Proportionality in Action: Deciphering the Simplified Framework for ICT Risk Management for Smaller Financial Entities

In the complex world of financial regulation, proportionality is a fundamental principle. The simplified framework for managing risks related to Information and Communication Technologies (ICT) is a clear example of how this principle is applied in practice. This article analyzes in detail what this framework is, who it affects, and its implications.

What is the Simplified Framework for ICT Risk Management?

The simplified framework for ICT risk management is a set of less stringent rules designed for smaller financial entities or those with more limited services. The key points of this framework are:

1. Exemption from Specific Roles: Entities are not required to create a role for monitoring agreements with third-party ICT service providers.
2. Flexibility in Organizational Structure: It is not necessary to designate a senior management member to oversee ICT risk exposure.
3. Simplification of Internal Controls: There is no requirement to assign the responsibility for managing and supervising ICT risk to an independent control function.
4. Reduction in Documentation Burden: It is not mandatory to document and annually review the ICT risk management framework.
5. Flexibility in Audits: Periodic internal audits of the ICT risk management framework are not required.
6. Less Frequent Evaluations: Comprehensive evaluations are not necessary after each significant change in ICT processes and infrastructure.
7. Simplification in Risk Analysis: Periodic risk analyses on legacy ICT systems are not required.
8. Lower Demand for Continuity Plans: ICT response and recovery plans do not need to be subjected to independent internal audits.
9. Flexibility in Crisis Management: There is no requirement to have a specific crisis management function.
10. Simplified Tests: Tests of continuity and recovery plans do not need to reflect complex failover scenarios between infrastructures.
11. Lower Information Burden: It is not necessary to report cost and loss estimates for severe ICT incidents to authorities.
12. Flexibility in Infrastructure: There is no requirement to maintain redundant ICT capabilities (although micro-enterprises must evaluate this need based on their risk profile).
13. Reduction in Reporting Obligations: It is not necessary to report changes following ICT incidents to authorities.
14. Simplification in Innovation: Continuous tracking of relevant technological advances is not required.
15. Adapted Resilience Tests: A more flexible regime is allowed for digital operational resilience testing programs.
16. Exemption from Advanced Tests: Threat-based penetration tests are not required.
17. Flexibility in Third-Party Audits: Micro-enterprises can delegate certain audit rights to an independent third party appointed by the ICT service provider.

Si te ha interesado este artículo no dudes en leer:

DORA: Compliance and risk management for cryptoasset service providers

The DORA Regulation imposes new obligations on cryptoasset service providers. At ILP Abogados, we have a specialized cryptoassets team to help you comply with these obligations and manage your risks

Which Entities Does This Simplified Framework Affect?

The simplified framework applies to:

1. Small and non-interconnected investment service companies.
2. Small occupational pension funds that meet the following conditions:
   • Can be excluded under Directive (EU) 2016/2341.
   • Manage pension plans with no more than 100 participants in total.
3. Entities exempted under Directive 2013/36/EU.
4. Payment entities referred to in Article 32(1) of Directive (EU) 2015/2366, exempted under national law.
5. Electronic money entities mentioned in Article 9 of Directive 2009/110/EC, exempted under national law.
6. Micro-enterprises, according to the EU definition.

It is important to note that payment and electronic money entities not exempted by their national law must comply with the general framework established in the Regulation.

If you enjoyed this article, you might also find the following reading interesting:

DORA: Impact on Transparency, Investor Protection and Governance