Requirement
DORA.GV-1.1: The management body shall define, approve, oversee and bear ultimate responsibility for all arrangements related to the ICT risk management framework (Art. 5(1) DORA). This includes approving the digital operational resilience strategy, ICT business continuity policy, and ICT response and recovery plans.
Guidance
Evidence may include: board minutes approving ICT risk management policies, documented board-level accountability structures, governance frameworks, and delegation of authority documents for ICT risk functions. The management body shall receive regular reporting on ICT risk.
Documentation maturity (1-5):
Implementation maturity (1-5):
Requirement
DORA.GV-2.1: The financial entity shall define and assign roles and responsibilities for ICT risk management across the organisation, ensuring adequate segregation of duties between ICT risk oversight and ICT operations (Art. 5(4) DORA).
Guidance
Consider: documented RACI matrix for ICT risk functions; defined CISO or equivalent role at appropriate seniority level; separation between ICT risk management and internal audit; and accountability lines from ICT risk owners to the management body.
Documentation maturity (1-5):
Implementation maturity (1-5):
Requirement
DORA.GV-3.1: The management body shall ensure adequate and sufficient allocation of budget, human, and technical resources for digital operational resilience needs, including ICT security and testing (Art. 5(3) DORA).
Guidance
Evidence may include: annual budget allocation documents for ICT security and resilience, resource planning documentation, evidence that resilience investments are approved at board level, and staffing plans for ICT risk functions.
Documentation maturity (1-5):
Implementation maturity (1-5):
Requirement
DORA.GV-4.1: Members of the management body shall keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the financial entity, including through regular training (Art. 5(4) DORA).
Guidance
Consider: annual cyber/ICT risk briefings for board members, documented skills assessment against ICT risk knowledge requirements, training completion records, and external expert briefings on emerging ICT threats.
Documentation maturity (1-5):
Implementation maturity (1-5):
Maturity Scale
Target: ≥ 3/5 for both categories (Documentation and Implementation). Each requirement above is scored separately on the two scales below.

Level 1
Documentation: No process documentation exists, or it has not been formally approved by management.
Implementation: No standard process exists. Actions are ad hoc and undocumented.

Level 2
Documentation: Formally approved process documentation exists but has not been reviewed in the previous 2 years.
Implementation: An ad-hoc process exists and is performed informally. Results are inconsistent.

Level 3
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and cover less than 5% of activities.
Implementation: A formal process exists and is implemented. Evidence is available for most activities. Fewer than 10% of activities are process exceptions.

Level 4
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and cover less than 3% of activities.
Implementation: The formal process is fully implemented. Evidence is available for all activities. Detailed metrics are captured and reported. Fewer than 5% of activities are process exceptions.

Level 5
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and cover less than 0.5% of activities.
Implementation: The formal process is fully implemented and continually improving. Exceptions are minimal (<1%). Process improvements are tracked and evidenced.