# Art. 6 — ICT risk framework

1. Financial entities shall have a sound, comprehensive and well-documented [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework as part of their overall risk management system, which enables them to address [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) quickly, efficiently and comprehensively and to ensure a high level of [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience).
2. The [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset), including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset) are adequately protected from risks including damage and unauthorised access or usage.
3. In accordance with their [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework, financial entities shall minimise the impact of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) and on their [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework to the competent authorities upon their request.
4. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall assign the responsibility for managing and overseeing [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
5. The [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework shall be documented and reviewed at least once a year, or periodically in the case of [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), as well as upon the occurrence of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident), and following supervisory instructions or conclusions derived from relevant [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework shall be submitted to the competent authority upon its request.
6. The [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework of financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall be subject to internal audit by auditors on a regular basis in line with the financial entities' audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) of the financial entity.
7. Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.
8. The [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework shall include a [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) strategy setting out how the framework shall be implemented. To that end, the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) strategy shall include methods to address [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) and attain specific ICT objectives, by:
   1. explaining how the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework supports the financial entity's business strategy and objectives;
   2. establishing the risk tolerance level for [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
   3. setting out clear information security objectives, including key performance indicators and key risk metrics;
   4. explaining the ICT reference architecture and any changes needed to reach specific business objectives;
   5. outlining the different mechanisms put in place to detect [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), prevent their impact and provide protection from it;
   6. evidencing the current [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) situation on the basis of the number of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) reported and the effectiveness of preventive measures;
   7. implementing [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) testing, in accordance with Chapter IV of this Regulation;
   8. outlining a communication strategy in the event of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) the disclosure of which is required in accordance with [Article 14](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-14-communication.md).
9. Financial entities may, in the context of the [digital operational resilience](https://www.mica.wtf/definitions/definitions/dora/digital-operational-resilience) strategy referred to in paragraph 8, define a holistic ICT multi-vendor strategy, at [group](https://www.mica.wtf/definitions/definitions/dora/group) or entity level, showing key dependencies on [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) and explaining the rationale behind the procurement mix of [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider).
10. Financial entities may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management requirements to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management requirements.
