Overview:
This pillar mandates that financial entities establish and maintain a robust ICT (Information and Communication Technology) risk management framework. The framework must be integrated into the overall risk management system and should cover all aspects of ICT risk, including cybersecurity, ICT dependencies, and critical third-party service providers.

Key Requirements:

• Develop a comprehensive ICT risk management strategy.
• Implement procedures to identify, assess, and mitigate ICT risks.
• Ensure continuous monitoring and review of ICT risks.
• Integrate ICT risk management into the corporate governance structure.

Overview:
DORA introduces standardized requirements for reporting ICT-related incidents. This aims to improve the detection and response to ICT incidents, ensuring that significant disruptions are promptly communicated to relevant authorities.

Key Requirements:

• Establish processes for identifying and classifying ICT incidents.
• Report significant ICT incidents to competent authorities within specified timelines.
• Provide detailed incident reports, including root cause analysis and remediation actions.
• Ensure transparency with stakeholders regarding significant ICT incidents.

Overview:
Financial entities must conduct regular and comprehensive testing of their digital operational resilience. This includes various types of tests, such as vulnerability assessments, penetration testing, and advanced threat-led penetration testing (TLPT).

Key Requirements:

• Develop a testing framework that covers all critical ICT systems and services.
• Conduct regular tests to evaluate the effectiveness of ICT risk management controls.
• Involve independent parties in advanced testing exercises.
• Remediate identified weaknesses and gaps promptly.

Overview:
DORA places a strong emphasis on managing risks associated with ICT third-party service providers. Financial entities must ensure that their ICT third-party providers adhere to stringent security and resilience standards.

Key Requirements:

• Conduct thorough due diligence before engaging ICT third-party providers.
• Establish contractual agreements that include clear ICT risk management and resilience requirements.
• Monitor the performance and security practices of third-party providers continuously.
• Have contingency plans in place for critical third-party service failures.

Overview:
To enhance the overall cybersecurity posture of the financial sector, DORA encourages the sharing of cyber threat information and intelligence among financial entities and competent authorities.

Key Requirements:

• Participate in information-sharing arrangements and forums.
• Share relevant cyber threat intelligence in a timely and secure manner.
• Utilize shared information to improve ICT risk management practices.
• Collaborate with other financial entities and authorities to address common threats.

• RTS to specify the policy on ICT services performed by ICT third-party provider - (Article 28(10))
• RTS on criteria for the classification of ICT-related incidents (Article 18(3))
• ITS to establish the templates for the register of information (Article 28(9))
• RTS on ICT risk management framework (Article 15)
• RTS on simplified ICT risk management framework (Article 16(3))

• RTS and ITS on content, timeline and templates on incident reporting
• GL on aggregated costs and losses from major incidents
• RTS on subcontracting of critical or important - functions
• RTS on oversight harmonisation
• GL on oversight cooperation between ESAs and competent authorities
• RTS on threat-led penetration testing