DORA compliance
DORA deliverables map: governance → operations → evidence
A systemic view of DORA deliverables in three levels: steering & governance, operational execution, and evidence — with article references.

Many entities accumulate policies without articulating who decides, who executes, who proves. This map organises DORA deliverables in three levels: Steering & Governance → Operational → Evidence.
Level 1 — Steering & governance
DORA strategy · ICT Risk Committee · Resilience Committee · Major Incident Committee · Critical Third-Party Committee · RACI (Board / CISO / compliance / IT) · risk-acceptance arbitration mechanisms.
Without this level, the rest produces documents — not demonstrable governance.
Level 2 — Operational
Foundational inventories
Critical business functions · third-party-dependent processes · critical ICT assets · inventory owners and update rules. See register guide.
Resilience chain
Protection → Detection → ICT incident management (incl. major-incident criteria) → Response & recovery → Learning (awareness, RCA). See incident cheat sheet.
Strategic pillar: ICT third-party risk
Third-party risk strategy · critical/important ICT services policy · register of information · exit plans. See TPRM and exit plan.
Level 3 — Evidence
Regulatory: ICT incident register, RoI, logging, major-incident notifications, risk-framework review, ICT audit plan.
Steering: committee minutes, policy reviews after tests/incidents, risk-acceptance decisions, ICT BCP test documentation.
How to read the map
Governance first → inventories next → operational chain → continuous evidence (not rebuilt the day before an inspection).
Axenia’s role. Axenia links requirements, controls, evidence, third parties and incidents on one foundation — so the deliverables map is a living framework, not a slide deck.
