Applicability and governance
This page covers how Modulos models DORA scope, proportionality, management-body duties, and the base governance structure for the ICT risk-management framework.
OFF-16 governance foundation
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-361 | DORA scope and entity-category applicability | Art. 1-3 |
| ORF-362 | Proportionality and simplified ICT risk-management eligibility | Art. 4, 16 |
| ORF-363 | Management body ICT accountability and oversight | Art. 5(1)-(3) |
| ORF-364 | Management body ICT training | Art. 5(4) |
| ORF-365 | ICT risk-management framework and resilience strategy governance | Art. 6, 15 |
| ORF-366 | ICT control-function independence, audit, and review governance | Art. 6(4), 6(6), 6(7) |
MFF-16 execution anchor
| Requirement | Topic | Regulation reference |
|---|---|---|
| MRF-293 | ICT risk-management framework implementation | Art. 6, 15, 16 |
How applicability works in Modulos
Modulos currently handles DORA applicability in a lightweight way:
- there is no dedicated DORA questionnaire flow
- there is no separate static DORA Scope tag family
- the scope perimeter is established through ORF-361 and ORF-362
- later conditional duties carry explicit Applicability sections in the requirement text
The Article 16 outcome also affects how some otherwise broad governance duties are evidenced. For example, ORF-366 remains part of the governance foundation, but the supporting assurance model differs depending on whether the entity is following the full DORA ICT risk-management framework or the simplified framework.
That means users and reviewers still have to record the scoping decision, but the framework does not pretend there is an automated descoping engine where none exists.
Governance outputs to maintain
- DORA entity-category determination by legal entity and service perimeter
- proportionality and simplified-framework rationale where applicable
- management body accountability and training records
- formally approved ICT risk-management framework and resilience strategy
- control-function, audit, and review independence records aligned to either the full framework or the simplified-framework posture
What this page does not do
This page covers only the governance foundation. It does not try to collapse later DORA incident, testing, or ICT third-party duties back into one generic “governance” layer.
Related pages
DORA overview
Framework structure and OFF-16/MFF-16 model
ICT risk and resilience operations
Operational resilience, incident, and reporting duties
Disclaimer
This page is for general informational purposes and does not constitute legal advice.