Forums in 'Digital Operational Resilience Act (DORA)'
  Forum Topics Posts Last Post
ICT Risk Management
To keep pace with the rapidly changing cyber threat environment, financial institutions must establish procedures and frameworks that mitigate the effects of ICT risk. They should consistently detect ICT risks from diverse sources and take action using internal controls, disaster recovery plans, and other measures to protect the security, reliability, and resilience of ICT systems and associated physical infrastructure.
- -
-
ICT Third-Party Risks
Financial entities must manage ICT third-party providers throughout their lifecycle, from contracting to termination and post-contractual stages, due to the increasing use of such providers. This management should be based on the minimum requirements outlined in DORA. To ensure proper management, it is necessary to establish a framework for critical ICT third-party risks, adopt and regularly review an ICT third-party risk strategy, maintain a register of information and control outsourcing contracts and arrangements, and perform ICT concentration risk assessments before entering into new contractual agreements.
- -
-
ICT Incident Reporting
Under DORA, it is necessary to establish an ICT incident management process that records, monitors, and addresses incidents. Financial entities should categorize and prioritize incidents, assign roles, communicate with stakeholders, and establish procedures for incident response and service restoration.
- -
-
Information Sharing
Financial entities can share cyber threat information within trusted communities to improve their digital resilience, governed by rules protecting sensitive information and personal data. They must notify authorities when joining or leaving such arrangements.
- -
-
Digital Operational Resilience Testing
DORA requires financial institutions to establish a comprehensive digital operational resilience testing program, including various assessments, tests, and tools. Tests must follow a risk-based approach and be undertaken by independent parties. Institutions must establish policies to address all issues and conduct yearly tests on critical ICT systems and applications.
- -
-
'Dry Run' to prepare for DORA
To help financial entities with their preparations, the ESAs and competent authorities are carrying out a dry run on a best-efforts basis in mid-2024. The ESAs will provide individual and general feedback to financial entities regarding their registers of information in the second half of 2024.
- -
-

Digital Operational Resilience Act (DORA)
Topic / Author Replies Views Last Post [ascending]
You do not have permission to view topics in this forum.

