DORA-Art6-P1

Article: 6(1)
Pillar: ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 6(1)
Last Reviewed: 2026-01-15

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively.

Evidence Profiles

ICT Risk Management Framework Document COMMON

Comprehensive document describing the institution's ICT risk management framework, governance structure, risk appetite, and risk management methodology as required by DORA Article 6.

Formats: PDF, DOCX
Evidence Class: ict-risk-framework
Availability: COMMON
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CRO → Board Risk Committee

ICT Risk Management Policy COMMON

Operational policy document detailing specific ICT risk management procedures, roles, escalation paths, and control requirements derived from the overarching framework.

Formats: DOCX
Evidence Class: ict-risk-policy
Availability: COMMON
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CRO

Fact Schemas

ict_risk_framework_status

Schema ID: fs-ict-risk-framework-status
Control: DORA-Art6-P1

Valid Ranges

approval_date: within last 18 months
next_review_date: future date within 12 months of approval

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "framework_version": {
      "pattern": "^\\d+\\.\\d+$",
      "type": "string"
    },
    "has_governance_structure": {
      "type": "boolean"
    },
    "has_risk_appetite": {
      "type": "boolean"
    },
    "next_review_date": {
      "format": "date",
      "type": "string"
    },
    "risk_appetite_thresholds": {
      "items": {
        "properties": {
          "category": {
            "type": "string"
          },
          "threshold": {
            "type": "number"
          },
          "unit": {
            "type": "string"
          }
        },
        "type": "object"
      },
      "type": "array"
    }
  },
  "required": [
    "framework_version",
    "approval_date",
    "next_review_date",
    "has_governance_structure",
    "has_risk_appetite"
  ],
  "type": "object"
}
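
The JSON Schema above checks field types and formats, but the Valid Ranges for ict_risk_framework_status are relative to the evaluation date and cannot be expressed in it. The following is an added example, not part of the original page or of any tool it describes, that checks one fact against both. The function names, the sample facts, the fixed evaluation date and the inclusive reading of "within last 18 months" are assumptions.

```python
import calendar
import re
from datetime import date

REQUIRED = ("framework_version", "approval_date", "next_review_date",
            "has_governance_structure", "has_risk_appetite")

def add_months(d, months):
    """Shift a date by whole months, clamping the day to the month's end."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def check_framework_status(fact, today):
    """Return findings for one fact; an empty list means it passes."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in fact]
    if findings:
        return findings
    version = fact["framework_version"]
    if not (isinstance(version, str) and re.fullmatch(r"\d+\.\d+", version)):
        findings.append("framework_version must look like '3.1'")
    for key in ("has_governance_structure", "has_risk_appetite"):
        if not isinstance(fact[key], bool):
            findings.append(f"{key} must be a boolean")
    try:
        approved = date.fromisoformat(fact["approval_date"])
        review = date.fromisoformat(fact["next_review_date"])
    except (TypeError, ValueError):
        return findings + ["approval_date and next_review_date must be ISO dates"]
    # Assumption: "within last 18 months" is inclusive and excludes future dates.
    if not add_months(today, -18) <= approved <= today:
        findings.append("approval_date is not within the last 18 months")
    # Assumption: "future" means strictly after the evaluation date.
    if not today < review <= add_months(approved, 12):
        findings.append("next_review_date is not a future date within 12 months of approval")
    return findings

# Constructed sample facts and a fixed evaluation date (not real data).
TODAY = date(2026, 1, 15)
CURRENT_FACT = {"framework_version": "3.1", "approval_date": "2025-06-30",
                "next_review_date": "2026-06-30",
                "has_governance_structure": True, "has_risk_appetite": True}
STALE_FACT = {"framework_version": "v3", "approval_date": "2024-05-01",
              "next_review_date": "2025-05-01",
              "has_governance_structure": True, "has_risk_appetite": True}

if __name__ == "__main__":
    for name, fact in (("current", CURRENT_FACT), ("stale", STALE_FACT)):
        print(name, check_framework_status(fact, TODAY) or "OK")
```

The stale fact yields three separate findings (version pattern, approval age, review date), so a lapsed review cycle is reported as distinct gaps instead of a single failure.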

risk_appetite_statement

Schema ID: fs-risk-appetite-statement
Control: DORA-Art6-P1

Valid Ranges

approval_date: within last 12 months
risk_categories: must include at least ICT operational risk, cyber risk, and third-party risk

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "has_quantitative_thresholds": {
      "type": "boolean"
    },
    "risk_categories": {
      "items": {
        "properties": {
          "appetite_level": {
            "enum": [
              "low",
              "moderate",
              "high"
            ],
            "type": "string"
          },
          "category": {
            "type": "string"
          },
          "threshold_unit": {
            "type": "string"
          },
          "threshold_value": {
            "type": "number"
          }
        },
        "required": [
          "category",
          "appetite_level"
        ],
        "type": "object"
      },
      "minItems": 1,
      "type": "array"
    },
    "statement_version": {
      "type": "string"
    }
  },
  "required": [
    "statement_version",
    "approval_date",
    "has_quantitative_thresholds",
    "risk_categories"
  ],
  "type": "object"
}