Article 14 Communication
TL;DR
The EU Digital Operations Resilience Act outlines the need for financial entities to have a crisis communication plan in place to responsibly disclose major ICT-related incidents or vulnerabilities to clients and counterparts, as well as to the public, as appropriate. Additionally, internal and external communication policies must be implemented for staff and external stakeholders. At least one person must be appointed to implement the communication strategy for ICT-related incidents and fulfill a public and media role.-
As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework referred to in Article 6(1), financial entitiesas defined in Article 2, points (a) to (t) shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity or vulnerabilitiesa weakness, susceptibility or flaw of an asset, system, process or control that can be exploited to clients and counterparts as well as to the public, as appropriate.
proportionality Paragraph allows for application of the proportionality principle according to Article 4. -
As part of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management, in particular the staff responsible for response and recovery, and staff that needs to be informed.
proportionality Paragraph allows for application of the proportionality principle according to Article 4. -
At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity and fulfil the public and media function for that purpose.
proportionality Paragraph allows for application of the proportionality principle according to Article 4.