Question ID: DORA033 - 2996
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT risk management (DORA)
Article: 8
Status: Final
Date of submission: 14 Feb 2024
Question
Art. 8 VII: Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems. What does DORA mean by connecting?
Background of the question
Explanation: Article 8 VII refers explicitly to legacy systems. However, it is unclear whether "before and after connection of technologies, applications or systems" refers to all changes.
EIOPA answer
Under Art. 8(7) of DORA, FEs must perform ICT risk assessments on legacy systems at least annually and in any case before and after connecting technologies, applications, or systems. In this regard, “connection” relates to e.g. integrations, interfacing of systems/tools, or changes to legacy systems that can add new interdependencies and/or vulnerabilities.
Moreover, the RTS on RMF detail this interpretation by describing the procedures for ICT risk management, such as the need for change management policy and procedures (Art. 17) and the identification of interdependencies between systems and providers (Art. 8). These provisions highlight the importance of assessing connections as part of a broader strategy to manage ICT risks.