Article 5 Governance and organisation
TL;DR
This article from the EU’s Digital Operations Resilience Act outlines the responsibilities of the management body of financial entities with regards to managing ICT risk. This includes setting policies to ensure the maintenance of data security, setting roles and responsibilities for ICT-related functions and establishing governance arrangements, setting and approving the digital operational resilience strategy, approving and reviewing ICT business continuity strategies, ICT internal audit plans, and the use of ICT services provided by third parties. Additionally, members of the management body must be aware of ICT risk and its impact and have sufficient knowledge and skills to understand it, and must take part in regular training.-
Financial entitiesas defined in Article 2, points (a) to (t) shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, in accordance with Article 6(4), in order to achieve a high level of digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;.
proportionality Paragraph allows for application of the proportionality principle according to Article 4. -
The management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework referred to in Article 6(1).
For the purposes of the first subparagraph, the management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; shall:
-
bear the ultimate responsibility for managing the financial entity’s ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;;
-
put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
-
set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
-
bear the overall responsibility for setting and approving the digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; of the financial entity, as referred to in Article 6(8), point (b);
-
approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
-
approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
-
allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resiliencemeans the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; training referred to in Article 13(6), and ICT skills for all staff;
-
approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided by ICT third-party service providersmeans an undertaking providing ICT services;;
-
put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
-
arrangements concluded with ICT third-party service providersmeans an undertaking providing ICT services; on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;,
-
any relevant planned material changes regarding the ICT third-party service providersmeans an undertaking providing ICT services;,
-
the potential impact of such changes on the critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidentsmeans an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and their impact, as well as response, recovery and corrective measures.
-
management body Paragraph has special considerations for 'management body' as defined by Article 3 point 30.proportionality Paragraph allows for application of the proportionality principle according to Article 4. -
-
Financial entitiesas defined in Article 2, points (a) to (t), other than microenterprisesmeans a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providersmeans an undertaking providing ICT services; on the use of ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
exemption Paragraph has a reduced scope, i.e., it does not apply to all financial entities in Article 2(1) but some or only those of a certain size.proportionality Paragraph allows for application of the proportionality principle according to Article 4. -
Members of the management bodymeans a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; being managed.
management body Paragraph has special considerations for 'management body' as defined by Article 3 point 30.proportionality Paragraph allows for application of the proportionality principle according to Article 4.