
Governance and organisation

Setting up an adequate governance structure and a mature ICT risk management organisation plays an important role in DORA and recurs throughout the Regulation. For many of the processes the Regulation prescribes, for example, companies are required to define clear roles and responsibilities.

DORA places great emphasis on establishing the Three Lines of Defence model (3LOD). Companies are expected to appoint both an independent control function (the second line) and an internal audit function (the third line), and to position these sufficiently independently of the business within the organisation.

There is also a requirement that some of the prescribed processes are continuously evaluated and that this evaluation is embedded in the organisation's own processes rather than performed ad hoc. DORA also requires members of the management board to keep their knowledge of ICT risk up to date through training and education.

Governance and control framework

As a basis, DORA requires companies to have a governance and control framework that enables them to establish a control cycle and conduct continuous evaluations. Another important aspect is the allocation of the necessary ICT management roles, such as an independent role responsible for managing ICT risk and an internal audit function that periodically assesses the framework.