Appearance
Operationalizing in Modulos
DORA execution works best when organization governance (OFF-16) and AI-system execution (MFF-16) are coordinated as one delivery program.
Recommended project structure
Most teams use:
- one organization project for
OFF-16governance obligations - one or more AI-system projects for
MFF-16execution obligations
Where in Modulos
Project → Settings → Frameworks: addOFF-16andMFF-16to relevant projectsProject → Requirements: assign owners and track readiness per requirementProject → Controls: execute controls and preserve review decisionsProject → Evidence: store incident, testing, third-party, and governance artifacts
A sequence that works
- Determine scope and proportionality (
ORF-303) and define accountability (ORF-304). - Establish ICT risk framework and control governance (
ORF-305,ORF-306,MRF-275). - Implement ICT risk operations across prevention/detection/response (
ORF-307toORF-317;MRF-276toMRF-286). - Run resilience testing and TLPT workflows (
ORF-318;MRF-287,MRF-288). - Operationalize ICT third-party risk and register workflows (
ORF-319;MRF-289toMRF-291). - Maintain threat-sharing and secondary-legislation update cycles (
ORF-320,ORF-321;MRF-292,MRF-293).
Evidence package baseline
A defensible DORA package usually includes:
- applicability and proportionality decision records
- management body governance and training evidence
- ICT inventory, risk assessment, and control operation evidence
- major-incident staging and reporting evidence
- resilience testing and TLPT outcomes with remediation tracking
- ICT third-party due diligence, contract, and register evidence
- delegated/implementing act impact assessments and control updates
Related pages
DORA overview
Framework structure and OFF-16/MFF-16 split
Testing and third-party risk
Resilience testing and ICT third-party execution model
Information sharing and secondary legislation
Ongoing obligations that require update governance
Disclaimer
This page is for general informational purposes and does not constitute legal advice.