ANSWER 1: Recital 43 does not conflict with Article 28, paragraph 5 of the RTS. The text of Recital 43 in DORA suggests that microenterprises and FEs referred to in Article 16(1) of DORA are not obligated to conduct internal audits of their ICT RMF on a regular basis. This means there is no mandate for these entities to perform the said internal audit with a specific periodicity. However, it does not exclude the necessity of conducting internal audits as deemed necessary by the FE’s audit plan. The responsibility for determining the appropriate frequency and triggers for audits lies with the FE.

ANSWER 2: There is no contradiction between Article 11.6 of DORA and Article 39, paragraph 1 of the RTS. Article 11.6 of DORA explicitly excludes microenterprises from the requirement to include cyber-attack scenarios in their ICT business continuity and recovery plan testing. This exclusion applies solely to microenterprises and not to financial entities referred to in Article 16(1) of DORA. DORA clearly distinguishes between microenterprises and financial entities referred to in Article 16(1) of DORA, ensuring that the latter are still required to include cyber-attack scenarios in their testing plans as per Article 39, paragraph 1 of the RTS.

ANSWER 3: There is no contradiction between Recital 43 of DORA and Article 34, paragraph 1, point (e) of the RTS. Recital 43 specifies that microenterprises and financial entities referred to in Article 16(1) of DORA are not required to regularly conduct risk analyses on legacy ICT systems. This means there is no mandate for these entities to perform risk analyses with a specific periodicity. However, it does not imply that the risks associated with legacy systems should not be managed at all. Article 34 does not specify a required frequency for these risk analyses.