DORA RTS on ICT Risk Management

1.   As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.

2.   The policy on management of ICT assets referred to in paragraph 1 shall:

1. (a)
   prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
2. (b)
   prescribe that the financial entity keeps records of all of the following:

   1. (i)
      the unique identifier of each ICT asset;
   2. (ii)
      information on the location, either physical or logical, of all ICT assets;
   3. (iii)
      the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254;
   4. (iv)
      the identity of ICT asset owners;
   5. (v)
      the business functions or services supported by the ICT asset;
   6. (vi)
      the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
   7. (vii)
      whether the ICT asset can be or is exposed to external networks, including the internet;
   8. (viii)
      the links and interdependencies among ICT assets and the business functions using each ICT asset;
   9. (ix)
      where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;

3. (c)
   for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.