- Question ID
-
2024_7178
- Legal act
- Regulation (EU) No 2022/2554 (DORA Reg)
- Topic
- ICT third-party risk management
- Article
-
13
- Paragraph
-
1
- Subparagraph
-
(c)
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2024/1774 – RTS on ICT risk management framework and on simplified ICT risk management framework
- Article/Paragraph
-
13/1/c
- Type of submitter
-
Credit institution
- Subject matter
-
Elaboration on the meaning of a separated and dedicated network for ICT asset administration
- Question
-
In the "RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework", how should we read "a separate and dedicated network for ICT asset administration, along with strict prohibition of direct internet access [...]" (Article 13, paragraph 1, sub (c))?
A separate and dedicated network could be on-premises, but is a virtual LAN sufficient? Or is it enough to have it in the regular production LAN with other systems? And what if the CMDB is in a cloud environment? Is it then a de facto separated and dedicated network or not?
- Background on the question
-
ICT asset administration happens in a Configuration Management Database (CMDB). These can be hosted on-premises or in the cloud, but in either case it is important to know how to interpret (especially) the "separate and dedicated network", as it is open to multiple interpretations, from a virtual LAN to a completely physically separated network. In the case of a cloud-hosted solution there could be an issue, as it is not clear whether these types of solutions adhere to this requirement in the strictest interpretation. Depending on the interpretation, this could greatly affect the architecture of CMDB systems in institutions.
- Submission date
- Final publishing date
-
- Final answer
-
The DORA Regulation and the corresponding technical standards are principle-based (Delegated Regulation (EU) 2024/1774) and technology-agnostic, and thus they do not identify specific configurations, to ensure they can remain future-proof and that financial entities can decide on the specific arrangements based on their needs, their bespoke environment and their ICT risk assessment.
In this context, logical separation (e.g. using a virtual LAN (VLAN) or a cloud-based solution), physical separation or a combination of both may or may not serve as adequate controls to meet the requirement of "(c) the use of a separate and dedicated network for the administration of ICT assets" (RTS on ICT risk management, Article 13(c)). The decision on which controls to implement to ensure such separation would need to be taken in accordance with Article 13 point (a) and in compliance with Article 13 as a whole for network security management aspects.
For example, in the case of isolating an administrative network, where ensuring sufficient separation is key, it is also important to stress that a virtual LAN (VLAN) alone may not be sufficient to ensure effective isolation of the administrative network. In this case, the financial entity should assess whether the logical segregation alone is sufficient and, in the case of opting for a VLAN, at least consider complementing the VLAN with additional controls (e.g. a firewall with an appropriate filtering policy, appropriate routing, etc.). Furthermore, it is important to note that any decision on the use of the regular production LAN with other systems would also need to consider, at a minimum, the requirements under Article 8(2)(b) and Recital 10.
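The answer's point that a VLAN on its own is not isolation, and that a firewall with an appropriate filtering policy is the usual complement, can be made concrete with an nftables ruleset. What follows is an added illustration and is not part of the Q&A, of the ESAs' answer or of the RTS; the topology it assumes (a Linux router terminating an admin VLAN `vlan10` 10.10.0.0/24 that hosts the CMDB, a production VLAN `vlan20` 10.20.0.0/16, an internet uplink `wan0`, and SSH/HTTPS as the management protocols) is entirely hypothetical. The comments at the top describe the weak starting point; the ruleset is the complementing control.

```nft
#!/usr/sbin/nft -f
# Assumed topology (illustrative, not taken from the Q&A):
#   vlan10  10.10.0.0/24  dedicated ICT-administration network (CMDB and admin jump hosts live here)
#   vlan20  10.20.0.0/16  regular production LAN holding the managed ICT assets
#   wan0                  internet-facing uplink
# All three interfaces terminate on one Linux router with net.ipv4.ip_forward=1.
# Weak starting point: with no forward-chain policy that router routes freely between
# the VLANs and out to wan0. The 802.1Q tags separate broadcast domains, not traffic,
# so the "dedicated network" exists only on paper until a filtering policy is applied.

flush ruleset

table inet admin_segmentation {

    # Managed ICT assets the administration network is allowed to reach (assumed prefix).
    set managed_assets {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/16 }
    }

    chain forward {
        # Default deny between segments; every permitted flow is listed explicitly below.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the rules below have already admitted.
        ct state established,related accept
        ct state invalid drop

        # Admin VLAN -> managed assets, management protocols only (assumed: SSH and HTTPS).
        iifname "vlan10" ip saddr 10.10.0.0/24 oifname "vlan20" ip daddr @managed_assets tcp dport { 22, 443 } accept

        # Strict prohibition of direct internet access from the administration network.
        # Already covered by the drop policy; the explicit logged rule makes the prohibition
        # visible in the ruleset and in the logs for audit and monitoring purposes.
        iifname "vlan10" oifname "wan0" log prefix "admin-net-egress-blocked " drop

        # Production systems never initiate sessions into the admin network (CMDB included).
        iifname "vlan20" oifname "vlan10" log prefix "prod-to-admin-blocked " drop

        # Production VLAN keeps its normal internet egress; its own egress policy is out of scope here.
        iifname "vlan20" oifname "wan0" accept
    }
}
```

Check the file with `nft -c -f admin_segmentation.nft` before loading it with `nft -f`, and confirm the result with `nft list ruleset`. Two caveats a reviewer would raise: the ruleset only controls traffic that crosses the router, so the switch trunk configuration (which ports carry which VLAN tags) still has to be locked down or the VLAN can be bypassed at layer 2; and a filtered VLAN remains logical segregation, so the entity still has to document in its ICT risk assessment why this is adequate in its environment, as the answer above requires.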
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.