{
    "version": "1.0",
    "generated_at": "2026-06-13T05:49:11+00:00",
    "requirements": [
        {
            "id": "REQ-DORA-ART5",
            "framework": "DORA",
            "article": "Art. 5",
            "title": "Governance-Regelungen",
            "description": "Das Leitungsorgan muss den IKT-Risikomanagementrahmen festlegen, billigen und überwachen."
        },
        {
            "id": "REQ-DORA-ART6",
            "framework": "DORA",
            "article": "Art. 6",
            "title": "IKT-Risikomanagementrahmen",
            "description": "Finanzunternehmen müssen über einen soliden, umfassenden und gut dokumentierten IKT-Risikomanagementrahmen verfügen."
        },
        {
            "id": "REQ-DORA-ART8",
            "framework": "DORA",
            "article": "Art. 8",
            "title": "Identifikation und Klassifizierung",
            "description": "IKT-gestützte Funktionen, Informations- und IKT-Assets sowie Abhängigkeiten identifizieren und dokumentieren."
        },
        {
            "id": "REQ-DORA-ART9",
            "framework": "DORA",
            "article": "Art. 9",
            "title": "Schutz und Prävention",
            "description": "Maßnahmen zum Schutz von IKT-Systemen und zur Prävention von Cyberbedrohungen."
        },
        {
            "id": "REQ-DORA-ART10",
            "framework": "DORA",
            "article": "Art. 10",
            "title": "Erkennung anomaler Aktivitäten",
            "description": "Mechanismen zur prompten Erkennung anomaler Aktivitäten, einschließlich Netzdatenverkehr."
        },
        {
            "id": "REQ-DORA-ART11",
            "framework": "DORA",
            "article": "Art. 11",
            "title": "Reaktion und Wiederherstellung",
            "description": "Business-Continuity- und Disaster-Recovery-Pläne für IKT-Systeme."
        },
        {
            "id": "REQ-DORA-ART12",
            "framework": "DORA",
            "article": "Art. 12",
            "title": "Backup-Policies und Wiederherstellungsverfahren",
            "description": "Regelmäßige Backups und getestete Wiederherstellungsverfahren."
        },
        {
            "id": "REQ-DORA-ART19",
            "framework": "DORA",
            "article": "Art. 19",
            "title": "Meldung schwerwiegender IKT-Vorfälle",
            "description": "Meldepflicht an zuständige Behörde bei schwerwiegenden IKT-bezogenen Vorfällen."
        },
        {
            "id": "REQ-DORA-ART24",
            "framework": "DORA",
            "article": "Art. 24",
            "title": "Testprogramm",
            "description": "Robustes und umfassendes Testen der digitalen operationalen Resilienz."
        },
        {
            "id": "REQ-DORA-ART28",
            "framework": "DORA",
            "article": "Art. 28",
            "title": "IKT-Drittparteienrisiko",
            "description": "IKT-Drittparteienrisiken als integralen Bestandteil des IKT-Risikomanagements steuern."
        },
        {
            "id": "REQ-NIS2-ART20",
            "framework": "NIS2",
            "article": "Art. 20",
            "title": "Management-Verantwortung",
            "description": "Leitungsorgan muss Cybersicherheitsrisikomanagement-Maßnahmen billigen und beaufsichtigen."
        },
        {
            "id": "REQ-NIS2-ART21",
            "framework": "NIS2",
            "article": "Art. 21",
            "title": "Risikomanagement-Maßnahmen",
            "description": "Technische, operative und organisatorische Maßnahmen für Netz- und Informationssysteme."
        },
        {
            "id": "REQ-NIS2-ART23",
            "framework": "NIS2",
            "article": "Art. 23",
            "title": "Meldepflichten",
            "description": "Frühwarnung (24h), Incident-Notification (72h), Abschlussbericht (1 Monat)."
        },
        {
            "id": "REQ-ISO-A51",
            "framework": "ISO27001",
            "article": "A.5.1",
            "title": "Führung und Verpflichtung",
            "description": "Management-Leitlinien für Informationssicherheit."
        },
        {
            "id": "REQ-ISO-A537",
            "framework": "ISO27001",
            "article": "A.5.37",
            "title": "Dokumentierte Information",
            "description": "Betriebsregeln für Informationsverarbeitung dokumentieren."
        },
        {
            "id": "REQ-MARISK-AT43",
            "framework": "MaRisk",
            "article": "AT 4.3.1",
            "title": "Risikosteuerung",
            "description": "Angemessene Risikosteuerungs- und -controllingprozesse."
        }
    ],
    "controls": [
        {
            "id": "CTRL-GOV",
            "title": "IKT-Governance-Rahmenwerk",
            "linked_requirements": [
                "REQ-DORA-ART5",
                "REQ-NIS2-ART20",
                "REQ-ISO-A51"
            ],
            "owner": "Geschäftsleitung / CISO"
        },
        {
            "id": "CTRL-RISK",
            "title": "IKT-Risikomanagementprozess",
            "linked_requirements": [
                "REQ-DORA-ART6",
                "REQ-NIS2-ART21",
                "REQ-MARISK-AT43"
            ],
            "owner": "IKT-Risikomanager"
        },
        {
            "id": "CTRL-ASSET",
            "title": "Asset-Klassifizierung & Inventar",
            "linked_requirements": [
                "REQ-DORA-ART8"
            ],
            "owner": "IT-Asset-Management"
        },
        {
            "id": "CTRL-PROTECT",
            "title": "Schutzmaßnahmen & Prävention",
            "linked_requirements": [
                "REQ-DORA-ART9"
            ],
            "owner": "IT-Sicherheit"
        },
        {
            "id": "CTRL-DETECT",
            "title": "Anomalie-Erkennung (SIEM/SOC)",
            "linked_requirements": [
                "REQ-DORA-ART10"
            ],
            "owner": "SOC / IT-Sicherheit"
        },
        {
            "id": "CTRL-RESPOND",
            "title": "Incident Response & Recovery",
            "linked_requirements": [
                "REQ-DORA-ART11",
                "REQ-DORA-ART12"
            ],
            "owner": "Incident-Manager"
        },
        {
            "id": "CTRL-TEST",
            "title": "Resilienz-Testprogramm",
            "linked_requirements": [
                "REQ-DORA-ART24"
            ],
            "owner": "Test-Manager"
        },
        {
            "id": "CTRL-TPR",
            "title": "IKT-Drittparteiensteuerung",
            "linked_requirements": [
                "REQ-DORA-ART28"
            ],
            "owner": "Third-Party Risk Manager"
        },
        {
            "id": "CTRL-REPORT",
            "title": "Meldepflichten & Reporting",
            "linked_requirements": [
                "REQ-DORA-ART19",
                "REQ-NIS2-ART23"
            ],
            "owner": "Compliance"
        },
        {
            "id": "CTRL-DOC",
            "title": "Dokumentation & Nachweisführung",
            "linked_requirements": [
                "REQ-ISO-A537"
            ],
            "owner": "Qualitätsmanagement"
        }
    ],
    "linkages": [
        {
            "type": "control_to_measure",
            "control_id": "CTRL-GOV",
            "measure_ids": [
                "DORA-GOV-001",
                "DORA-GOV-002"
            ]
        },
        {
            "type": "control_to_measure",
            "control_id": "CTRL-RISK",
            "measure_ids": [
                "DORA-ICT-001",
                "DORA-ICT-015"
            ]
        },
        {
            "type": "control_to_measure",
            "control_id": "CTRL-DETECT",
            "measure_ids": [
                "OSS-003",
                "OFS-001"
            ]
        },
        {
            "type": "control_to_measure",
            "control_id": "CTRL-TEST",
            "measure_ids": [
                "DORA-TPR-001",
                "DORA-TPR-015"
            ]
        },
        {
            "type": "control_to_measure",
            "control_id": "CTRL-TPR",
            "measure_ids": [
                "DORA-ICT-019",
                "OSS-005"
            ]
        },
        {
            "type": "measure_to_evidence",
            "measure_id": "DORA-GOV-001",
            "evidence_ids": [
                "EVD-OSS-001",
                "EVD-OSS-007"
            ]
        },
        {
            "type": "measure_to_evidence",
            "measure_id": "OSS-003",
            "evidence_ids": [
                "EVD-OSS-004",
                "EVD-OSS-005"
            ]
        },
        {
            "type": "finding_to_decision",
            "finding_reference": "Critical OSS Vulnerability",
            "decision_type": "risk_acceptance",
            "human_gate": "HG-RISK-001"
        }
    ]
}