DORA consultancy - helping financial institutions across the UK and Europe.



Simplified Framework


The ESAs have recently released several draft Regulatory Technical Standards (RTSs), which give some flavour of the expected control levels. When developing the drafts, the ESAs are required to consider the financial entity's size, overall risk profile, and the nature, scale and complexity of its services, activities and operations. The financial entities covered by Article 16 of DORA, which fall under the simplified ICT risk management framework, are:
  • small and non-interconnected firms;
  • payment institutions;
  • electronic money institutions;
  • small institutions for occupational retirement provision; and
  • some exempted institutions.
This is the second part of the Risk Management technical standards review. Read Part 1 here.

TL;DR: Financial entities must employ robust and up-to-date ICT systems, protocols, and tools tailored to support their operations and services.

The following review assesses the simplified framework requirements (Title II of the draft RTS).
The simplified ICT risk management framework includes the following:
Chapter I: ICT Risk Management Framework
  • Governance and organisation. Aims to establish clear organisational roles, responsibilities, and accountability.
  • Information security policy and measures. Provides guidelines for protecting the availability, authenticity, integrity and confidentiality of information.
  • Classification of information and ICT assets. Requires prioritising resources and efforts by categorising and understanding the value, sensitivity, and criticality of information and technology.
  • ICT risk management. Involves identifying, assessing, mitigating, and monitoring ICT risk.
  • ICT-related incident management. Essential for promptly responding to and recovering from any ICT incident.


Chapter II: Further elements of systems, protocols, and tools to minimise the impact of ICT risk
  • Physical and environmental security.
    Incorporates measures to secure data centres, servers, networks, and other critical assets from unauthorised access, theft, natural disasters, or environmental hazards.
  • Access Control.
    Includes defining and implementing logical and physical access control procedures.
  • ICT operations security.
    Requires monitoring and management of ICT assets supporting critical functions, assessing capacity requirements, performing vulnerability scanning, managing outdated assets, logging events, monitoring logs for anomalies, staying informed about cyber threats, and implementing measures to detect security threats and vulnerabilities.
    Note: Considering that a financial entity is only as secure as its weakest point, the ESAs are considering mandating these requirements for all ICT assets, not only those supporting critical or important functions.
  • Data, system and network security.
    Requires protecting data at all stages: in use, in transit and at rest.
    Note: The ESAs are considering introducing further bespoke requirements, for example a secure configuration baseline for ICT systems.
  • ICT security testing.
    Requires conducting comprehensive assessments, penetration testing, and vulnerability scans.
  • ICT systems acquisition, development, and maintenance.
    Recommends following a risk-based approach, which includes clearly defining functional and non-functional requirements, obtaining approval from relevant business management, conducting testing and approval before first use, and identifying measures to mitigate risks during development and implementation.
  • ICT project and change management.
    Depends on developing documented procedures covering a project from initiation to closure and defining roles and responsibilities. Additionally, the ICT change management procedure ensures controlled recording, testing, assessment, approval, implementation, and verification of system changes, preserving digital operational resilience.
  • Note: Regarding cloud computing resources, the ESAs may consider introducing additional requirements, e.g. preventive and detective measures to ensure security in the cloud environment, including tenant security and a further resilience model.

Chapter III: ICT business continuity management
Necessitates conducting a business impact analysis (BIA) to assess potential risks and vulnerabilities, identifying scenarios that ICT assets may face, and developing plans based on the BIA and the scenario assessment. Testing covers backup and restore procedures and takes place at least once a year or whenever the plan undergoes major changes.

Chapter IV: Report on the ICT risk management framework review
Proposes a structure for the report.


Our opinion:
Despite the relative simplicity of the above framework, small and medium entities are unlikely to already have the required processes and capabilities in place. We expect significant effort in preparation for DORA, and similar ongoing effort to maintain adequate compliance.

Please contact us if you have any questions.