ICT risk management framework

This is a placeholder page for the full legal text of the regulatory technical standard (RTS) on the ICT risk management framework, supplementing DORA. It was submitted by the ESAs to the European Commission in January 2024 as mandated by Article 15 and Article 16(3) of DORA. It is expected to become applicable on 17 January 2025 along with DORA.

Until we publish the full legal text here, please find the draft RTS on ESMA’s web page or the adopted regulation on the EC’s web page.

The RTS on the ICT risk management framework provides specifications on various policies, procedures and plans mandated by DORA across several topics, e.g., access management, anomaly detection, criteria for triggering incident management and response processes, elements concerning business continuity management, and the regular review of the ICT risk management framework. The RTS also expands on the simplified ICT risk management framework.