DORA

The Digital Operational Resilience Act (DORA) is the EU’s regulatory framework aimed at strengthening the cyber resilience of financial entities, including banks, insurance companies, and investment firms. It establishes strict requirements for risk management, incident reporting, third-party risk oversight, and resilience testing to ensure financial stability in the face of cyber threats. DORA mandates that firms identify, protect, detect, respond to, and recover from IT-related disruptions while also enforcing stricter oversight of third-party ICT providers. Non-compliance can lead to severe penalties, including fines and operational restrictions. The regulation takes effect on January 17, 2025, requiring financial institutions to enhance their cybersecurity strategies and resilience measures.

Controls:

Establish and maintain a comprehensive digital operational resilience framework in line with DORA.

  • Governance and Organisation

    Establish clear governance structures and roles for digital operational resilience

  • Strategy and Policy

    Develop and document a digital operational resilience strategy and related policies

  • Framework Review and Update

    Regularly review and update the digital operational resilience framework to reflect changes in risk, technology and the regulatory landscape

  • Communication and Awareness

    Establish communication channels and awareness programs for digital operational resilience across the organisation

Implement a robust ICT risk management framework as a key component of digital operational resilience.

  • Risk Identification and Assessment

    Identify and classify ICT-related risks across all relevant areas of the business

  • Risk Appetite and Tolerance

    Define and document the organisation's risk appetite and tolerance for ICT risks

  • Risk Mitigation and Control

    Implement appropriate risk mitigation measures and controls to address identified ICT risks

  • Incident Management

    Establish and maintain a robust ICT incident management process

Implement robust ICT security measures to protect ICT systems and data.

  • Security Policies and Procedures

    Develop and implement comprehensive ICT security policies and procedures covering all relevant areas

  • Access Control

    Implement strong access control measures to restrict access to ICT systems and data to authorised personnel only

  • Data Security and Protection

    Implement measures to ensure the security and protection of data throughout its lifecycle

  • Network Security

    Implement network security measures to protect ICT networks from unauthorised access and cyber threats

  • Endpoint Security

    Implement endpoint security measures to protect user devices (laptops, desktops, mobile devices, etc.)

  • Vulnerability Management

    Establish and maintain a vulnerability management program to identify, assess and remediate ICT vulnerabilities

  • Security Monitoring and Logging

    Implement security monitoring and logging to detect and respond to security events

  • Physical Security

    Implement physical security measures to protect ICT infrastructure and data centres

Establish and implement a comprehensive ICT resilience testing program.

  • Resilience Testing Strategy

    Develop a risk-based ICT resilience testing strategy that covers various scenarios and threat types

  • Scenario-Based Testing

    Conduct scenario-based testing to simulate various disruptive events (cyberattacks, system failures, natural disasters, etc.)

  • Penetration Testing and Vulnerability Assessments

    Perform regular penetration testing and vulnerability assessments to identify weaknesses in ICT systems and security controls

  • Lessons Learned and Improvement

    Implement a process for capturing lessons learned from testing exercises and incidents and using them to improve resilience

Manage ICT third-party risk as part of operational resilience.

  • Third Party Risk Assessment

    Conduct thorough risk assessments of all ICT third-party providers

  • Due Diligence and Selection

    Implement due diligence processes for selecting and onboarding ICT third-party providers

  • Contractual Agreements and Monitoring

    Establish clear contractual agreements with ICT third-party providers that address resilience requirements and implement ongoing monitoring of provider performance

  • Exit Strategy and Transition

    Develop and test exit strategies and transition plans for ICT third-party providers to ensure business continuity in case of provider failure or contract termination

Establish and implement an ICT-related incident reporting framework.

  • Incident Classification and Thresholds

    Define clear criteria for classifying ICT-related incidents and thresholds for reporting to competent authorities

  • Reporting Procedures and Timelines

    Establish clear procedures and timelines for reporting ICT-related incidents internally and to competent authorities

  • Content and Format of Reports

    Define the required content and format of ICT-related incident reports for internal and external stakeholders including competent authorities

  • Post-Incident Analysis and Follow-up

    Conduct thorough post-incident analysis and follow-up actions to identify root causes, improve controls and prevent recurrence

Establish arrangements for sharing of cyber threat information and intelligence.

  • Information Sharing Framework

    Establish a framework and procedures for participating in cyber threat information sharing arrangements

  • Types of Information to Share

    Define the types of cyber threat information and intelligence to be shared and received

  • Security and Confidentiality

    Implement security measures to protect shared information and maintain confidentiality

Specific requirements for oversight of key ICT third-party providers.

  • Designation and Oversight of Key Providers

    Establish processes for designating ICT third-party providers as "key" and implementing enhanced oversight for these providers

  • Concentration Risk Management

    Manage concentration risk arising from dependencies on key ICT third-party providers including potential systemic risk

  • Subcontracting and Supply Chain

    Manage risks related to subcontracting arrangements of key ICT third-party providers and their supply chain

  • Direct Supervision and Oversight

    Facilitate direct supervision and oversight of key ICT third-party providers by competent authorities where applicable