Digital Operational Resilience Act Articles (Proposal)

The Articles (Proposal) of the Digital Operational Resilience Act


Digital Operational Resilience Act (DORA), Article 4, Governance and organisation.

1. Financial entities shall have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks.


2. The management body of the financial entity shall define, approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework referred to in Article 5(1).

For the purposes of the first subparagraph, the management body shall:

(a) bear the final responsibility for managing the financial entity’s ICT risks;

(b) set clear roles and responsibilities for all ICT-related functions;

(c) determine the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in point (b) of Article 5(9);

(d) approve, oversee and periodically review the implementation of the financial entity’s ICT Business Continuity Policy and ICT Disaster Recovery Plan referred to in, respectively, paragraphs 1 and 3 of Article 10;

(e) approve and periodically review the ICT audit plans, ICT audits and material modifications thereto;

(f) allocate and periodically review appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including training on ICT risks and skills for all relevant staff;

(g) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;

(h) be duly informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding the ICT third-party service providers, and on the potential impact of such changes on the critical or important functions subject to those arrangements, including receiving a summary of the risk analysis to assess the impact of these changes;

(i) be duly informed about ICT-related incidents and their impact and about response, recovery and corrective measures.


3. Financial entities other than microenterprises shall establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.


4. Members of the management body shall, on a regular basis, follow specific training to gain and keep up to date sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.