# Art. 13 — Learning and evolving

1. Financial entities shall have in place capabilities and staff to gather information on [vulnerabilities](https://www.mica.wtf/definitions/definitions/dora/vulnerability) and [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat), [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), in particular [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack), and analyse the impact they are likely to have on their [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience).
2. Financial entities shall put in place post [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reviews after a [major ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in [Article 11](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-11-response-and-recovery.md).

   Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall, upon request, communicate to the competent authorities, the changes that were implemented following post [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reviews as referred to in the first subparagraph.

   The post [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:

   1. the promptness in responding to security alerts and determining the impact of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and their severity;
   2. the quality and speed of performing a forensic analysis, where deemed appropriate;
   3. the effectiveness of incident escalation within the financial entity;
   4. the effectiveness of internal and external communication.
3. Lessons derived from the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing carried out in accordance with [Article 26](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-26-advanced-testing-tlpt.md) and [Article 27](/dora/digital-operational-resilience-act/chapter-iv-digital-operational-resilience-testing/article-27-requirements-for-testers.md) and from real life [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), in particular [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack), along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework referred to in [Article 6(1)](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-6-ict-risk-management-framework.md).
4. Financial entities shall monitor the effectiveness of the implementation of their [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) strategy set out in [Article 6(8)](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-6-ict-risk-management-framework.md). They shall map the evolution of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) over time, analyse the frequency, types, magnitude and evolution of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), in particular [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack) and their patterns, with a view to understanding the level of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) exposure, in particular in relation to [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function), and enhance the cyber maturity and preparedness of the financial entity.
5. Senior ICT staff shall report at least yearly to the [management body](https://www.mica.wtf/definitions/definitions/dora/management-body) on the findings referred to in paragraph 3 and put forward recommendations.
6. Financial entities shall develop ICT security awareness programmes and [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) in their relevant training schemes in accordance with [Article 30(2), point (i)](/dora/digital-operational-resilience-act/chapter-v-managing-ict-third-party-risk/article-30-key-contractual-provisions.md).
7. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience). They shall keep up-to-date with the latest [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management processes, in order to effectively combat current or new forms of [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack).

