DORA-Art6-P8

Article: 6 (8)
Pillar: ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 6(8)
Last Reviewed: 2026-01-15

The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes.

Evidence Profiles

ICT Risk Management Framework Document (COMMON)

Comprehensive document describing the institution's ICT risk management framework, governance structure, risk appetite, and risk management methodology as required by DORA Article 6.

Formats: PDF, DOCX
Evidence Class: ict-risk-framework
Availability: COMMON
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CRO → Board Risk Committee

ICT Risk Framework Review Record (PARTIAL)

Structured JSON record documenting each periodic review of the ICT risk management framework, including review date, findings, changes made, and next review date.

Formats: JSON
Evidence Class: framework-review-record
Availability: PARTIAL
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CRO

Fact Schemas

ict_risk_framework_status

Schema ID: fs-ict-risk-framework-status
Control: DORA-Art6-P1

Valid Ranges

approval_date: within last 18 months
next_review_date: future date within 12 months of approval

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "framework_version": {
      "pattern": "^\\d+\\.\\d+$",
      "type": "string"
    },
    "has_governance_structure": {
      "type": "boolean"
    },
    "has_risk_appetite": {
      "type": "boolean"
    },
    "next_review_date": {
      "format": "date",
      "type": "string"
    },
    "risk_appetite_thresholds": {
      "items": {
        "properties": {
          "category": {
            "type": "string"
          },
          "threshold": {
            "type": "number"
          },
          "unit": {
            "type": "string"
          }
        },
        "type": "object"
      },
      "type": "array"
    }
  },
  "required": [
    "framework_version",
    "approval_date",
    "next_review_date",
    "has_governance_structure",
    "has_risk_appetite"
  ],
  "type": "object"
}

framework_review_record

Schema ID: fs-framework-review-record
Control: DORA-Art6-P8

Valid Ranges

review_date: within last 12 months for annual review
next_review_date: within 12 months of review_date

JSON Schema

{
  "properties": {
    "approved_by": {
      "type": "string"
    },
    "change_summary": {
      "type": "string"
    },
    "changes_made": {
      "type": "boolean"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "next_review_date": {
      "format": "date",
      "type": "string"
    },
    "review_date": {
      "format": "date",
      "type": "string"
    },
    "review_trigger": {
      "enum": [
        "periodic",
        "major_incident",
        "supervisory_instruction",
        "audit_finding",
        "resilience_test"
      ],
      "type": "string"
    },
    "reviewer": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "review_date",
    "reviewer",
    "review_trigger",
    "changes_made",
    "next_review_date"
  ],
  "type": "object"
}