Article 13

Learning and evolving


TL;DR The Digital Operations Resilience Act from the EU requires all financial entities to have in place capabilities and staff to identify and analyze vulnerabilities and cyber threats, as well as incident reviews following major ICT-related incidents. Senor ICT staff must report on findings from digital operations resilience testing, real-life cyber attacks and challenges from activating ICT business continuity plans to the management body yearly. Entities must also develop ICT security awareness programmes, digital operational resilience training, and monitor relevant technological developments. They must also update ICT risk management processes regularly to effectively combat current or new forms of cyber-attacks.
  1. Financial entitiesas defined in Article 2, points (a) to (t) shall have in place capabilities and staff to gather information on vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited and cyber threatsas defined in Article 2, point (8), of Regulation (EU) 2019/881: any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons, ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset, and analyse the impact they are likely to have on their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

  2. Financial entitiesas defined in Article 2, points (a) to (t) shall put in place post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews after a major ICT-related incidentan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.

    Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall, upon request, communicate to the competent authoritiesas defined in Article 46, the changes that were implemented following post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews as referred to in the first subparagraph.

    The post ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:

    1. the promptness in responding to security alerts and determining the impact of ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity and their severity;

    2. the quality and speed of performing a forensic analysis, where deemed appropriate;

    3. the effectiveness of incident escalation within the financial entity;

    4. the effectiveness of internal and external communication.

  3. Lessons derived from the digital operational resilience testingas defined in Article 24 carried out in accordance with Articles 26 and 27 and from real life ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1).

  4. Financial entitiesas defined in Article 2, points (a) to (t) shall monitor the effectiveness of the implementation of their digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions strategy set out in Article 6(8). They shall map the evolution of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment over time, analyse the frequency, types, magnitude and evolution of ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, in particular cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset and their patterns, with a view to understanding the level of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment exposure, in particular in relation to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, and enhance the cyber maturity and preparedness of the financial entity.

  5. Senior ICT staff shall report at least yearly to the management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law on the findings referred to in paragraph 3 and put forward recommendations.

  6. Financial entitiesas defined in Article 2, points (a) to (t) shall develop ICT security awareness programmes and digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entitiesas defined in Article 2, points (a) to (t) shall also include ICT third-party service providersan undertaking providing ICT services in their relevant training schemes in accordance with Article 30(2), point (i).

  7. Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions. They shall keep up-to-date with the latest ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management processes, in order to effectively combat current or new forms of cyber-attacksa malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.