarios referred to + in Article 26(2) of this Regulation; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.ii.2 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.ii + ref_id: 24.b.ii.2 + description: recovery objectives, specifying that the financial entity shall + be able to recover the operations of its critical or important functions after + disruptions within a recovery time objective and a recovery point objective; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.iii + description: the development of ICT business continuity plans for severe business + disruptions as part of those plans, and the prioritisation of ICT business + continuity actions using a risk-based approach; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.iv + description: the development, testing and review of ICT response and recovery + plans, in accordance with Articles 25 and 26 of this Regulation; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.v + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.v + description: the review of the effectiveness of the implemented ICT business + continuity arrangements, plans, procedures and mechanisms, in accordance with + Article 26 of this Regulation; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.vi + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.1.b + ref_id: 24.b.vi + description: 'the alignment of the ICT business continuity policy to:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.vi.1 + assessable: true + depth: 7 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.vi + ref_id: 24.b.vi.1 + description: the communication policy referred to in Article 14(2) of Regulation + (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.vi.2 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.b.vi + ref_id: 24.b.vi.2 + description: the communication and crisis communication actions referred to + in Article 11(2), point (e), of Regulation (EU) 2022/2554. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + ref_id: '24.2' + description: 'In addition to the requirements referred to in paragraph 1, central + counterparties shall ensure that their ICT business continuity policy:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2 + ref_id: 24.2.a + description: contains a maximum recovery time for their critical functions that + is not longer than 2 hours; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2 + ref_id: 24.2.b + description: takes into account external links and interdependencies within + the financial infrastructures, including trading venues cleared by the central + counterparty, securities settlement and payment systems, and credit institutions + used by the central counterparty or a linked central counterparty; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2 + ref_id: 24.2.c + description: 'requires that arrangements are in place to:' + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c + ref_id: 24.2.c.i + description: ensure the continuity of critical or important functions of the + central counterparty based on disaster scenarios; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c + ref_id: 24.2.c.ii + description: maintain a secondary processing site capable of ensuring continuity + of critical or important functions of the central counterparty identical to + the primary site; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c + ref_id: 24.2.c.iii + description: maintain or have immediate access to a secondary business site, + to allow staff to ensure continuity of the service if the primary location + of business is not available; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.2.c + ref_id: 24.2.c.iv + description: "consider the need for additional processing sites, in particular\ + \ where the diversity of the risk profiles of the primary and secondary sites\ + \ does not provide sufficient confidence that the central counterparty\u2019\ + s business continuity objectives will be met in all scenarios." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node408 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + description: For the purposes of point (a), central counterparties shall complete + end of day procedures and payments on the required time and day in all circumstances. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node409 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + description: For the purposes of point (c)(i), arrangements referred to in that + point shall address the availability of adequate human resources, the maximum + downtime of critical functions, and fail over and recovery to a secondary + site. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node410 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + description: For the purposes of point (c)(ii), the secondary processing site + referred to in that point shall have a geographical risk profile which is + distinct from that of the primary site. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + ref_id: '24.3' + description: 'In addition to the requirements referred to in paragraph 1, central + securities depositories shall ensure that their ICT business continuity policy:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.3.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.3 + ref_id: 24.3.a + description: takes into account any links and interdependencies to users, critical + utilities and critical service providers, other central securities depositories + and other market infrastructures; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.3.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.3 + ref_id: 24.3.b + description: requires its ICT business continuity arrangements to ensure that + the recovery time objective for their critical or important functions shall + not be longer than 2 hours. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-24 + ref_id: '24.4' + description: 'In addition to the requirements referred to in paragraph 1, trading + venues shall ensure that their ICT business continuity policy ensures that:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.4.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.4 + ref_id: 24.4.a + description: trading can be resumed within or close to 2 hours of a disruptive + incident; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.4.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:24.4 + ref_id: 24.4.b + description: the maximum amount of data that may be lost from any IT service + of the trading venue after a disruptive incident is close to zero. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node381 + ref_id: Article 25 + description: Testing of the ICT business continuity plans + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + ref_id: '25.1' + description: "When testing the ICT business continuity plans in accordance with\ + \ Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take\ + \ into account the financial entity\u2019s business impact analysis (BIA)\ + \ and the ICT risk assessment referred to in Article 3(1), point (b), of this\ + \ Regulation." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + ref_id: '25.2' + description: "Financial entities shall assess through the testing of their ICT\ + \ business continuity plans referred to in paragraph 1 whether they are able\ + \ to ensure the continuity of the financial entity\u2019s critical or important\ + \ functions. That testing shall:" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + ref_id: 25.2.a + description: 'be performed on the basis of test scenarios that simulate potential + disruptions, + + including an adequate set of severe but plausible scenarios;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + ref_id: 25.2.b + description: contain the testing of ICT services provided by ICT third-party + service providers, where applicable; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + ref_id: 25.2.c + description: ' for financial entities, other than microenterprises, as referred + to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain + scenarios of switchover from primary ICT infrastructure to the redundant capacity, + backups and redundant facilities;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + ref_id: 25.2.d + description: be designed to challenge the assumptions on which the business + continuity plans are based, including governance arrangements and crisis communication + plans; 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.2 + ref_id: 25.2.e + description: "contain procedures to verify the ability of the financial entities\u2019\ + \ staff, of ICT third-party service providers, of ICT systems, and ICT services\ + \ to respond adequately to the scenarios duly taken into account in accordance\ + \ with Article 26(2)." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node425 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + description: For the purposes of point (a), financial entities shall always + include in the testing the scenarios considered for the development of the + business continuity plans. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node426 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + description: "For the purposes of point (b), financial entities shall duly consider\ + \ scenarios linked to insolvency or failures of the ICT third-party service\ + \ providers or linked to political risks in the ICT third-party service providers\u2019\ + \ jurisdictions, where relevant." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node427 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + description: 'For the purposes of point (c), the testing shall verify whether + at least critical or + + important functions can be operated appropriately for a sufficient period + of time, and + + whether the normal functioning may be restored.' 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + ref_id: '25.3' + description: 'In addition to the requirements referred to in paragraph 2, central + counterparties shall involve in the testing of their ICT business continuity + plans referred to in paragraph 1:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3 + ref_id: 25.3.a + description: clearing members; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3 + ref_id: 25.3.b + description: external providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.3 + ref_id: 25.3.c + description: relevant institutions in the financial infrastructure with which + central counterparties have identified interdependencies in their business + continuity policies. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + ref_id: '25.4' + description: 'In addition to the requirements referred to in paragraph 2, central + securities depositories shall involve in the testing of their ICT business + continuity plans referred to in paragraph 1, as appropriate:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + ref_id: 25.4.a + description: users of the central securities depositories; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + ref_id: 25.4.b + description: critical utilities and critical service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + ref_id: 25.4.c + description: other central securities depositories; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + ref_id: 25.4.d + description: other market infrastructures; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.4 + ref_id: 25.4.e + description: any other institutions with which central securities depositories + have identified interdependencies in their business continuity policy. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:25.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-25 + ref_id: '25.5' + description: Financial entities shall document the results of the testing referred + to in paragraph 1. Any identified deficiencies resulting from that testing + shall be analysed, addressed,and reported to the management body. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node381 + ref_id: Article 26 + description: ICT response and recovery plans + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + ref_id: '26.1' + description: "When developing the ICT response and recovery plans referred to\ + \ in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall\ + \ take into account the results of the financial entity\u2019s business impact\ + \ analysis (BIA). 
Those ICT response and recovery plans shall:" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.a + description: 'specify the conditions prompting their activation or deactivation, + and any + + exceptions for such activation or deactivation;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.b + description: describe what actions are to be taken to ensure the availability, + integrity, continuity, and recovery of at least ICT systems and services supporting + critical or important functions of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.c + description: 'be designed to meet the recovery objectives of the operations + of the financial + + entities;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.d + description: be documented and made available to the staff involved in the execution + of ICT response and recovery plans and be readily accessible in case of emergency; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.e + description: provide for both short-term and long-term recovery options, including + partial systems recovery; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.1 + ref_id: 26.1.f + description: lay 
down the objectives of ICT response and recovery plans and + the conditions to declare a successful execution of those plans. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node447 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + description: For the purposes of point (d), financial entities shall clearly + specify roles and responsibilities. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + ref_id: '26.2' + description: 'The ICT response and recovery plans referred to in paragraph 1 + shall identify relevant scenarios, including scenarios of severe business + disruptions and increased likelihood of occurrence of disruption. Those plans + shall develop scenarios based on current information on threats and on lessons + learned from previous occurrences of business disruptions. 
Financial entities + shall duly take into account all of the following scenarios:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.a + description: cyber-attacks and switchovers between the primary ICT infrastructure + and the redundant capacity, backups, and redundant facilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.b + description: scenarios in which the quality of the provision of a critical or + important function deteriorates to an unacceptable level or fails, and duly + consider the potential impact of the insolvency, or other failures, of any + relevant ICT third- party service provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.c + description: partial or total failure of premises, including office and business + premises, and data centres; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.d + description: substantial failure of ICT assets or of the communication infrastructure; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.e + description: the non-availability of a critical number of staff or staff members + in charge of guaranteeing the continuity of operations; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.f + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.f + description: impact of climate change and environment degradation related events, + natural disasters, pandemics, and physical attacks, including intrusions and + terrorist attacks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.g + description: insider attacks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.h + description: "political and social instability, including, where relevant, in\ + \ the ICT third-party service provider\u2019s jurisdiction and the location\ + \ where the data are stored and processed;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.2 + ref_id: 26.2.i + description: widespread power outages + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + ref_id: '26.3' + description: Where the primary recovery measures may not be feasible in the + short term because of costs, risks, logistics, or unforeseen circumstances, + the ICT response and recovery plans referred to in paragraph 1 shall consider + alternative options. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:26.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-26 + ref_id: '26.4' + description: As part of the ICT response and recovery plans referred to in paragraph + 1, financial entities shall consider and implement continuity measures to + mitigate failures of ICT third-party service providers of ICT services supporting + critical or important functions of the financial entity. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node460 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-ii + name: CHAPTER V + description: REPORT ON THE ICT RISK MANAGEMENT FRAMEWORK REVIEW + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-27 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node460 + ref_id: Article 27 + description: Format and content of the report on the review of the ICT risk + management framework + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-27 + ref_id: '27.1' + description: Financial entities shall submit the report on the review of the + ICT risk management framework referred to in Article 6(5) of Regulation (EU) + 2022/2554 in a searchable electronic format. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-27 + ref_id: '27.2' + description: 'Financial entities shall include all of the following information + in the report referred to in paragraph 1:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.a + description: 'an introductory section that:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a + ref_id: 27.2.a.i + description: clearly identifies the financial entity that is the subject of + the report, and describes its group structure, where relevant; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a + ref_id: 27.2.a.ii + description: describes the context of the report in terms of the nature, scale, + and complexity of the financial entity's services, activities, and operations, + its organisation, identified critical functions, strategy, major ongoing projects + or activities, relationships and its dependence on in-house and contracted + ICT services and systems or the implications that a total loss or severe degradation + of such systems would have in terms of critical or important functions and + market efficiency; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a + ref_id: 27.2.a.iii + description: summarises the major changes in the ICT risk management framework + since the previous report submitted; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.a + ref_id: 27.2.a.iv + description: provides an executive level summary of the current and near-term + ICT risk profile, threat landscape, the assessed effectiveness of its controls, + and the security posture of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.b + description: the date of the approval of the report by the management body of + the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.c + description: a description of the reason for the review of the ICT risk management + framework in accordance with Article 6(5) of Regulation (EU) 2022/2554.; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.d + description: the start and end dates of the review period; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.e + description: an indication of the function responsible for the review; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.f + description: a description of the major changes and improvements to the ICT + risk management framework since the previous review; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.g + assessable: true 
+ depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.g + description: a summary of the findings of the review and detailed analysis and + assessment of the severity of the weaknesses, deficiencies, and gaps in the + ICT risk management framework during the review period; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.h + description: 'a description of the measures to address identified weaknesses, + deficiencies, and gaps, including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.i + description: a summary of measures taken to remediate to identified weaknesses, + deficiencies and gaps; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.ii + description: an expected date for implementing the measures and dates related + to the internal control of the implementation, including information on the + state of progress of the implementation of those measures as at the date of + drafting of the report, explaining, where applicable, if there is a risk that + deadlines may not be respected; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.iii + description: tools to be used, and the identification of the function responsible + for carrying out the measures, detailing whether the tools and functions are + internal or external; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.iv + assessable: true + 
depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.iv + description: ' a description of the impact of the changes envisaged in the measures + on the financial entity''s budgetary, human, and material resources, including + resources dedicated to the implementation of any corrective measures;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.v + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.v + description: information on the process for informing the competent authority, + where appropriate; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h.vi + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.h + ref_id: 27.2.h.vi + description: where the weaknesses, deficiencies, or gaps identified are not + subject to corrective measures, a detailed explanation of the criteria used + to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate + the related residual ICT risk, and of the criteria used to accept the related + residual risk; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.i + description: information on planned further developments of the ICT risk management + framework; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.j + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.j + description: conclusions resulting from the review of the ICT risk management + framework; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.k + description: 'information on past 
reviews, including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k + ref_id: 27.2.k.i + description: a list of past reviews to date; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k + ref_id: 27.2.k.ii + description: where applicable, a state of implementation of the corrective measures + identified by the last report; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.k + ref_id: 27.2.k.iii + description: where the proposed corrective measures in past reviews have proven + ineffective or have created unexpected challenges, a description of how those + corrective measures could be improved or of those unexpected challenges; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2 + ref_id: 27.2.l + description: 'sources of information used in the preparation of the report, + including all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l + ref_id: 27.2.l.i + description: for financial entities other than microenterprises as referred + to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l + ref_id: 27.2.l.ii + description: the results of compliance assessments; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l + ref_id: 27.2.l.iii + description: 'results of digital operational resilience testing, and where applicable + the + + results of advanced testing, based on threat-led penetration testing (TLPT), + + of ICT tools, systems, and processes;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:27.2.l + ref_id: 27.2.l.iv + description: external sources. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node493 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-27 + description: For the purposes of point (c), where the review was initiated following + supervisory instructions, or conclusions derived from relevant digital operational + resilience testing or audit processes, the report shall contain explicit references + to such instructions or conclusions, allowing for the identification of the + reason for initiating the review. Where the review was initiated following + ICT-related incidents, the report shall contain the list of all ICT related + incidents with incident root-cause analysis. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node494 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-27 + description: For the purposes of point (f), the description shall contain an + analysis of the impact of the changes on the financial entity's digital operational + resilience strategy, on the financial entity's ICT internal control framework, + and on the financial entity's ICT risk management governance. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iii + assessable: false + depth: 1 + ref_id: TITLE III + description: SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK FOR FINANCIAL ENTITIES + REFERRED TO IN ARTICLE 16(1) OF REGULATION (EU) 2022/2554 + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iii + name: CHAPTER I + description: SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + ref_id: Article 28 + description: Governance and organisation + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall have in place an internal governance and control framework + that ensures an effective and prudent management of ICT risk to achieve a + high level of digital operational resilience. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.2' + description: 'The financial entities referred to in paragraph 1 shall, as part + of their simplified ICT risk management framework, ensure that their management + body:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.a + description: "bears the overall responsibility for ensuring that the simplified\ + \ ICT risk management framework allows for the achievement of the financial\ + \ entity\u2019s business strategy in accordance with the risk appetite of\ + \ that financial entity, and ensures that ICT risk is considered in that context;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.b + description: sets clear roles and responsibilities for all ICT-related tasks; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.c + description: sets out information security objectives and ICT requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.d + description: 'approves, oversees, and periodically reviews:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.d.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.d + ref_id: 28.2.d.i + description: the classification of information assets of the financial entity + as referred to in Article 
30(1) of this Regulation, the list of main risks + identified, and the business impact analysis and related policies; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.d.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.d + ref_id: 28.2.d.ii + description: the business continuity plans of the financial entity, and the + response and recovery measures referred to in Article 16(1), point (f), of + Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.e + description: "allocates and reviews at least once a year the budget necessary\ + \ to fulfil the financial entity\u2019s digital operational resilience needs\ + \ in respect of all types of resources, including relevant ICT security awareness\ + \ programmes and digital operational resilience training and ICT skills for\ + \ all staff;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.f + description: specifies and implements the policies and measures included in + Chapters I, II and III of this Title to identify, assess and manage the ICT + risk the financial entity is exposed to; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.g + description: identifies and implements procedures, ICT protocols, and tools + that are necessary to protect all information assets and ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.h + description: ensures that 
the staff of the financial entity is kept up to date + with sufficient knowledge and skills to understand and assess ICT risk and + its impact on the operations of the financial entity, commensurate to the + ICT risk being managed; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.2 + ref_id: 28.2.i + description: establishes reporting arrangements, including the frequency, form, + and content of reporting to the management body on the information security + and digital operational resilience + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.3' + description: The financial entities referred to in paragraph 1 may, in accordance + with Union and national sectoral law, outsource the tasks of verifying compliance + with ICT risk management requirements to ICT intra-group or ICT third-party + service providers. In case of such outsourcing, financial entities shall remain + fully responsible for the verification of compliance with the ICT risk management + requirements. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.4' + description: The financial entities referred to in paragraph 1 shall ensure + an appropriate segregation and the independence of control functions and internal + audit functions. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.5' + description: "The financial entities referred to in paragraph 1 shall ensure\ + \ that their simplified ICT risk management framework is subject to an internal\ + \ audit by auditors, in line with the financial entities\u2019 audit plan.\ + \ The auditors shall have sufficient knowledge, skills, and expertise in ICT\ + \ risk, and shall be independent. The frequency and focus of ICT audits shall\ + \ be commensurate to the ICT risk of the financial entity" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:28.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-28 + ref_id: '28.6' + description: Based on the outcome of the audit referred to in paragraph 5, the + financial entities referred to in paragraph 1 shall ensure the timely verification + and remediation of critical ICT audit findings. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-29 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + ref_id: Article 29 + description: Information security policy and measures + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:29.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-29 + ref_id: '29.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall develop, document, and implement an information security + policy in the context of the simplified ICT risk management framework. That + information security policy shall specify the high-level principles and rules + to protect the confidentiality, integrity, availability, and authenticity + of data and of the services those financial entities provide. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:29.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-29 + ref_id: '29.2' + description: Based on their information security policy referred to in paragraph + 1, the financial entities referred to in paragraph 1 shall establish and implement + ICT security measures to mitigate their exposure to ICT risk, including mitigating + measures implemented by ICT third-party service providers. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node518 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-29 + description: The ICT security measures shall include all of the measures referred + to in Articles 30 to 38. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-30 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + ref_id: Article 30 + description: Classification of information assets and ICT assets + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:30.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-30 + ref_id: '30.1' + description: As part of the simplified ICT risk management framework referred + to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial + entities referred to in paragraph 1 of that Article shall identify, classify, + and document all critical or important functions, the information assets and + ICT assets supporting them and their interdependencies. Financial entities + shall review that identification and classification as needed. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:30.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-30 + ref_id: '30.2' + description: The financial entities referred to in paragraph 1 shall identify + all critical or important functions supported by ICT third-party service providers. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-31 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + ref_id: Article 31 + description: ICT risk management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-31 + ref_id: '31.1' + description: 'The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall include in their simplified ICT risk management framework + all of the following :' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + ref_id: 31.1.a + description: a determination of the risk tolerance levels for ICT risk, in accordance + with the risk appetite of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + ref_id: 31.1.b + description: the identification and assessment of the ICT risks to which the + financial entity is exposed; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + ref_id: 31.1.c + description: the specification of mitigation strategies at least for the ICT + risks that are not within the risk tolerance levels of the financial entity; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + ref_id: 31.1.d + description: the monitoring of the effectiveness of the mitigation strategies + referred to in point (c); + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.1 + ref_id: 31.1.e + description: the identification and assessment of any ICT and information security + risks resulting from any major change in ICT system or ICT services, processes, + or procedures, and from ICT security testing results and after any major ICT-related + incident. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-31 + ref_id: '31.2' + description: "The financial entities referred to in paragraph 1 shall carry\ + \ out and document the ICT risk assessment periodically commensurate to the\ + \ financial entities\u2019 ICT risk profile." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-31 + ref_id: '31.3' + description: The financial entities referred to in paragraph 1 shall continuously + monitor threats and vulnerabilities that are relevant to their critical or + important functions, and information assets and ICT assets, and shall regularly + review the risk scenarios impacting those critical or important functions. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:31.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-31 + ref_id: '31.4' + description: The financial entities referred to in paragraph 1 shall set out + alert thresholds and criteria to trigger and initiate ICT-related incident + response processes. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-32 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node496 + ref_id: Article 32 + description: Physical and environmental security + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:32.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-32 + ref_id: '32.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall identify and implement physical security measures designed + on the basis of the threat landscape and in accordance with the classification + referred to in Article 30(1) of this Regulation, the overall risk profile + of ICT assets, and accessible information assets. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:32.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-32 + ref_id: '32.2' + description: The measures referred to in paragraph 1 shall protect the premises + of financial entities and, where applicable, data centres of financial entities + where ICT assets and information assets reside from unauthorised access, attacks, + and accidents, and from environmental threats and hazards. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:32.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-32 + ref_id: '32.3' + description: The protection from environmental threats and hazards shall be + commensurate with the importance of the premises concerned and, where applicable, + the data centres and the criticality of the operations or ICT systems located + therein. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iii + name: CHAPTER II + description: FURTHER ELEMENTS OF SYSTEMS, PROTOCOLS, AND TOOLS TO MINIMISE THE + IMPACT OF ICT RISK + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-33 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 33 + description: Access Control + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-33 + ref_id: '33.1' + description: 'The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall develop, document, and implement procedures for the control + of logical and physical access and shall enforce, monitor, and periodically + review those procedures. 
Those procedures shall contain the following elements + of control of logical and physical access:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + ref_id: 33.1.a + description: access rights to information assets, ICT assets, and their supported + functions, and to critical locations of operation of the financial entity, + are managed on a need-to-know, need-to-use and least privileges basis, including + for remote and emergency access; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + ref_id: 33.1.b + description: user accountability, which ensures that users can be identified + for the actions performed in the ICT systems; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + ref_id: 33.1.c + description: account management procedures to grant, change, or revoke access + rights for user and generic accounts, including generic administrator accounts; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + ref_id: 33.1.d + description: authentication methods that are commensurate to the classification + referred to in Article 30(1) and to the overall risk profile of ICT assets, + and which are based on leading practices; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:33.1 + ref_id: 33.1.e + description: access rights are periodically reviewed and are withdrawn when + no longer required. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node544 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-33 + description: For the purposes of point (c), the financial entity shall assign + privileged, emergency, and administrator access on a need-to-use or an ad-hoc + basis for all ICT systems, and shall be logged in accordance with Article + 34(1), point (f). + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node545 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-33 + description: "For the purposes of point (d), financial entities shall use strong\ + \ authentication methods that are based on leading practices for remote access\ + \ to the financial entities\u2019 network, for privileged access, and for\ + \ access to ICT assets supporting critical or important functions that are\ + \ publicly available." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-34 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 34 + description: ICT operations security + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-34 + description: 'The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and + for all ICT assets:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.a + description: monitor and manage the lifecycle of all ICT assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.b + assessable: true + depth: 5 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.b + description: monitor whether the ICT assets are supported by ICT third-party + service providers of financial entities, where applicable; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.c + description: identify capacity requirements of their ICT assets and measures + to maintain and improve the availability and efficiency of ICT systems and + prevent ICT capacity shortages before they materialise; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.d + description: perform automated vulnerability scanning and assessments of ICT + assets commensurate to their classification as referred to in Article 30(1) + and to the overall risk profile of the ICT asset, and deploy patches to address + identified vulnerabilities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.e + description: manage the risks related to outdated, unsupported, or legacy ICT + assets; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.f + description: log events related to logical and physical access control, ICT + operations, including system and network traffic activities, and ICT change + management; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.g + description: identify and implement measures to monitor and analyse 
information + on anomalous activities and behaviour for critical or important ICT operations; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.h + description: implement measures to monitor relevant and up-to-date information + about cyber threats; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:34.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node547 + ref_id: 34.i + description: implement measures to identify possible information leakages, malicious + code and other security threats, and publicly known vulnerabilities in software + and hardware, and check for corresponding new security updates. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node557 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-34 + description: For the purposes of point (f), financial entities shall align the + level of detail of the logs with their purpose and usage of the ICT asset + producing those logs. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-35 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 35 + description: Data, system and network security + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-35 + description: 'The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop + and implement safeguards that ensure the security of networks against intrusions + and data misuse and that preserve the availability, authenticity, integrity, + and confidentiality of data. 
In particular, financial entities shall, taking + into account the classification referred to in Article 30(1) of this Regulation, + establish all of the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.a + description: the identification and implementation of measures to protect data + in use, in transit, and at rest; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.b + description: the identification and implementation of security measures regarding + the use of software, data storage media, systems and endpoint devices that + transfer and store data of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.c + description: "the identification and implementation of measures to prevent and\ + \ detect unauthorised connections to the financial entity's network, and to\ + \ secure the network traffic between the financial entity\u2019s internal\ + \ networks and the internet and other external connections;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.d + description: the identification and implementation of measures that ensure the + availability, authenticity, integrity, and confidentiality of data during + network transmissions; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.e + description: a process to securely delete data on 
premises, or that are stored + externally, that the financial entity no longer needs to collect or store; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.f + description: a process to securely dispose of, or decommission, data storage + devices on premises, or data storage devices that are stored externally, that + contain confidential information; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:35.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node559 + ref_id: 35.g + description: "the identification and implementation of measures to ensure that\ + \ teleworking and the use of private endpoint devices does not adversely impact\ + \ the financial entity\u2019s ability to carry out its critical activities\ + \ in an adequate, timely, and secure manner." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-36 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 36 + description: ICT security testing + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:36.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-36 + ref_id: '36.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall establish and implement an ICT security testing plan + to validate the effectiveness of their ICT security measures developed in + accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. + Financial entities shall ensure that that plan considers threats and vulnerabilities + identified as part of the simplified ICT risk management framework referred + to in Article 31 of this Regulation. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:36.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-36 + ref_id: '36.2' + description: The financial entities referred to in paragraph 1 shall review, + asses and test ICT security measures, taking into consideration the overall + risk profile of the ICT assets of the financial entity. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:36.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-36 + ref_id: '36.3' + description: The financial entities referred to in paragraph 1 shall monitor + and evaluate the results of the security tests and update their security measures + accordingly without undue delay in the case of ICT systems supporting critical + or important functions. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-37 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 37 + description: ICT systems acquisition, development, and maintenance + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node572 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-37 + description: 'The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall design and implement, where appropriate, a procedure + governing the acquisition, development, and maintenance of ICT systems following + a risk-based approach. 
That procedure shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:37.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node572 + ref_id: 37.a + description: ensure that, before any acquisition or development of ICT systems + takes place, the functional and non-functional requirements, including information + security requirements, are clearly specified and approved by the business + function concerned; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:37.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node572 + ref_id: 37.b + description: ensure the testing and approval of ICT systems prior to their first + use and before introducing changes to the production environment; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:37.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node572 + ref_id: 37.c + description: identify measures to mitigate the risk of unintentional alteration + or intentional manipulation of the ICT systems during development and implementation + in the production environment. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-38 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node536 + ref_id: Article 38 + description: ICT project and change management + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:38.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-38 + ref_id: '38.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall develop, document, and implement an ICT project management + procedure and shall specify the roles and responsibilities for its implementation. 
+ That procedure shall cover all stages of the ICT projects from their initiation + to their closure. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:38.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-38 + ref_id: '38.2' + description: "The financial entities referred to in paragraph 1 shall develop,\ + \ document, and implement an ICT change management procedure to ensure that\ + \ all changes to ICT systems are recorded, tested, assessed, approved, implemented,\ + \ and verified in a controlled manner and with the adequate safeguards to\ + \ preserve the financial entity\u2019s digital operational resilience." + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node579 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iii + name: CHAPTER III + description: ICT BUSINESS CONTINUITY MANAGEMENT + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-39 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node579 + ref_id: Article 39 + description: Components of the ICT business continuity plan + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-39 + ref_id: '39.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall develop their ICT business continuity plans considering + the results of the analysis of their exposures to and potential impact of + severe business disruptions and scenarios to which their ICT assets supporting + critical or important functions might be exposed, including a cyber-attack + scenario. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-39 + ref_id: '39.2' + description: 'The ICT business continuity plans referred to in paragraph 1 shall:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.a + description: be approved by the management body of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.b + description: be documented and readily accessible in the event of an emergency + or crisis; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.c + description: allocate sufficient resources for their execution; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.d + description: establish planned recovery levels and timeframes for the recovery + and resumption of functions and key internal and external dependencies, including + ICT third-party service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.e + description: "identify the conditions that may prompt the activation of the\ + \ ICT business continuity plans and what actions are to be taken to ensure\ + \ the availability, continuity, and recovery of the financial entities\u2019\ + \ ICT assets supporting critical or important functions;" + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.f + description: identify the restoration and recovery measures for critical or + important business functions, supporting processes, information assets, and + their interdependencies to avoid adverse effects on the functioning of the + financial entities; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.g + description: identify backup procedures and measures that specify the scope + of the data that are subject to the backup, and the minimum frequency of the + backup, based on the criticality of the function using those data; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.h + description: consider alternative options where recovery may not be feasible + in the short term because of costs, risks, logistics, or unforeseen circumstances; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.i + description: specify the internal and external communication arrangements, including + escalation plans; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2.j + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:39.2 + ref_id: 39.2.j + description: "be updated in line with lessons learned from incidents, tests,\ + \ new risks, and threats identified, changed recovery objectives, major changes\ + \ to the financial entity\u2019s organisation, and to the ICT assets supporting\ + \ critical or business functions." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node593 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-39 + description: For the purposes of point (f), the measures referred to in that + point shall provide for the mitigation of failures of critical third-party + providers. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-40 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node579 + ref_id: Article 40 + description: Testing of business continuity plans + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:40.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-40 + ref_id: '40.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall test their business continuity plans referred to in Article + 39 of this Regulation, including the scenarios referred to in that Article, + at least once every year for the back up and restore procedures, or upon every + major change of the business continuity plan. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:40.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-40 + ref_id: '40.2' + description: The testing of business continuity plans referred to in paragraph + 1 shall demonstrate that the financial entities referred to in that paragraph + are able to sustain the viability of their businesses until critical operations + are re-established and identify any deficiencies in those plans. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:40.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-40 + ref_id: '40.3' + description: The financial entities referred to in paragraph 1 shall document + the results of the testing of business continuity plans and any identified + deficiencies resulting from that testing shall be analysed, addressed, and + reported to the management body. + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node598 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iii + name: CHAPTER IV + description: REPORT ON THE REVIEW OF THE SIMPLIFIED ICT RISK MANAGEMENT FRAMEWORK + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-41 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node598 + ref_id: Article 41 + description: Format and content of the report on the review of the simplified + ICT risk management framework + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-41 + ref_id: '41.1' + description: The financial entities referred to in Article 16(1) of Regulation + (EU) 2022/2554 shall submit the report on the review of the ICT risk management + framework referred to in paragraph 2 of that Article in a searchable electronic + format. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-41 + ref_id: '41.2' + description: 'The report referred to in paragraph 1 shall contain all of the + following information:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.a + description: 'an introductory section providing:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + ref_id: 41.2.a.i + description: "a description of the context of the report in terms of the nature,\ + \ scale, and complexity of the financial entity's services, activities, and\ + \ operations, the financial entity\u2019s organisation, identified critical\ + \ functions, strategy, major ongoing projects or activities, and relationships,\ + \ and the financial entity\u2019s dependence on in-house and outsourced ICT\ + \ services and systems, or the implications that a total loss or severe degradation\ + \ of such systems would have on critical or important functions and market\n\ + efficiency;" + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + ref_id: 41.2.a.ii + description: an executive level summary of the current and near-term ICT risk + identified, threat landscape, the assessed effectiveness of its controls, + and the security posture of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + ref_id: 41.2.a.iii + description: information about the reported 
area; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + ref_id: 41.2.a.iv + description: a summary of the major changes in the ICT risk management framework + since the previous report; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a.v + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.a + ref_id: 41.2.a.v + description: a summary and a description of the impact of major changes to the + simplified ICT risk management framework since the previous report; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.b + description: where applicable, the date of the approval of the report by the + management body of the financial entity; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.c + description: 'a description of the reasons for the review, including:' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.c.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.c + ref_id: 41.2.c.i + description: where the review has been initiated following supervisory instructions, + evidence of such instructions; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.c.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.c + ref_id: 41.2.c.ii + description: where the review has been initiated following the occurrence of + ICT-related incidents, the list of all those ICT-related incidents with related + incident root-cause analysis; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.d + description: ' the start and end date of the review period;' + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.e + description: the person responsible for the review; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.f + description: a summary of findings, and a self-assessment of the severity of + the weaknesses, deficiencies, and gaps identified in ICT risk management framework + for the review period, including a detailed analysis thereof; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.g + description: remedying measures identified to address weaknesses, deficiencies, + and gaps in the simplified ICT risk management framework, and the expected + date for implementing those measures, including the follow-up on weaknesses, + deficiencies, and gaps identified in previous reports, where those weaknesses, + deficiencies, and gaps have not yet been remedied; + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2.h + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:41.2 + ref_id: 41.2.h + description: overall conclusions on the review of the simplified ICT risk management + framework, including any further planned developments. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iv + assessable: false + depth: 1 + ref_id: TITLE IV + description: FINAL PROVISIONS + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-42 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:title-iv + ref_id: Article 42 + description: Entry into force + - urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:node619 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ict-risk-management:article-42 + description: 'This Regulation shall enter into force on the twentieth day following + that of its publication in + + the Official Journal of the European Union. + + This Regulation shall be binding in its entirety and directly applicable in + all Member States. + + ' diff --git a/backend/library/libraries/rts-dora-ictservices-supporting.yaml b/backend/library/libraries/rts-dora-ictservices-supporting.yaml new file mode 100644 index 000000000..64f67bf31 --- /dev/null +++ b/backend/library/libraries/rts-dora-ictservices-supporting.yaml 
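Review bot: the 41.2.d description carries a stray leading space inside its quoted scalar (`description: ' the start and end date of the review period;'`) that the sibling entries 41.2.c and 41.2.e do not have; trim it so the text renders consistently. In the node619 description under Article 42, the quoted block keeps a paragraph break in the middle of a sentence (`that of its publication in` followed by a blank line and then `the Official Journal of the European Union.`) and a trailing blank line before the closing quote; these read as PDF line breaks rather than intended paragraphs, so join the first two lines into one sentence and drop the trailing newline.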
@@ -0,0 +1,866 @@ +urn: urn:intuitem:risk:library:rts-dora-ictservices-supporting +locale: en +ref_id: RTS-DORA-ICTservices-supporting +name: RTS to specify the policy on ICT services supporting critical or important functions + provided by ICT third-party service providers (TPPs) +description: These RTS specify parts of the governance arrangements, risk management + and internal control framework that financial entities should have in place regarding + the use of ICT third-party service providers. They aim to ensure financial entities + remain in control of their operational risks, information security and business + continuity throughout the life cycle of contractual arrangements with such ICT third-party + service providers. +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:rts-dora-ictservices-supporting + ref_id: RTS-DORA-ICTservices-supporting + name: RTS to specify the policy on ICT services supporting critical or important + functions provided by ICT third-party service providers (TPPs) + description: These RTS specify parts of the governance arrangements, risk management + and internal control framework that financial entities should have in place + regarding the use of ICT third-party service providers. They aim to ensure financial + entities remain in control of their operational risks, information security + and business continuity throughout the life cycle of contractual arrangements + with such ICT third-party service providers. 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-1 + assessable: false + depth: 1 + ref_id: Article 1 + description: Overall risk profile and complexity + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-1 + description: "The policy on the use of ICT services supporting critical or important\ + \ functions provided by ICT third-party service providers (the \u2018policy\u2019\ + ) shall take into account the size and the overall risk profile of the financial\ + \ entity, and the nature, scale and elements of increased or reduced complexity\ + \ of its services, activities and operations, including elements relating\ + \ to:" + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.a + description: "the type of ICT services included in the contractual arrangement\ + \ on the use of ICT services supporting critical or important functions provided\ + \ by ICT third-party service providers (the \u2018contractual arrangement\u2019\ + ) between the financial entity and the ICT third-party service provider;" + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.b + description: the location of the ICT third-party service provider or the location + of its parent company; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.c + description: whether the ICT services supporting critical or important functions + are provided by an ICT third-party service provider located within a Member + 
State or in a third country, also considering the location from where the + ICT services are provided and the location where the data is processed and + stored; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.d + description: the nature of the data shared with the ICT third-party service + provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.e + description: whether the ICT third-party service provider is part of the same + group as the financial entity to which the services are provided; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.f + description: the use of ICT third-party service providers that are authorised, + registered or subject to supervision or oversight by a competent authority + in a Member State or subject to the oversight framework under Chapter V, Section + II, of Regulation (EU) 2022/2554, and the use of ICT third-party service providers + that are not; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.g + description: the use of ICT third-party service providers that are authorised, + registered or subject to supervision or oversight by a supervisory authority + in a third country, and the use of ICT third-party service providers that + are not; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.h + description: whether the provision 
of ICT services supporting critical or important + functions are concentrated to a single ICT third-party service provider or + a small number of such service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.i + description: the transferability of the ICT services supporting critical or + important functions to another ICT third-party service provider, including + as a result of technology specificities; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:1.j + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node3 + ref_id: 1.j + description: "the potential impact of disruptions in the provision of the ICT\ + \ services supporting critical or important functions on the continuity of\ + \ the financial entity\u2019s activities and on the availability of its services." + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-2 + assessable: false + depth: 1 + ref_id: Article 2 + description: Group application + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-2 + description: Where this Regulation applies on a sub-consolidated or consolidated + basis, the parent undertaking that is responsible for providing the consolidated + or sub-consolidated financial statements for the group shall ensure that the + policy is implemented consistently in all financial entities that are part + of the group and is adequate for the effective application of this Regulation + at all relevant levels of the group. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + assessable: false + depth: 1 + ref_id: Article 3 + description: Governance arrangements + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.1' + description: The management body shall review the policy at least once a year + and update it where necessary. Changes made to the policy shall be implemented + in a timely manner and as soon as it is possible within the relevant contractual + arrangements. The financial entity shall document the planned timeline for + the implementation. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.2' + description: The policy shall establish or refer to a methodology for determining + which ICT services support critical or important functions. The policy shall + also specify when this assessment is to be conducted and reviewed. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.3' + description: The policy shall clearly assign the internal responsibilities for + the approval, management, control, and documentation of relevant contractual + arrangements and shall ensure that appropriate skills, experience and knowledge + are maintained within the financial entity to effectively oversee the relevant + contractual arrangements, including the ICT services provided under those + arrangements. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.4' + description: Without prejudice to the final responsibility of the financial + entity to effectively oversee relevant contractual arrangements, the policy + shall require that the ICT third party service provider is assessed to have + sufficient resources to ensure that the financial entity complies with all + its legal and regulatory requirements regarding the ICT services supporting + critical or important functions that are provided. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.5 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.5' + description: The policy shall clearly identify the role or member of senior + management responsible for monitoring the relevant contractual arrangements. + The policy shall specify how that role or member of senior management shall + cooperate with the control functions, unless it is part of it, and shall set + out the reporting lines to the management body, including the nature of the + information to report and the documents to provide. It shall also set out + the frequency of such reporting. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.6' + description: 'The policy shall ensure that the contractual arrangements are + consistent with the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6 + ref_id: 3.6.a + description: the ICT risk management framework referred to in Article 6 of Regulation + (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6 + ref_id: 3.6.b + description: ' the information security policy referred to in Article 9(4) of + Regulation (EU) 2022/2554;' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6 + ref_id: 3.6.c + description: the ICT business continuity policy referred to in Article 11 of + Regulation (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.6 + ref_id: 3.6.d + description: ' the requirements on incident reporting set out in Article 19 + of Regulation (EU) 2022/2554.' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.7 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.7' + description: The policy shall require that ICT services supporting critical + or important functions provided by ICT third party service providers are subject + to independent review and are included in the audit plan. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-3 + ref_id: '3.8' + description: 'The policy shall explicitly specify that the contractual arrangements:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8 + ref_id: 3.8.a + description: do not relieve the financial entity and its management body of + its regulatory obligations and its responsibilities to its clients; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8 + ref_id: 3.8.b + description: are not to prevent effective supervision of a financial entity + and are not to contravene any supervisory restrictions on services and activities; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8 + ref_id: 3.8.c + description: ' are to require that the ICT third party service providers cooperate + with the competent authorities;' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:3.8 + ref_id: 3.8.d + description: are to require that the financial entity, its auditors, and competent + authorities have effective access to data and premises relating to the use + of ICT services supporting critical or important functions. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-4 + assessable: false + depth: 1 + ref_id: Article 4 + description: Main phases of the life cycle for the adoption and use of contractual + arrangements + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-4 + description: 'The policy shall specify the requirements, including the rules, + the responsibilities and the processes, for each main phase of the lifecycle + of the contractual arrangement, covering at least the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.a + description: the responsibilities of the management body, including its involvement, + as appropriate, in the decision-making process on the use of ICT services + supporting critical or important functions provided by ICT third-party service + providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.b + description: the planning of contractual arrangements, including the risk assessment, + the due diligence as set out in Articles 5 and 6 and the approval process + regarding new or material changes to contractual arrangements as set out in + Article 8(4); + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.c + description: the involvement of business units, internal controls and other + relevant units in respect of contractual arrangements; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.d + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.d + description: the implementation, monitoring and management of contractual arrangements + as referred to in Articles 7, 8 and 9, including at consolidated and sub-consolidated + level, where applicable; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.e + description: the documentation and record-keeping, taking into account the requirements + with regard to the register of information laid down in Article 28(3) of Regulation + (EU) 2022/2554; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:4.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node34 + ref_id: 4.f + description: the exit strategies and termination processes as set out in Article + 10. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-5 + assessable: false + depth: 1 + ref_id: Article 5 + description: Ex-ante risk assessment + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-5 + ref_id: '5.1' + description: The policy shall require that the business needs of the financial + entity are defined before a contractual arrangement is concluded. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-5 + ref_id: '5.2' + description: The policy shall require that a risk assessment is conducted at + financial entity level and, where applicable, at consolidated and sub-consolidated + level before a contractual arrangement is concluded. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-5 + description: 'The risk assessment shall take into account all the relevant requirements + laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. + It shall consider, in particular, the impact of the provision of ICT services + supporting critical or important functions by ICT third-party service providers + on the financial entity and all the risks posed by the provision of those + ICT services supporting critical or important functions by ICT third-party + service providers, including the following:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.a + description: operational risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.b + description: legal risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.c + description: ICT risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.d + description: reputational risks; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.e + description: risks linked to the protection of confidential or personal data; + - urn: 
urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.f + description: risks linked to the availability of data; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.g + description: risks linked to the location where the data is processed and stored; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.h + description: risks linked to the location of the ICT third-party service provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:5.2.i + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node44 + ref_id: 5.2.i + description: ICT concentration risks at entity level. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-6 + assessable: false + depth: 1 + ref_id: Article 6 + description: Due diligence + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-6 + ref_id: '6.1' + description: 'The policy shall set out an appropriate and proportionate process + for selecting and assessing the prospective ICT third-party service providers + taking into account whether or not the ICT third party service provider is + an intragroup ICT service provider, and shall require that the financial entity + assesses, before entering into a contractual arrangement, whether the ICT + third-party service provider:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.a + description: has the business reputation, sufficient abilities, expertise and + adequate financial, human and technical resources, information security standards, + appropriate organisational structure, risk management and internal controls + and, if applicable, the required authorisations or registrations to provide + the ICT services supporting the critical or important function in a reliable + and professional manner; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.b + description: has the ability to monitor relevant technological developments + and identify ICT security leading practices and implement them where appropriate + to have an effective and sound digital operational resilience framework; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.c + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.c + description: uses or intends to use ICT sub-contractors to perform the ICT services + supporting critical or important functions or material parts thereof; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.d + description: is located, or processes or stores the data in a third country + and, if this is the case, whether this practice affects the level of operational + or reputational risks or the risk of being affected by restrictive measures, + including embargos and sanctions, that may impact the ability of the ICT third-party + service provider to provide the ICT services or the financial entity to receive + those ICT services; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.e + description: consents to contractual arrangements that ensure that it is effectively + possible to conduct audits at the ICT third-party service provider, including + onsite, by the financial entity itself, appointed third parties, and competent + authorities; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.1 + ref_id: 6.1.f + description: "acts in an ethical and socially responsible manner, respects human\ + \ rights and children\u2019s rights, including the prohibition of child labour,\ + \ respects applicable principles on environmental protection, and ensures\ + \ appropriate working conditions." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-6 + ref_id: '6.2' + description: "The policy shall specify the required level of assurance concerning\ + \ the effectiveness of ICT third-party service providers\u2019 risk management\ + \ framework for the ICT services supporting critical or important functions\ + \ to be provided by an ICT third- party service provider. The policy shall\ + \ require that the due diligence process includes an assessment of the existence\ + \ of risk mitigation and business continuity measures and of how their functioning\ + \ within the ICT third-party service provider is ensured." + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-6 + ref_id: '6.3' + description: "The policy shall determine the due diligence process for selecting\ + \ and assessing the prospective ICT third-party service providers and shall\ + \ indicate which of the following elements are to be used for the required\ + \ level of assurance on the ICT third-party service provider\u2019s performance:" + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + ref_id: 6.3.a + description: audits or independent assessments performed by the financial entity + itself or on its behalf; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + ref_id: 6.3.b + description: the use of independent audit reports made on request by the ICT + third-party service provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3.c + assessable: true + depth: 
3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + ref_id: 6.3.c + description: the use of audit reports made by the internal audit function of + the ICT third- party service provider; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + ref_id: 6.3.d + description: the use of appropriate third-party certifications; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.3 + ref_id: 6.3.e + description: the use of other relevant information available to the financial + entity or other information provided by the ICT third-party service provider. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:6.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-6 + ref_id: '6.4' + description: "Financial entities shall ensure an appropriate level of assurance\ + \ on the ICT third- party service provider\u2019s performance, taking into\ + \ account the elements listed in\nparagraph 3, points (a) to (e). Where appropriate,\ + \ more than one element listed in those points shall be used." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-7 + assessable: false + depth: 1 + ref_id: Article 7 + description: Conflicts of interest + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:7.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-7 + ref_id: '7.1' + description: 'The policy shall specify the appropriate measures to identify, + prevent and manage actual or potential conflicts of interest arising from + the use of ICT third-party service + + providers that are to be taken before entering relevant contractual arrangements + and shall provide for an ongoing monitoring of such conflicts of interest.' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:7.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-7 + ref_id: '7.2' + description: 'Where ICT services supporting critical or important functions + are provided by ICT intra-group service providers, the policy shall specify + that decisions on the + + conditions, including the financial conditions, for the ICT services are to + be taken objectively.' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-8 + assessable: false + depth: 1 + ref_id: Article 8 + description: Contractual clauses + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-8 + ref_id: '8.1' + description: 'The policy shall specify that the relevant contractual arrangement + are to be in written form and are to include all the elements referred to + in Article 30(2) and (3) of + + Regulation (EU) 2022/2554. The policy shall also include elements regarding + requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, + as well as other relevant Union and national law as appropriate.' 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-8 + ref_id: '8.2' + description: ' The policy shall specify that the relevant contractual arrangements + are to include the right for the financial entity to access information, to + carry out inspections and + + audits, and to perform tests on ICT. For that purpose, the policy shall require + that the financial entity uses the following methods, without prejudice to + the ultimate responsibility of the financial entity:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2 + ref_id: 8.2.a + description: its own internal audit or an audit by an appointed third party; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2 + ref_id: 8.2.b + description: where appropriate, pooled audits and pooled ICT testing, including + threat-led penetration testing, that are organised jointly with other contracting + financial entities or firms that use ICT services of the same ICT third-party + service provider and that are performed by those contracting financial entities + or firms or by a third party appointed by them; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2 + ref_id: 8.2.c + description: where appropriate, third-party certifications; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.2 + ref_id: 8.2.d + description: where appropriate, internal or third-party audit reports made 
available + by the ICT third-party service provider. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-8 + ref_id: '8.3' + description: 'The financial entity shall not over time rely solely on certifications + referred to in paragraph 2, point (c), or audit reports referred to in point + (d) of that paragraph. The policy shall only permit the use of the methods + referred to in paragraph 2, points (c) and (d), where the financial entity:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.a + description: is satisfied with the audit plan of the ICT third-party service + provider for the relevant contractual arrangements; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.b + description: ensures that the scope of the certifications or audit reports cover + the systems and key controls identified by it and ensures compliance with + relevant regulatory requirements; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.c + description: thoroughly assesses the content of the certifications or audit + reports on an ongoing basis and verifies that the reports or certifications + are not obsolete; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.d + description: ensures that key systems and controls are covered in future versions + of the certification or audit report; + - 
urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.e + description: is satisfied with the aptitude of the certifying or auditing party; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.f + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.f + description: is satisfied that the certifications are issued, and the audits + are performed against widely recognised relevant professional standards and + include a test of the operational effectiveness of the key controls in place; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.g + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.g + description: has the contractual right to request, with a frequency that is + reasonable and legitimate from a risk management perspective, modifications + of the scope of the certifications or audit reports to other relevant systems + and controls; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3.h + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.3 + ref_id: 8.3.h + description: has the contractual right to perform individual and pooled audits + at its discretion with regard to the contractual arrangements and execute + those rights in line with the agreed frequency. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:8.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-8 + ref_id: '8.4' + description: The policy shall ensure that material changes to the contractual + agreement are to be formalised in a written document which is dated and signed + by all parties and shall specify the renewal process for the contractual arrangements. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-9 + assessable: false + depth: 1 + ref_id: Article 9 + description: Monitoring of the contractual arrangements + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.1 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-9 + ref_id: '9.1' + description: "The policy shall require that the contractual arrangements specify\ + \ the measures and key indicators to monitor, on an ongoing basis, the performance\ + \ of ICT third party service providers, including measures to monitor compliance\ + \ with requirements regarding the confidentiality, availability, integrity\ + \ and authenticity of data and information, and the compliance of the ICT\ + \ third-party service providers with the financial entity\u2019s relevant\ + \ policies and procedures. The policy shall also specify measures that apply\ + \ when service level agreements are not met, including contractual penalties\ + \ where appropriate." 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-9 + ref_id: '9.2' + description: "The policy shall specify how the financial entity is to assess\ + \ whether the ICT third- party service providers used for the ICT services\ + \ supporting critical or important functions meet appropriate performance\ + \ and quality standards in line with the contractual arrangement and the financial\ + \ entity\u2019s own policies. The policy shall, in particular, ensure the\ + \ following:" + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + ref_id: 9.2.a + description: 'that the ICT third-party service providers provide appropriate + reports on their activities and services to the financial entity, including + periodic reports, incidents reports, service delivery reports, reports on + ICT security and reports + + on business continuity measures and testing;' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + ref_id: 9.2.b + description: "that the performance of ICT third-party service providers is assessed\ + \ with key performance indicators, key control indicators, audits, self-certifications\ + \ and independent reviews in line with the financial entity\u2019s ICT risk\ + \ management\nframework;" + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + ref_id: 9.2.c + description: that the financial entity receives other relevant information from + the ICT third-party service providers; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2.d + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + ref_id: 9.2.d + description: that the financial entity is notified, where appropriate, of ICT-related + incidents and operational or security payment-related incidents; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.2 + ref_id: 9.2.e + description: that an independent review and audits verifying compliance with + legal and regulatory requirements and policies are performed + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.3 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-9 + ref_id: '9.3' + description: "The policy shall specify that the assessment referred to in paragraph\ + \ 2 is to be documented and its results to be used to update the financial\ + \ entity\u2019s risk assessment referred to in Article 6." + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:9.4 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-9 + ref_id: '9.4' + description: The policy shall establish the appropriate measures that the financial + entity is to adopt if it identifies shortcomings of the ICT third-party service + providers, including ICT-related incidents and operational or security payment + related incidents, in the provision of the ICT services supporting critical + or important functions or in the compliance with contractual arrangements + or legal requirements. It shall also specify how the implementation of such + measures is to be monitored in order to ensure that they are effectively complied + with within a defined timeframe, taking into account the materiality of the + shortcomings. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-10 + assessable: false + depth: 1 + ref_id: Article 10 + description: Exit from and termination of the contractual arrangements + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node101 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-10 + description: 'The policy shall contain requirements for a documented exit plan + for each contractual + + arrangement and for the periodic review and testing of the documented exit + plan. When + + establishing the exit plan, the following shall be taken into account:' + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:10.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node101 + ref_id: 10.a + description: unforeseen and persistent service interruptions; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:10.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node101 + ref_id: 10.b + description: inappropriate or failed service delivery; + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:10.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node101 + ref_id: 10.c + description: the unexpected termination of the contractual arrangement. + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node105 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-10 + description: The exit plan shall be realistic, feasible, based on plausible + scenarios and reasonable assumptions and shall have a planned implementation + schedule compatible with the exit and termination terms established in the + contractual arrangements. 
+ - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-11 + assessable: false + depth: 1 + ref_id: Article 11 + description: Entry into force + - urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:node107 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:rts-dora-ictservices-supporting:article-11 + description: This Regulation shall enter into force on the twentieth day following + its publication in the Official Journal of the European Union. diff --git a/tools/dora/RTS/RTS-DORA-ICT-related-incidents.xlsx b/tools/dora/RTS/RTS-DORA-ICT-related-incidents.xlsx new file mode 100644 index 000000000..2978153d8 Binary files /dev/null and b/tools/dora/RTS/RTS-DORA-ICT-related-incidents.xlsx differ diff --git a/tools/dora/RTS/RTS-DORA-ICT-risk-management.xlsx b/tools/dora/RTS/RTS-DORA-ICT-risk-management.xlsx new file mode 100644 index 000000000..6aca94999 Binary files /dev/null and b/tools/dora/RTS/RTS-DORA-ICT-risk-management.xlsx differ diff --git a/tools/dora/RTS/RTS-DORA-ICTservices-supporting.xlsx b/tools/dora/RTS/RTS-DORA-ICTservices-supporting.xlsx new file mode 100644 index 000000000..e4961a785 Binary files /dev/null and b/tools/dora/RTS/RTS-DORA-ICTservices-supporting.xlsx differ
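Review bot: several `description` scalars in this hunk carry PDF-extraction line breaks and whitespace that YAML will preserve as literal newlines mid-sentence, so the text will render with a hard break in the middle of a clause. In 7.1 the single-quoted scalar has a blank line between `the use of ICT third-party service` and `providers that are to be taken`; the same pattern appears in 7.2 (`decisions on the` / `conditions, including`), 8.1, 8.2, 9.2.a, the first Article 10 paragraph (`for each contractual` / `arrangement and for`), and 9.2.b uses an explicit `\nframework;` inside the double-quoted scalar. Collapse each of those to a single space before merging. While there, the 8.2 description starts with a stray leading space (`' The policy shall specify`), 8.1 reads `the relevant contractual arrangement are to be` (plural verb, singular noun), 9.2.e lacks its terminating period, and the spelling of the provider term drifts between `ICT third-party`, `ICT third party` (9.1) and `ICT third- party` (9.2), which will make text search across nodes unreliable. Finally, the two assessable Article 10 paragraphs (`node101`, `node105`) are the only assessable nodes without a `ref_id`, while their children are labelled `10.a`..`10.c`; either confirm the source paragraphs are genuinely unnumbered or give them a `ref_id` consistent with the rest of the framework so they do not appear unlabelled in assessments.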