Article 11

Response and recovery


TL;DR This article from the Digital Operations Resilience Act of the EU outlines key measures and policies that financial entities must take in order to ensure the continuity of their operations during ICT-related incidents. Entities must put in place a comprehensive ICT business continuity policy, associated ICT response and recovery plans, and ICT business continuity plans. They must also conduct a business impact analysis and test plans at least once a year, and appoint a crisis management function. Furthermore, they must keep records of activities during disruption events, provide test results to competent authorities, and, if requested, report an estimation of costs and losses due to major ICT-related incidents. The European Supervisory Authorities have also been assigned to develop common guidelines for the estimation of aggregated annual costs and losses related to these incidents by July 2024.
  1. As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entitiesas defined in Article 2, points (a) to (t) shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.

  2. Financial entitiesas defined in Article 2, points (a) to (t) shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:

    1. ensure the continuity of the financial entity’s critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;

    2. quickly, appropriately and effectively respond to, and resolve, all ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity in a way that limits damage and prioritises the resumption of activities and recovery actions;

    3. activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12;

    4. estimate preliminary impacts, damages and losses;

    5. set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 14, and report to the competent authoritiesas defined in Article 46 in accordance with Article 19.

  3. As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1), financial entitiesas defined in Article 2, points (a) to (t) shall implement associated ICT response and recovery plans which, in the case of financial entitiesas defined in Article 2, points (a) to (t) other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall be subject to independent internal audit reviews.

  4. Financial entitiesas defined in Article 2, points (a) to (t) shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law outsourced or contracted through arrangements with ICT third-party service providersan undertaking providing ICT services.

  5. As part of the overall business continuity policy, financial entitiesas defined in Article 2, points (a) to (t) shall conduct a business impact analysis (BIAbusiness impact analysis) of their exposures to severe business disruptions. Under the BIAbusiness impact analysis, financial entitiesas defined in Article 2, points (a) to (t) shall assess the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIAbusiness impact analysis shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assetsa collection of information, either tangible or intangible, that is worth protecting, and their interdependencies. Financial entitiesas defined in Article 2, points (a) to (t) shall ensure that ICT assetsa software or hardware asset in the network and information systems used by the financial entity and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services are designed and used in full alignment with the BIAbusiness impact analysis, in particular with regard to adequately ensuring the redundancy of all critical components.

  6. As part of their comprehensive ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management, financial entitiesas defined in Article 2, points (a) to (t) shall:

    1. test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;

    2. test the crisis communication plans established in accordance with Article 14.

    For the purposes of the first subparagraph, point (a), financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall include in the testing plans scenarios of cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.

    Financial entitiesas defined in Article 2, points (a) to (t) shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.

  7. Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, shall, inter alia, set out clear procedures to manage internal and external crisis communications in accordance with Article 14.

  8. Financial entitiesas defined in Article 2, points (a) to (t) shall keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated.

  9. Central securities depositoriesa central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 shall provide the competent authoritiesas defined in Article 46 with copies of the results of the ICT business continuity tests, or of similar exercises.

  10. Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall report to the competent authoritiesas defined in Article 46, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.

  11. In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAsEuropean Supervisory Authority, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, shall by 17 July 2024 develop common guidelines on the estimation of aggregated annual costs and losses referred to in paragraph 10.