DORA Ch. II Sec. II Art. 6 8.

1. Overview

DORA Ch. II Sec. II Art. 6 8.

8.   The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:

  • (a) explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;
  • (b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
  • (c) setting out clear information security objectives, including key performance indicators and key risk metrics;
  • (d) explaining the ICT reference architecture and any changes needed to reach specific business objectives;
  • (e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
  • (f) evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
  • (g) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
  • (h) outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required in accordance with Article 14.

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements
Source | Requirement

3. Related Standards

Standards
Source | Requirement

NOREA | Governance of ICT risk

The management body shall take ultimate responsibility for effectively managing all ICT risks of the financial entity. As such, the management body periodically (e.g. annually):

  • Establishes policies related to the availability, authenticity, integrity and confidentiality of data, including the policy on arrangements with ICT third-party service providers (see control 2.1).
  • Defines the roles, responsibilities and governance arrangements for ICT-related functions and ICT risk management (including those related to ICT third-party arrangements), and arranges for the continuous monitoring thereof.
  • Reviews the policy on arrangements with ICT third-party service providers and stays informed about third-party arrangements, the services provided and planned material changes regarding third-party service providers, and understands the impact of these changes on the critical and important functions of the entity (including risk assessment results).

NOREA | Knowledge of the Management Body

The management body shall ensure that it is kept up to date with sufficient knowledge and skills to understand and assess ICT risks and operations (e.g. through periodic training).

NOREA | Digital Operational Resilience Strategy

The management body shall set and approve the digital operational resilience strategy and update it periodically when needed.

The digital operational resilience strategy must:

  • Set out how the ICT risk management framework will be implemented.
  • Elaborate on the alignment between the ICT risk management framework and the business strategy and objectives.
  • Establish the ICT risk tolerance level (based on the entity's risk appetite) and the impact tolerance level for ICT disruptions.
  • Include clear information security objectives, including Key Performance Indicators (KPIs) and key risk metrics.
  • Elaborate on the ICT reference architecture and any changes needed to reach specific business objectives.
  • Outline the mechanisms in place to detect ICT-related incidents, prevent their impact and provide protection from it.
  • Contain evidence of the current digital operational resilience situation (e.g. based on the number of major ICT-related incidents reported and the effectiveness of preventive measures).
  • Set out how digital operational resilience testing is implemented (see controls under 19 and 20).
  • Outline the communication strategy in case of incidents (see 11.3).

The management body shall allocate and review the budget required for the resources needed to fulfill the digital operational resilience needs of the entity.

The management body shall ensure that monitoring of the effectiveness of the strategy's implementation is arranged.

NOREA | Business Continuity Oversight

The management body reviews and approves periodically (e.g. annually) the ICT business continuity policy and the ICT response and recovery plans.

NOREA | Audit Plan Approval and Review

The management body reviews and approves periodically (e.g. annually) the internal ICT audit plans, the ICT audits and any material modifications to them.