DORA RTS on ICT Risk Management

Browse Articles Full Text and PDF

Article 10 Vulnerability and patch management

1.   As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures.

2.   The vulnerability management procedures referred to in paragraph 1 shall:

  1. (a)
    identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
  2. (b)
    ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
  3. (c)
    verify whether:

    1. (i)
      ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;
    2. (ii)
      whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;

  4. (d)
    track the usage of:

    1. (i)
      third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;
    2. (ii)
      ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;

  5. (e)
    establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
  6. (f)
    prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
  7. (g)
    monitor and verify the remediation of vulnerabilities;
  8. (h)
    require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.
For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.

3.   As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.

4.   The patch management procedures referred to in paragraph 3 shall:

  1. (a)
    to the extent possible identify and evaluate available software and hardware patches and updates using automated tools;
  2. (b)
    identify emergency procedures for the patching and updating of ICT assets;
  3. (c)
    test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii);
  4. (d)
    set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.