# Art. 8 — Identification

1. As part of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework referred to in [Article 6(1)](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-6-ict-risk-management-framework.md), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset) supporting those functions, and their roles and dependencies in relation to [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk). Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
2. Financial entities shall, on a continuous basis, identify all sources of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk), in particular the risk exposure to and from other financial entities, and assess [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) and ICT [vulnerabilities](https://www.mica.wtf/definitions/definitions/dora/vulnerability) relevant to their ICT supported business functions, [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset). Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
3. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall perform a risk assessment upon each major change in the [network and information system](https://www.mica.wtf/definitions/definitions/dora/network-and-information-system) infrastructure, in the processes or procedures affecting their ICT supported business functions, [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) or [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset).
4. Financial entities shall identify all [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset), including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset) and the links and interdependencies between the different [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset).
5. Financial entities shall identify and document all processes that are dependent on [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), and shall identify interconnections with [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) that provide services that support [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function).
6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.
7. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall on a regular basis, and at least yearly, conduct a specific [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) assessment on all [legacy ICT systems](https://www.mica.wtf/definitions/definitions/dora/legacy-ict-system) and, in any case before and after connecting technologies, applications or systems.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.mica.wtf/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-8-identification.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.