ICT Risk Management under DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) refers to the specific and detailed requirements that financial entities in the EU must implement to identify, protect against, detect, respond to and recover from ICT-related risks and incidents. DORA goes beyond general risk management by mandating specific capabilities such as ICT asset management, threat-led penetration testing (TLPT), oversight of ICT third-party service providers, and classification of ICT-related incidents against harmonised criteria with reporting of major incidents to the competent authority within strict timeframes (an initial notification, an intermediate report and a final report).
DORA applies to a broad range of financial entities, including banks, insurance companies and investment firms, and brings the ICT third-party providers designated as critical under a Union-level oversight framework; it has applied since 17 January 2025. Organisations must establish a comprehensive ICT risk management framework approved and overseen by the management body, conduct regular digital operational resilience testing (with TLPT at least every three years for entities required to perform it), and maintain a register of information covering all contractual arrangements with ICT third-party service providers, making it one of the most prescriptive regulatory frameworks for ICT risk in the financial sector.