DORA compliance Part 1: ICT risk management

As of January 17, 2025, the Digital Operational Resilience Act (DORA) will become legally binding in the European Union (EU). The regulation sets new standards for digital security in the financial sector and requires companies to take comprehensive security measures. One of the five core pillars of DORA focuses on the implementation of risk management for information and communication technologies (ICT risk management).

What is ICT risk management?

ICT risk management, defined in Chapter II, Article 6 of the regulation, is one of the five essential pillars of digital operational resilience. It includes all measures aimed at ensuring the stability and security of IT systems. Simply put, this is about being technically prepared for cyber threats. Given the financial sector’s reliance on sensitive data and digital transactions, systematic risk management is crucial.

Subareas of ICT risk management

DORA's requirements for ICT risk management extend far beyond what most organizations have implemented so far. They cover, for example, strategies, processes, ICT protocols, and tools, including both software and hardware as well as all relevant physical components and infrastructure, such as premises and data centers. ICT risk management can be subdivided into the following areas:

  • Governance and organization
  • ICT risk management framework
  • ICT systems, protocols and tools
  • Continuous identification of ICT risks
  • Protection and prevention
  • Detection of unusual activities
  • Response and recovery
  • Backup and restoration
  • Learning and evolving
  • Communication
  • Simplified ICT risk management framework for certain financial companies

What obligations do companies have?

One of the most significant shifts under DORA is moving from a reactive approach to actively anticipating and mitigating potential threats.

The DORA requirements in terms of ICT risk management are clearly defined and include the following obligations:

Risk identification

Companies must continuously assess and document potential threats and vulnerabilities in their IT systems.

Risk assessment

Financial institutions are required to assess each risk according to its probability and potential impact. This assessment helps prioritize appropriate countermeasures.

Implementation of security measures

Companies are obliged to mitigate risks by applying technical and organizational measures such as firewalls, access controls, and backups.

Continuous monitoring

Actors in the financial sector must continuously monitor all IT systems and security measures to swiftly detect new risks.

Emergency plans and response strategies

DORA stipulates the development of emergency plans, which empower companies to quickly react to incidents and minimize damage in accordance with current standards.

How can financial institutions implement the obligations?

DORA does not provide an exhaustive templatized checklist for designing ICT risk management. Instead, companies should begin with a gap analysis, comparing their existing risk management practices with the regulation’s requirements. This analysis will help identify necessary steps to achieve compliance.

Long-term benefits of ICT risk management

Comprehensive ICT risk management is an integral part of a digital resilience strategy. These measures protect companies from cyberattacks, ensure business continuity even in the case of IT outages, and foster trust among customers and business partners.

Learn more about how Tresorit can help financial organizations manage their data in a safe and compliant manner.