DORA Compliance Overlay

Accountability Assessment

Map your AI agent's governance structure to DORA requirements. Three conditions define exercised accountability: design-time authority, ongoing monitoring mandate, and evidentiary chain.

Design-Time Authority
Monitoring Mandate
Evidentiary Chain

Overall Readiness

Complete all required fields across the three conditions to establish documented accountability for this AI agent under DORA. Your progress updates in real time.

Important: Template Framework, Not Regulatory Assurance

This tool is a structured template designed to help practitioners document AI agent governance aligned with DORA obligations. It is not a guarantee of regulatory compliance, legal advice, or a substitute for engagement with your competent authority or legal counsel.

Completing this assessment does not confirm compliance with DORA, the EU AI Act, or any other regulation. Your organization remains responsible for verifying that your governance structure meets the full requirements of applicable frameworks and satisfies your regulator's examination standards.

Use this tool to structure your thinking and document your governance decisions. Validate your approach with your compliance team, legal advisors, and regulatory body before treating this assessment as evidence of compliance.

Design-Time Authority
Has the PM documented acceptable behavioural parameters as an architectural commitment before deployment?
Concise statement of what decisions this agent makes and under what conditions. Example: "Approves credit decisions up to $50k for retail customers with utilisation <60%"
Specific rules: what decisions can be made, what cannot, what requires human override.
Table columns: Field Name | Field Type | Value
What data can the agent access, from which systems, with what restrictions.
Table columns: Field Name | Field Type | Value
This is not a compliance sign-off. This is the PM formally approving these parameters as architectural intent.
Describe where and how your parameters are documented. Where would a regulator or auditor find the original design decisions? How is it versioned?
DORA Anchor
Article 5(2): Management body must "define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework."

Article 6(1): Entities must maintain a "sound, comprehensive and well-documented ICT risk management framework."

Article 6(8): Framework must include a "digital operational resilience strategy" explaining how ICT risk will be addressed.
Ongoing Monitoring Mandate
Is someone actively monitoring the agent's behaviour against documented parameters on a continuous basis?
What metrics track whether the agent is operating within its documented parameters? Define measurable indicators.
Table columns: Metric Name | Measurement Method
At what values should alerts trigger? Define thresholds for each metric.
Table columns: Metric / Condition | Alert Threshold
Who holds explicit responsibility for monitoring this agent? Not optional, not shared.
The owner confirms they understand their accountability.
How often is monitoring reviewed? Daily, weekly, monthly?
Describe how monitoring metrics are organized and how the monitoring owner retrieves them. How are they queryable? What's the system/tool and how is access managed?
DORA Anchor
Article 10(1): Entities must have "mechanisms to promptly detect anomalous activities...including ICT network performance issues and ICT-related incidents" and test them regularly.

Article 10(3): Entities must "devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents."

Article 17(2): Entities must establish procedures for "consistent and integrated monitoring, handling and follow-up of ICT-related incidents."
Evidentiary Chain
Can you produce a connected record linking parameters, monitoring data, and decisions for regulatory review?
How are parameters version-controlled and auditable? Can you retrieve the exact parameters that were in effect on a specific date?
How do you connect a specific agent decision to monitoring metrics at that point in time? How would you audit a single decision?
How are deviations or incidents investigated and documented? How is root cause identified and linked back to parameters?
How are incidents involving this agent documented? How is root cause documented and linked back to the agent, parameters, and monitoring?
When were all three conditions last reviewed together? (Auto-updates on save.)
Confirm that this evidentiary chain would withstand regulatory examination.
DORA Anchor
Article 17(2): Entities must "record all ICT-related incidents" and establish procedures to ensure "root causes are identified, documented and addressed."

Article 17(3)(b): Requirements to "identify, track, log, categorise and classify ICT-related incidents."

Article 19(4): Mandatory submission of reports "after collecting and analysing all relevant information" including initial notification, intermediate reports, and final reports.
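The Monitoring Mandate and Evidentiary Chain conditions above both come down to one record-keeping property: every agent decision must be traceable to the parameter version that was in effect and the monitoring snapshot taken at that time, and that record must not be silently editable. The following is an added illustration, not part of this template or of any product it describes. It assumes a simple append-only, hash-linked ledger in which parameter versions (with the PM's approval, the named monitoring owner and the alert thresholds), metric snapshots and decisions are stored as entries; the field names, the credit-approval limits (taken from the template's own example) and the sample timestamps are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # previous-hash value for the first ledger entry


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON, so identical content always hashes identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceLedger:
    """Append-only, hash-linked record of parameters, metric snapshots and decisions.

    Each entry commits to the previous entry's hash, so editing or deleting any
    historical record (a parameter change, a metric value) breaks verify().
    """
    entries: list = field(default_factory=list)

    def append(self, kind: str, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "payload": payload, "prev": prev}
        entry = dict(body, hash=canonical_hash(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False means the chain was altered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("seq", "kind", "payload", "prev")}
            if e["prev"] != prev or canonical_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def _latest(self, kind: str, at: str):
        # ISO-8601 UTC timestamps compare correctly as strings
        cands = [e for e in self.entries
                 if e["kind"] == kind and e["payload"]["timestamp"] <= at]
        return max(cands, key=lambda e: e["payload"]["timestamp"]) if cands else None

    def parameters_in_effect(self, at: str):
        """Point-in-time lookup: which approved parameter version applied at `at`?"""
        return self._latest("parameters", at)

    def record_decision(self, decision: dict) -> str:
        """Store a decision bound to the parameter version and metric snapshot in force."""
        params = self._latest("parameters", decision["timestamp"])
        metrics = self._latest("metrics", decision["timestamp"])
        if params is None or metrics is None:
            raise ValueError("no approved parameters or metric snapshot in effect")
        payload = dict(decision, parameters_hash=params["hash"], metrics_hash=metrics["hash"])
        return self.append("decision", payload)

    def audit_decision(self, decision_hash: str) -> dict:
        """Reconstruct the chain for one decision: parameters, metrics, owner, integrity."""
        by_hash = {e["hash"]: e for e in self.entries}
        d = by_hash[decision_hash]["payload"]
        p = by_hash[d["parameters_hash"]]["payload"]
        m = by_hash[d["metrics_hash"]]["payload"]
        within = (d["amount"] <= p["max_approval_amount"]
                  and d["utilisation"] < p["max_utilisation"])
        breached = [name for name, value in m["values"].items()
                    if value > p["alert_thresholds"].get(name, float("inf"))]
        return {"within_parameters": within, "thresholds_breached": breached,
                "parameters_version": p["version"], "monitoring_owner": p["monitoring_owner"],
                "chain_intact": self.verify()}


def build_sample_ledger() -> EvidenceLedger:
    """Constructed sample history: two parameter versions and two metric snapshots."""
    ledger = EvidenceLedger()
    ledger.append("parameters", {
        "timestamp": "2025-01-01T00:00:00Z", "version": "v1",
        "approved_by": "pm@example.invalid",            # PM sign-off as architectural intent
        "monitoring_owner": "risk-ops@example.invalid",  # explicit, single owner
        "max_approval_amount": 50_000, "max_utilisation": 0.60,
        "alert_thresholds": {"override_rate": 0.05, "p95_latency_ms": 2000},
    })
    ledger.append("metrics", {"timestamp": "2025-01-10T09:00:00Z",
                              "values": {"override_rate": 0.02, "p95_latency_ms": 800}})
    ledger.append("parameters", {
        "timestamp": "2025-02-01T00:00:00Z", "version": "v2",
        "approved_by": "pm@example.invalid",
        "monitoring_owner": "risk-ops@example.invalid",
        "max_approval_amount": 75_000, "max_utilisation": 0.60,
        "alert_thresholds": {"override_rate": 0.05, "p95_latency_ms": 2000},
    })
    ledger.append("metrics", {"timestamp": "2025-02-05T09:00:00Z",
                              "values": {"override_rate": 0.08, "p95_latency_ms": 900}})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    h = ledger.record_decision({"timestamp": "2025-02-05T10:00:00Z",
                                "amount": 70_000, "utilisation": 0.5})
    print(json.dumps(ledger.audit_decision(h), indent=2))
```

The second sample decision is the instructive case: it is within the v2 limits that applied on its date (it would have breached v1), yet the metric snapshot it ran under shows an override rate above the approved alert threshold, so an auditor sees both facts together rather than having to correlate separate systems by hand. Any retrospective edit to a parameter record flips `chain_intact` to false, which is what makes the record usable as evidence rather than as a mutable configuration file.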
Export Assessment
Generate governance artifacts from your assessment. Export as YAML for Jira configuration, Markdown for documentation, or JSON for system integration.