DORA-Art16-P1

Article: 16 (1)
Pillar: ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 16(1)
Last Reviewed: 2026-01-15

Financial entities shall have in place communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts as well as to the public, as appropriate.

Evidence Profiles

ICT Incident Communication Plan (PARTIAL)

Plan defining communication procedures for ICT-related incidents and vulnerabilities, including stakeholder notification templates, escalation paths, and public disclosure criteria as required by DORA Article 16.

Formats: PDF
Evidence Class: ict-communication-plan
Availability: PARTIAL
Update Frequency: annual
Typical Author: Head of Communications
Approval Chain: Head of Communications → CISO → CEO

Content Sections

Expected Fields

Common Quality Issues

Fact Schemas

ict_communication_plan_status

Schema ID: fs-ict-communication-plan
Control: DORA-Art16-P1

Valid Ranges

approval_date: within last 18 months
stakeholder_categories_count: minimum 3 (clients, regulators, public)

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "has_disclosure_criteria": {
      "type": "boolean"
    },
    "has_escalation_paths": {
      "type": "boolean"
    },
    "has_notification_templates": {
      "type": "boolean"
    },
    "includes_media_handling": {
      "type": "boolean"
    },
    "includes_regulatory_notification": {
      "type": "boolean"
    },
    "last_simulation_date": {
      "format": "date",
      "type": "string"
    },
    "plan_version": {
      "type": "string"
    },
    "stakeholder_categories_count": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "plan_version",
    "approval_date",
    "has_notification_templates",
    "has_escalation_paths",
    "has_disclosure_criteria"
  ],
  "type": "object"
}