# Regulatory Technical Standards - DORA | ManageEngine Endpoint Central

## RTS on ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework

**Regulatory Technical Standards on ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework**

The European Supervisory Authorities (ESAs)—including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—are collaborating to develop the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to provide detailed guidance for implementing DORA's requirements. Released in two batches, the first RTS, now finalized and approved by the European Commission, focuses on ICT risk management tools, methods, processes, and policies, as well as the simplified ICT risk management framework.

Endpoint Central supports the standards outlined in this RTS, providing organizations with seamless alignment to these requirements.

| Article | Summary of the Article | How Endpoint Central helps |
|---|---|---|
| 2 | **General Elements of ICT Security Policies, Procedures, Protocols, and Tools**<br>**Integration with ICT Risk Management Framework**<br><br>Financial entities must ensure their ICT security policies, procedures, and tools are embedded within their ICT risk management framework, as required under DORA (Regulation (EU) 2022/2554). These measures should:<br><ul><li>Ensure network security</li><li>Safeguard against intrusions and data misuse.</li><li>Maintain data availability, authenticity, integrity, and confidentiality, including encryption.</li><li>Enable accurate and timely data transmission without disruptions.</li><li>Alignment with the Digital Operational Resilience Strategy</li></ul><br>**ICT security policies must:**<br><ul><li>Align with the financial entity’s information security objectives, as outlined in its digital operational resilience strategy under DORA.</li><li>Specify the date of formal approval by the management body.</li></ul><br>**Include mechanisms to:**<br><ul><li>Monitor implementation.</li><li>Record and manage exceptions while ensuring operational resilience.</li><li>Responsibilities and Compliance</li></ul><br>**ICT security policies should:**<br><ul><li>Clearly define responsibilities at all staff levels.</li><li>Specify consequences for non-compliance (if not covered by other internal policies).</li><li>Detail required documentation and its maintenance.</li><li>Define segregation of duties using models like the three lines of defense to prevent conflicts of interest.</li><li>Best Practices, Standards, and Roles</li></ul><br>**Policies must:**<br><ul><li>Consider leading practices and standards, as defined in relevant EU regulations.</li><li>Identify clear roles and responsibilities for developing, implementing, and maintaining ICT security measures.</li><li>Adaptability and Periodic Review</li><li>Policies must be reviewed periodically as per DORA requirements.</li></ul><br>**They should account for material changes, such as:**<br><ul><li>Shifts in activities or processes.</li><li>Changes in the cyber threat landscape.</li><li>Updates to legal obligations.</li></ul> | Endpoint Central can leverage its endpoint security features such as Endpoint DLP, Browser security, Risk based Vulnerability and Patch management, Next-Gen Antivirus engine, Anti-Ransomware and mobile security capabilities.<br><br>In case of a malware attack, Endpoint Central can alert the SOC team and IT admins and enable them to quarantine the system safely.<br><br>Endpoint Central offers advanced [data leakage prevention capabilities](https://www.manageengine.com/endpoint-dlp/), enabling the detection and classification of personally identifiable information (PII).<br><br>It provides complete control over data flow within your IT environment by allowing administrators to configure policies for data transfers through cloud services and peripheral devices.<br><br>It also can containerize corporate and personal data and perform remote wipes if the device gets stolen. |
| 3 | **ICT Risk Management**<br><br>**Risk Tolerance Approval**<br><ul><li>Include approval of the ICT risk tolerance level as defined under DORA.</li></ul><br>**Risk Assessment Procedure**<br><ul><li>Establish methods to assess ICT risks by identifying:</li><li>Vulnerabilities and threats affecting business functions, ICT systems, and assets.</li><li>Indicators to measure the likelihood and impact of these vulnerabilities and threats.</li></ul><br>**Risk Treatment Measures**<br><ul><li>Define processes to identify, implement, and document measures to address ICT risks, ensuring they remain within approved tolerance levels.</li></ul><br>**Management of Residual Risks**<br>For remaining risks after treatment:<br><ul><li>Identify and document these residual risks.</li><li>Assign roles for accepting residual risks that exceed tolerance levels and for reviewing them annually.</li><li>Maintain an inventory with justifications for accepted residual risks.</li><li>Annually review accepted residual risks to assess changes, mitigation options, and whether the reasons for acceptance are still valid.</li></ul><br>**Continuous Monitoring**<br>Monitor:<br><ul><li>Changes in the ICT risk and cyber threat landscape.</li><li>Internal and external vulnerabilities.</li><li>ICT risks to promptly detect changes affecting the entity’s risk profile.</li><li>Adaptability to Strategic Changes</li><li>Ensure processes account for changes in the financial entity's business strategy or digital operational resilience strategy.</li></ul><br>**Effectiveness of Risk Treatment**<br><ul><li>Monitor the effectiveness of ICT risk treatment measures.</li><li>Assess whether the entity's risk tolerance levels have been met.</li><li>Identify and implement corrective actions where necessary.</li></ul> | Endpoint Central delivers robust vulnerability management by offering continuous assessment and comprehensive visibility of threats through a centralized console. Beyond vulnerability assessment, it also includes built-in tools for remediating detected vulnerabilities.<br><br>For information systems, Endpoint Central enables [risk-based vulnerability management](https://www.manageengine.com/vulnerability-management/risk-based-vulnerability-management.html), allowing administrators to prioritize vulnerabilities using metrics such as CVSS scores, CVE impact types, patch availability, and more.<br><br>It also serves as a unified platform for IT operations and security teams to manage efficiently and secure endpoints. With [role-based access control](https://www.manageengine.com/products/desktop-central/role-based-administration.html), security tasks within the IT environment can be delegated to dedicated security specialists, ensuring streamlined and focused management. |

*The remaining articles (4 through 39) continue in the same structured format, detailing each DORA RTS requirement and how Endpoint Central supports compliance across ICT asset management, encryption and cryptographic controls, vulnerability and patch management, access control, network security, incident management, ICT operations security, business continuity planning, and ICT project and change management, with corresponding feature mappings and relevant product links from ManageEngine Endpoint Central.*