DORA-Art5-P1

Article: 5 (1)
Pillar: ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 5(1)
Last Reviewed: 2026-01-15

Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of all ICT risks, in order to achieve a high level of digital operational resilience.

Evidence Profiles

ICT Governance and Control Framework Document (COMMON)

Board-approved document defining the internal governance and control framework for ICT risk management, including roles, responsibilities, reporting lines, and oversight mechanisms.

Formats: PDF
Evidence Class: ict-governance-framework
Availability: COMMON
Update Frequency: annual
Typical Author: CIO
Approval Chain: CIO → CRO → Board of Directors

Content Sections

Expected Fields

Common Quality Issues

Fact Schemas

ict_governance_framework_status

Schema ID: fs-ict-governance-framework
Control: DORA-Art5-P1

Valid Ranges

approval_date: within last 18 months
next_review_date: future date within 12 months of approval
board_oversight_frequency: at least quarterly for significant institutions

Related Schemas

JSON Schema

{
  "properties": {
    "approval_date": {
      "format": "date",
      "type": "string"
    },
    "board_oversight_frequency": {
      "enum": [
        "monthly",
        "quarterly",
        "semi-annual",
        "annual"
      ],
      "type": "string"
    },
    "governance_model": {
      "minLength": 1,
      "type": "string"
    },
    "has_three_lines_of_defence": {
      "type": "boolean"
    },
    "ict_risk_committee_exists": {
      "type": "boolean"
    },
    "next_review_date": {
      "format": "date",
      "type": "string"
    },
    "reporting_lines_documented": {
      "type": "boolean"
    }
  },
  "required": [
    "governance_model",
    "approval_date",
    "next_review_date",
    "has_three_lines_of_defence",
    "board_oversight_frequency"
  ],
  "type": "object"
}