DORA-Art9-P1

Article: 9 (1)
Pillar: ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 9(1)
Last Reviewed: 2026-01-15

For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

Evidence Profiles

ICT Security Policy COMMON

Comprehensive security policy covering access controls, encryption, network security, patch management, and security monitoring as required by DORA Article 9.

Formats: DOCX PDF
Evidence Class: ict-security-policy
Availability: COMMON
Update Frequency: annual
Typical Author: CISO
Approval Chain: CISO → CIO

Content Sections

Expected Fields

Common Quality Issues

Policy not updated to reflect cloud security requirements
Generic encryption standards without specific algorithm requirements
Missing mobile device and remote access provisions
No reference to DORA-specific security requirements

ICT Security Controls Register PARTIAL

Structured JSON register of deployed ICT security controls, their implementation status, effectiveness ratings, and mapping to regulatory requirements.

Formats: JSON
Evidence Class: ict-security-controls
Availability: PARTIAL
Update Frequency: quarterly
Typical Author: Security Operations Manager
Approval Chain: Security Operations Manager → CISO

Content Sections

Expected Fields

Common Quality Issues

Controls register not comprehensive — missing detective controls
Effectiveness ratings based on self-assessment rather than independent testing
Missing mapping between controls and specific DORA requirements
Stale last_tested dates for some controls

Fact Schemas

ict_security_controls_status

Schema ID: fs-ict-security-controls
Control: DORA-Art9-P1

Valid Ranges

assessment_date: within last 6 months
implemented_controls: should equal total_controls for full compliance

Related Schemas

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "effective_controls": {
      "minimum": 0,
      "type": "integer"
    },
    "has_access_controls": {
      "type": "boolean"
    },
    "has_encryption": {
      "type": "boolean"
    },
    "has_network_security": {
      "type": "boolean"
    },
    "has_patch_management": {
      "type": "boolean"
    },
    "implemented_controls": {
      "minimum": 0,
      "type": "integer"
    },
    "last_effectiveness_review": {
      "format": "date",
      "type": "string"
    },
    "total_controls": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "total_controls",
    "implemented_controls",
    "has_access_controls",
    "has_encryption"
  ],
  "type": "object"
}