Awareness training
Structured education programs designed to ensure that all employees understand cybersecurity threats, regulatory requirements like DORA, and their responsibilities in maintaining operational resilience.
Cloud services
Services delivered through shared, scalable computing resources over networks, enabling organizations to deploy, manage, and scale digital operations with flexibility and minimal manual effort.
Community cloud
A cloud environment built for a defined group of institutions sharing security, compliance, or operational needs, often seen among financial entities collaborating under similar oversight.
Compliance
Adherence to applicable laws, regulations, industry frameworks, and internal policies that govern technology, data protection, and operational behavior.
Control team
A multidisciplinary group responsible for coordinating testing or incident management processes, often including internal staff and select external service providers.
Critical dependency mapping
The process of identifying and documenting all third-party services, systems, and processes essential for core business functions, to manage potential points of failure under DORA.
Defence-in-depth
A layered security approach that combines technology, processes, and human oversight to reduce risk and create multiple barriers against cyber threats.
Digital operational resilience
The capability of an organization to ensure continuous business operations and service delivery even when facing ICT disruptions or security incidents.
Digital resilience testing
Simulated exercises that evaluate how effectively an organization can withstand and recover from digital or operational disruptions.
Disaster recovery plan (DRP)
A documented strategy outlining how essential IT systems and services will be restored following incidents such as data loss, cyberattacks, or infrastructure failure.
DORA (Digital Operational Resilience Act)
Regulation (EU) 2022/2554, an EU regulation that establishes uniform requirements for the security of the network and information systems supporting financial entities and their ICT third-party providers, so that the sector stays resilient against ICT-related risks. It has applied since 17 January 2025.
Governance framework
The structure through which organizations define roles, responsibilities, and authority for managing digital risk and maintaining compliance with DORA.
Hybrid cloud
A computing model that combines private and public cloud infrastructures, allowing for flexible resource allocation while maintaining control over sensitive operations.
ICT (Information and Communication Technology)
ICT refers to the collection of technologies used to create, process, store, and transmit information electronically. It includes both computer systems and communication technologies such as telecommunications networks, the internet, mobile devices, and data transmission tools.
ICT asset
Any digital resource—hardware, software, or data—used to support a financial entity’s technological operations.
ICT concentration risk
The exposure resulting from heavy reliance on a limited number of ICT providers, which may amplify systemic risks in the event of a service outage or failure.
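The two entries above, critical dependency mapping and ICT concentration risk, describe checks that can be run mechanically over an entity's register of third-party arrangements. The following is an added example, not text or code from the page or from DORA itself: it inverts a constructed (function, service, provider) register to find providers whose outage would take down several critical functions, and scores concentration with each provider's share of dependencies and a Herfindahl-Hirschman index. The provider names, the register contents, the 40% threshold and the use of HHI are illustrative assumptions; DORA prescribes no particular index.

```python
"""Added example: single-point-of-failure and concentration checks over a
constructed register of ICT third-party arrangements. Not DORA text or any
vendor's code; the names, data and thresholds below are hypothetical."""
from collections import defaultdict

# Constructed sample register: (critical function, ICT service, provider).
# Each service is assumed to be delivered by exactly one provider.
REGISTER = [
    ("payments", "core-banking-hosting", "CloudCo"),
    ("payments", "hsm-key-management", "CryptoVault"),
    ("payments", "swift-gateway", "MsgNet"),
    ("trading", "market-data-feed", "MsgNet"),
    ("trading", "order-management-hosting", "CloudCo"),
    ("customer-onboarding", "identity-verification", "IDCheck"),
    ("customer-onboarding", "document-storage", "CloudCo"),
    ("regulatory-reporting", "reporting-platform", "CloudCo"),
]


def functions_by_provider(register):
    """Invert the register: provider -> set of critical functions that need it."""
    deps = defaultdict(set)
    for function, _service, provider in register:
        deps[provider].add(function)
    return dict(deps)


def single_points_of_failure(register, min_functions=2):
    """Providers whose outage would disrupt at least min_functions functions."""
    deps = functions_by_provider(register)
    return sorted(p for p, fs in deps.items() if len(fs) >= min_functions)


def concentration_shares(register):
    """Fraction of all service dependencies carried by each provider."""
    counts = defaultdict(int)
    for _function, _service, provider in register:
        counts[provider] += 1
    total = len(register)
    return {p: c / total for p, c in counts.items()}


def hhi(register):
    """Herfindahl-Hirschman index of provider shares (1.0 = one provider)."""
    return sum(s * s for s in concentration_shares(register).values())


def concentration_flags(register, threshold=0.4):
    """Providers whose share of dependencies reaches the (hypothetical) threshold."""
    shares = concentration_shares(register)
    return sorted(p for p, s in shares.items() if s >= threshold)


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(REGISTER))
    print("shares:", concentration_shares(REGISTER))
    print("HHI:", round(hhi(REGISTER), 4))
    print("concentration flags:", concentration_flags(REGISTER))
```

In the sample, CloudCo underpins all four functions and carries half of all dependencies, so it is both a single point of failure and a concentration flag; MsgNet is a single point of failure for two functions but stays under the share threshold. A real register would also record substitutability and exit options per arrangement, which this toy does not model.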
ICT risk
Any potential event or circumstance that could compromise digital systems, data integrity, service continuity, or confidentiality.
ICT third-party service provider
An external company delivering ICT-based solutions or services, including cloud, software, or analytics providers, on which financial entities depend for critical operations.
Information asset
Data or digital content with organizational value that must be classified, protected, and managed according to security policies.
Information security policy
A high-level document that establishes an organization’s rules, responsibilities, and objectives for safeguarding its digital information.
Joint operational testing
Collaborative resilience testing conducted between financial entities and third-party service providers to assess response readiness for potential ICT disruptions.
Legacy ICT system
Older technology still in use despite limited or ended vendor support, so security patches may no longer be available and the system must be compensated for with other controls, creating increased maintenance and security challenges.
Logging and monitoring
Continuous collection and analysis of system events, network activity, and user actions to detect anomalies and support forensic investigations.
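The entry above describes the detection side of logging and monitoring in the abstract. The following is an added example, not code from the page or from any product: it parses constructed, syslog-like SSH authentication lines and raises an alert when a single source address accumulates five failed logins within a 120-second sliding window, also recording whether a successful login from that source followed inside the window (the pattern a brute-force investigation would want to see first). The log format, the regular expression, the addresses (from documentation ranges) and the thresholds are illustrative assumptions.

```python
"""Added example: a small brute-force detector run over constructed log
lines. Not code from the page or from any SIEM; the line format, the
5-failures-in-120-seconds rule and all sample data are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); addresses are from RFC 5737 ranges.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:09Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:15Z auth sshd: Failed password for bob from 203.0.113.7
2024-03-01T08:00:22Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T08:00:31Z auth sshd: Failed password for carol from 203.0.113.7
2024-03-01T08:00:40Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-01T08:10:00Z auth sshd: Failed password for dave from 198.51.100.2
2024-03-01T09:30:00Z auth sshd: Failed password for dave from 198.51.100.2
2024-03-01T09:31:00Z auth sshd: Accepted publickey for dave from 198.51.100.2
"""

# Hypothetical line layout: ISO-8601 timestamp, facility, program, then the
# outcome, method, user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) \w+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Return (timestamp, outcome, user, src) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and review these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=120)):
    """Alert per source with >= threshold failures inside a sliding window.

    The alert records the first and last failure and, if a login from the same
    source succeeded within one window of the last failure, which user it was.
    """
    failures = defaultdict(list)  # src -> failure timestamps inside the window
    alerts = {}
    for ts, outcome, user, src in sorted(events):
        if outcome == "Failed":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # expire old failures
                recent.pop(0)
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"first": recent[0], "last": ts, "success_after": None}
        elif outcome == "Accepted" and src in alerts:
            alert = alerts[src]
            if alert["success_after"] is None and ts - alert["last"] <= window:
                alert["success_after"] = (user, ts)
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, alert["first"].time(), alert["last"].time(), alert["success_after"])
```

On the sample, 203.0.113.7 trips the rule at its fifth failure and the subsequent success for alice is attached to the alert; 198.51.100.2 has two failures eighty minutes apart, so the window expires the first one and no alert fires. The same structure (parse, normalise, window, correlate) is what a detection rule in any SIEM does, and the timestamps and source addresses kept in the alert are what the forensic follow-up needs.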
Malware
Malicious software designed to infiltrate, damage, or manipulate systems and data, often as part of targeted cyberattacks.
Management body
The group of authorized individuals responsible for decision-making and oversight of the organization’s strategy, including digital risk management and DORA compliance.
Maturity assessment
An evaluation of how effectively an organization has implemented its resilience, cybersecurity, and governance controls relative to best practices or regulatory expectations.
Network and information system
The interconnected computing and communication infrastructure that processes, stores, or transmits data essential for business operations.
Operational continuity
The organization’s ability to sustain essential functions and services without interruption during or after disruptive events.
Outsourcing
A contractual arrangement in which an external provider delivers services or performs activities that would otherwise be managed internally.
Private cloud
A cloud environment dedicated to a single organization, whether hosted on its own premises or by a provider, giving it more direct control over data location, configuration, and compliance than a shared environment; that control still has to be exercised, as a private cloud is not secure by default.
Public cloud
A cloud environment accessible to multiple users or organizations, offered and managed by external providers.
Quantitative risk assessment
A method of evaluating cyber and operational risk through numerical modeling, assigning measurable probabilities and financial impacts to potential events.
Risk management
A continuous process of identifying, assessing, mitigating, and reviewing potential cybersecurity and operational threats.
Scenario-based testing
A resilience exercise where realistic, data-driven disruption scenarios are simulated to test detection and response capabilities.
Security of network and information systems
A state in which digital systems are protected against compromise, ensuring confidentiality, integrity, and availability of information.
Sensitive information
Any data whose exposure could cause harm to an organization, its clients, or its partners—such as financial details, trade secrets, or customer identifiers.
Service provider
An external organization performing outsourced activities or delivering solutions that contribute to a financial entity’s operations.
Third-country service provider
An ICT or cloud provider operating outside the EU without a physical presence within the Union, which may create jurisdictional and oversight challenges.
Threat intelligence
Enriched contextual information that helps organizations anticipate, understand, and mitigate cyberattacks and ICT-related incidents.
Threat-led penetration testing (TLPT)
Intelligence-driven red-team testing that imitates the tactics, techniques, and procedures of real-world threat actors against live production systems, to uncover vulnerabilities and validate detection and response. Under DORA, financial entities identified by their authorities must carry out TLPT at least every three years, following a framework aligned with TIBER-EU.
Threat monitoring
Ongoing tracking of cyber threats to detect emerging risks, trends, and vulnerabilities that may impact operational resilience.
Vulnerability
A weakness or flaw in systems, processes, or infrastructure that may be targeted by threat actors to gain unauthorized access or disrupt operations.
Vulnerability management
A continuous process of identifying, prioritizing, and remediating weaknesses in systems or applications before they are exploited.