2024-12-18

Notice describing the ICT risk management framework under EU Regulation 2022/2554 (DORA)

The ACPR issues this notice to define the ICT risk management framework for insurance, reinsurance, and supplementary pension entities under the EU DORA regulation. It mandates specific governance, security, and operational policies, while distinguishing requirements between large entities and small supplementary pension organizations. The document also details reporting obligations for the Regular Supervisor Report and the annual review of the ICT risk management framework.

France

Autorite de Controle Prudentiel et de Resolution

SECRÉTARIAT GÉNÉRAL

Notice describing the ICT risk management framework under EU Regulation No. 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA)

Insurance, reinsurance and supplementary occupational pension sectors

(Version of 18/12/2024)

Table of contents

  1. Introduction
  2. Information to be communicated as part of the RSR
  3. Tools, methods, processes and policies for ICT risk management
     3.1. Digital operational resilience strategy and governance
     3.2. ICT risk management
     3.3. Security of ICT networks and systems
     3.4. ICT operations management
     3.4.1. ICT asset management policy and procedure
     3.4.2. Human resources and access control policy
     3.4.3. Policies and procedures covering the operation, monitoring and control of IT systems and services
     3.4.4. ICT incident management policy
     3.4.5. Change and project management policies and procedures
     3.5. Business continuity management
     3.5.1. Description of the operational maintenance of ICT systems and solutions (IT business continuity)
     3.5.2. Description of the crisis management arrangement
     3.6. Management of risks related to third-party ICT service providers
  4. Simplified ICT risk management framework
  5. Report on the review of the ICT risk management framework
  Annex 1: Structure and content of the report on the review of the ICT risk management framework
1. Introduction

1 This document (hereinafter the "Notice") presents the framework for managing risks related to information and communication technology (ICT) within the meaning of Regulation (EU) No 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (hereinafter the "DORA Regulation") and its implementing texts. It also clarifies which elements must be included in the Regular Report to the Supervisor (RSR) by entities subject to the Solvency II prudential framework (see Part 2). According to the definition in Article 3(5) of the DORA Regulation, "ICT risk" means any reasonably identifiable circumstance related to the use of network and information systems which, if realized, could compromise the security of the network and information systems, of any tool or process dependent on technology, of operations and processes, or of the provision of services, by producing harmful effects in the digital or physical environment.

2 In addition to the DORA Regulation, this Notice refers to Commission Delegated Regulation (EU) No 2024/1774 of 13 March 2024 supplementing the DORA Regulation with regulatory technical standards specifying the tools, methods, processes and policies for ICT risk management and the simplified ICT risk management framework. It also refers to Commission Delegated Regulation (EU) No 2024/1773 of 13 March 2024 supplementing the DORA Regulation with regulatory technical standards specifying the content of the third-party ICT policy.

3 This Notice is addressed to the following entities:
  a. insurance or reinsurance undertakings subject to the "Solvency II" regime referred to in Articles L. 310-3-1 of the Insurance Code, L. 211-10 of the Mutual Code and L. 931-6 of the Social Security Code;
  b. supplementary occupational pension schemes (ORPS) referred to in Articles L. 381-1 of the Insurance Code, L. 214-1 of the Mutual Code and L. 942-1 of the Social Security Code, which have more than fifteen members in total;
  c. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries referred to in paragraph III of Article L. 511-1 of the Insurance Code, which are neither micro-enterprises nor small or medium-sized enterprises[1].

These obligations specify in particular the due diligence to be carried out so that ICT risk management is given due weight, is taken into account by governance, and is addressed where external providers are used.

4 Given the three different categories of entities mentioned in paragraph 3, this Notice contains five parts, including the introduction, which are not all applicable to all of these entities. Thus:

  • Part 2, on the information to be communicated as part of the RSR, concerns only the entities mentioned in point a of paragraph 3;
  • Part 3, on tools, methods, processes and policies for ICT risk management, applies to all entities mentioned in paragraph 3, except small ORPS[2];
  • Part 4, on the simplified ICT risk management framework, concerns only small ORPS;
  • Part 5, on the report on the review of the ICT risk management framework, applies to all entities mentioned in paragraph 3, without exception.

5 This Notice aims to provide the entities mentioned in paragraph 3 with explanations on the implementation of the DORA Regulation, which is scheduled to enter into force on 17 January 2025. Its content cannot, however, exhaust all questions raised by the implementation of a DORA Regulation obligation, and it will therefore evolve. Furthermore, this document is without prejudice to individual decisions that the ACPR may take on the basis of the specific situations it is called upon to examine.

6 Since the DORA Regulation, notably in its Article 4, reaffirms the principle that ICT risk management measures are to be applied in proportion to the nature, scale and complexity of the risks inherent in the activities of the undertakings subject to the regulation, the guidance provided by this Notice must be read in the light of that principle. In this regard, the ACPR will take into account the internal organization of the undertakings concerned and the nature, scope and complexity of the products and services they provide or intend to provide. Financial entities in the insurance sector that fall outside the scope of DORA should note that measures must nevertheless be taken to adequately manage IT and cyber risks as part of the sound and prudent management of the company's business.

7 Unless otherwise stated, "the undertaking" in this Notice refers to the entities mentioned in paragraph 3.

8 This Notice is applicable from the day of its publication in the official register of the ACPR but will only take effect from the entry into force of the DORA Regulation (17 January 2025).
2. Information to be communicated as part of the RSR[3]

9 Entities subject to the Solvency II regulatory framework submit a report intended for the supervisor, named the "Regular Report to the Supervisor", the principle of which is set out in point 1 of Article 304 of the amended Delegated Regulation, with its detailed content laid down in Articles 307 et seq. of the same text.

10 Subject to the guidance specified below, the entity refers to the clarifications provided in the notice "Communication of information to the supervisory authority and information for the public (RSR/SFCR) for insurance undertakings and groups subject to the Solvency II Directive", in its version of 17/07/2023.

11 The undertaking provides information on the governance framework for ICT risks and the security of network and information systems (Article 5 of the DORA Regulation).

12 The undertaking provides information on its digital operational resilience strategy (cf. Article 6(8) of the DORA Regulation) and on the organization of its framework for managing the associated ICT risks (Articles 5(1), 6(1) and 16(1)(a) of the DORA Regulation).
3. Tools, methods, processes and policies for ICT risk management

13 This part addresses all entities listed in paragraph 3, except small ORPS.

3.1. Digital operational resilience strategy and governance

14 The undertaking documents its digital operational resilience strategy, specifying in particular its governance, its integration into the risk management system for information and communication technology (ICT), and the means dedicated to it[4].

15 The undertaking documents its digital operational resilience strategy, specifying the methods used to counter risks affecting information assets and ICT assets, including software, computer hardware, servers and all relevant components and physical infrastructures, in order to ensure that all information assets and ICT assets are correctly protected against risks, including damage and unauthorized access or use, according to the methods mentioned in Article 6(8) of the DORA Regulation. The digital operational resilience strategy may include, where appropriate, the overall multi-provider strategy, setting out in particular the main dependencies on third-party ICT service providers and the reasons underlying the chosen combination of third-party ICT service providers, in accordance with point 9 of the aforementioned Article.

16 The undertaking documents the effective and prudent management of ICT risk by its governance and internal control framework, in accordance with Article 5(1) of the DORA Regulation. In this regard, its management body defines, approves, oversees and is responsible for the implementation of all provisions related to the ICT risk management framework, in accordance with point 2 of the aforementioned Article. The documentation includes all elements specified in Article 3 of Delegated Regulation (EU) No 2024/1774.

3.2. ICT risk management

17 In order to meet the objectives set by Articles 5 and 6 of the DORA Regulation on digital operational resilience for the financial sector, the undertaking develops, documents, regularly updates, implements and makes available to the supervisor the ICT risk management policies and procedures, which contain all the elements defined in Article 3 of Regulation (EU) No 2024/1774. They address in particular the following elements:
  • the indication that the ICT risk tolerance level has been approved;
  • a procedure and method for assessing vulnerabilities and threats affecting, or potentially affecting, the business functions supported and the ICT systems and ICT assets supporting them, together with the required quantitative or qualitative indicators;
  • the procedure for determining, implementing and documenting ICT risk treatment measures;
  • the required elements regarding residual ICT risks;
  • monitoring provisions;
  • the consideration of any change in the company's business strategy and digital operational resilience strategy.

[4] Also included are the ICT security awareness programs and digital operational resilience training that the undertakings integrate into their staff training programs, within the meaning of Article 13(6) of Regulation (EU) No 2022/2554 (cf. also Article 5(2)(g) of the same Regulation).

3.3. Security of ICT networks and systems

18 In order to meet the objectives set by Article 9 of the DORA Regulation on digital operational resilience for the financial sector, the undertaking develops, documents, regularly updates, implements and makes available to the supervisor the ICT security and information security policies and the related procedures, protocols and tools which:

  • guarantee network security;
  • include safeguards against intrusions and misuse of data;
  • preserve the availability, authenticity, integrity and confidentiality of data, including by using cryptographic techniques;
  • guarantee the accurate and rapid transmission of data without major disruption and without undue delay.

The undertaking ensures that these policies comply with the conditions mentioned in point 2 of Article 2 of Delegated Regulation (EU) No 2024/1774.

19 For the purposes of the network security guarantees mentioned in the previous paragraph, the undertaking develops, documents, regularly updates, implements and makes available to the supervisor the network security management protocols and tools defined in Article 13 of the aforementioned Delegated Regulation.

20 For the purposes of the guarantees aimed at preserving the availability, authenticity[5], integrity and confidentiality of data, the undertaking develops, documents, regularly updates, implements and makes available to the supervisor the policies, procedures, protocols and tools for protecting information in transit (cf. Article 14 of Delegated Regulation (EU) No 2024/1774). This notably covers the encryption and cryptographic controls policy and the cryptographic key management policy, within the meaning of Articles 6 and 7 of the aforementioned Delegated Regulation.

3.4. ICT operations management

3.4.1. ICT asset management policy and procedure

21 The undertaking must have an ICT asset management policy in accordance with Article 4(2) of Delegated Regulation (EU) No 2024/1774.

22 The undertaking develops, documents and implements an ICT asset management procedure (Article 5 of the aforementioned Delegated Regulation). This procedure specifies the criteria used to assess the criticality of ICT assets, based on:
  a. the ICT risk associated with the business functions concerned and their dependence on information assets or ICT assets;
  b. the impact that a loss of confidentiality, integrity or availability of these information assets and ICT assets would have on the company's operational processes and activities.

[5] Within the meaning of CNIL definitions.

3.4.2. Human resources and access control policy

23 The undertaking includes in its human resources policy, or in other relevant policies, the following elements related to ICT security (Article 19 of Delegated Regulation (EU) No 2024/1774):

  • the identification and assignment of any specific responsibility for ICT security;
  • the obligation for the company's personnel and for third-party ICT service providers who use or have access to the company's ICT assets to:
    o be informed of the company's ICT security policies, procedures and protocols and to comply with them;
    o know the notification channels set up by the company for the detection of abnormal behavior, including, where applicable, the reporting channels established in accordance with Directive (EU) No 2019/1937 of the European Parliament and of the Council;
    o return to the financial entity, upon termination of their employment, all ICT assets and all tangible information assets in their possession belonging to the company.

24 The undertaking develops, documents and implements identity management policies and procedures in accordance with Article 20(1) of Delegated Regulation (EU) No 2024/1774. These must contain all the elements cited in point 2 of the same Article.

25 The undertaking develops, documents and implements a policy on the control of access rights to ICT assets (Article 21 of Delegated Regulation (EU) No 2024/1774). In particular, this policy must include:
  • the assignment of access rights to ICT assets according to the need-to-know, need-to-have and least-privilege principles, including for remote access and emergency access;
  • a separation of duties aimed at preventing unjustified access to critical data, or the assignment of combinations of access rights that could be used to bypass controls;
  • provisions on user accountability, limiting as far as possible the use of generic or shared user accounts and ensuring that users can be identified at all times for the actions performed in ICT systems;
  • provisions restricting access to ICT assets, with controls and tools to prevent any unauthorized access;
  • account management procedures to grant, modify or revoke access rights for user accounts and generic accounts, including generic administrator accounts, containing the provisions related to the elements cited in Article 21(e) of Delegated Regulation (EU) No 2024/1774;
  • protocols and procedures related to strong authentication mechanisms (Article 9(4)(d) of the DORA Regulation and Article 21(f) of Delegated Regulation (EU) No 2024/1774);
  • any information related to physical access control measures for ICT assets (Article 21(g) of Delegated Regulation (EU) No 2024/1774).

3.4.3. Policies and procedures covering the operation, monitoring and control of IT systems and services

35 In order to guarantee the confidentiality, integrity and availability of systems, the undertaking develops, documents and implements policies and procedures defining how it operates, monitors, controls and restores ICT systems and services, in particular those supporting critical or important functions[6] (Article 9(2) of the DORA Regulation and Article 8(1) of Delegated Regulation (EU) No 2024/1774).

36 The documents mentioned in paragraph 35 include procedures for planning and monitoring performance and capacity, in order to prevent, detect and resolve any significant performance issues in ICT systems and any capacity limits (Article 9 of Delegated Regulation (EU) No 2024/1774).

37 The documents mentioned in paragraph 35 include vulnerability management procedures providing in particular for various information security reviews and assessments, in order to guarantee the effective identification of vulnerabilities present in its ICT systems and services, including when these services are provided by a third-party provider (Article 10(1) and (2) of Delegated Regulation (EU) No 2024/1774).

38 The documents mentioned in paragraph 35 include patch management procedures providing in particular for the identification and evaluation of available software and hardware patches and updates, the definition of emergency procedures for applying patches and updates to ICT assets, the setting of deadlines for installing software and hardware patches and updates, and reporting procedures for cases where these deadlines cannot be met (Article 10(3) and (4) of Delegated Regulation (EU) No 2024/1774).

39 The documents mentioned in paragraph 35 include a data and ICT system security procedure containing all the elements mentioned in Article 11(2) of Delegated Regulation (EU) No 2024/1774.

40 The undertaking establishes, maintains and reviews a digital operational resilience testing program to assess its preparedness for handling ICT incidents (Article 24 of the DORA Regulation). The results of these tests form part of the information included in the report on the review of the ICT risk management framework (see Part 5). The undertaking ensures that all ICT systems and applications supporting critical or important functions undergo appropriate tests at least once a year.

3.4.4. ICT incident management policy

[6] "Critical or important function": a function whose disruption is likely to seriously impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or where an interruption, anomaly or failure in the execution of this function is likely to seriously impair the ability of a financial entity to continue to comply with the conditions and obligations of its authorization, or with its other obligations under the applicable provisions of financial services law (definition in point 22 of Article 3 of the DORA Regulation).

41 The undertaking develops, documents and implements a policy describing the principles for detecting and managing ICT incidents (Articles 17 and 10 of the DORA Regulation). These principles include in particular:

  • an internal and external communication strategy in the event of ICT incidents (Article 6(8)(h) of the DORA Regulation);
  • technical, organizational and operational mechanisms for the rapid detection of abnormal activities and behaviors (including ICT network performance issues and