DORA ICT Risk Control function

What is the DORA ICT Risk Control function?

The ICT risk control function is a new, independent control body which, in accordance with Article 6 (4) DORA, is responsible for monitoring the effectiveness of ICT risk management in a financial undertaking.

Core tasks according to Article 6 (4) DORA:

  • Independent monitoring of ICT risk management processes
  • Review of ICT strategies, policies, procedures and controls
  • Supporting management through critical analyses and reports
  • Ensuring that ICT risks are adequately considered in the undertaking's overall risk management

Differentiation: DORA ICT risk control function vs. XAIT Information Security Officer (ISO)

| Criterion | ICT Risk Control Function (DORA) | Information Security Officer (ISO, according to BAIT/VAIT/ZAIT) |
|---|---|---|
| Regulatory framework | Article 6 (4) DORA | XAIT (BAIT, VAIT, KAIT, ZAIT) |
| Focus | Overall ICT risk management | Information security |
| Role in the 3-Lines-of-Defense model | 2nd LoD | 2nd LoD |
| Organizational independence | Necessary | Necessary |
| Outsourcing allowed? | Yes, explicitly possible (Art. 6 (10) DORA) | Yes, under certain conditions (according to XAIT) |

In conclusion, the ICT risk control function is not identical to the Information Security Officer (ISO), but there are thematic overlaps, particularly in the assessment of ICT threats, the monitoring of security incidents, and the review of protective measures. Organizations can leverage synergies here, for example through coordinated reports or joint risk analyses.

What does this mean in practice?

  • Companies must clearly define who will assume the ICT risk control function, either internally or through suitable external service providers.
  • In small institutions, a dual role with the ISO may be justifiable, provided that conflicts of interest are excluded.
  • Role profiles, reporting lines and control plans should be formally defined and documented.
  • The ICT risk control function must have sufficient expertise, methodological competence, and direct access to senior management.