ICT Risk Management
The framework of policies, procedures, and controls that financial entities and essential/important entities must implement to identify, protect against, detect, respond to, and recover from ICT-related risks.
Full Definition
ICT risk management is a cornerstone requirement under both the Digital Operational Resilience Act (DORA) and the NIS2 Directive, though each regulation approaches it with different scope and emphasis. Under DORA, financial entities must establish and maintain a comprehensive ICT risk management framework that includes strategies, policies, procedures, ICT protocols, and tools necessary to properly protect all information assets and ICT assets.
DORA's ICT risk management framework (Articles 5-16) requires financial entities to implement measures across several domains: identification of all ICT-supported business functions and associated risks, protection and prevention mechanisms including cybersecurity policies, detection capabilities for anomalous activities, response and recovery plans with business continuity procedures, and mechanisms for learning and evolving from past incidents.
Under NIS2, essential and important entities must adopt appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems. These measures must include incident handling, business continuity, supply chain security, security in network and information systems acquisition, and policies on the use of cryptography and encryption.
A critical aspect of ICT risk management under both frameworks is the governance dimension. Senior management (the management body under DORA, the management bodies under NIS2) bears ultimate responsibility for the ICT risk management framework and can be held personally liable for non-compliance. This reflects the regulatory intent to elevate cybersecurity from a purely technical concern to a board-level strategic priority.