Role Definition
| Field | Value |
|---|---|
| Job Title | DORA ICT Risk Officer (ICT Risk Manager / Digital Operational Resilience Officer) |
| Seniority Level | Mid-Level (3-7 years experience) |
| Primary Function | Manages the ICT risk management framework mandated by the EU Digital Operational Resilience Act (DORA) within a financial entity. Identifies, classifies, and monitors ICT risks; oversees third-party ICT provider risk; coordinates ICT incident reporting to competent authorities; maintains the Register of Information; supports TLPT programmes; and reports ICT risk posture to the management body. Operates as the second-line control function required under DORA Article 6(4). |
| What This Role Is NOT | NOT a CISO (sets enterprise security strategy at executive/board level — scored 83.0). NOT a Cybersecurity Risk Manager (manages broader cyber risk beyond DORA scope — scored 52.9). NOT an IT Auditor (third-line independent assessment of controls). NOT a Compliance Officer (owns regulatory compliance broadly). NOT an AI Risk Manager (AI-specific risk — scored 62.8). This role owns the DORA-mandated ICT risk control function — narrower than general cyber risk, deeper than compliance, operationally focused on digital operational resilience in financial services. |
| Typical Experience | 3-7 years in ICT risk, information security, or financial services technology risk. Certifications: CRISC, CISM, ISO 27001 Lead Implementer, DORA-specific training (PECB DORA Foundation/Lead Manager). Reports to CISO, CRO, or Head of Operational Risk. |
Seniority note: A junior DORA compliance administrator focused on register maintenance and template population would score Yellow. A senior Head of Digital Operational Resilience with management body advisory and multi-entity oversight would score higher Green.
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based. GRC platforms, risk registers, regulatory portals, stakeholder meetings. |
| Deep Interpersonal Connection | 1 | Reports ICT risk posture to management body, coordinates with ICT third-party providers, liaises with national competent authorities during incident reporting. Requires influence but not deep trust-based relationships. |
| Goal-Setting & Moral Judgment | 2 | Determines ICT risk tolerance levels, classifies ICT incidents by severity (major vs non-major under Article 19), makes judgment calls on third-party concentration risk, interprets DORA RTS/ITS for novel scenarios. Risk appetite decisions involve genuine judgment. |
| Protective Total | 3/9 | |
| AI Growth Correlation | 1 | DORA creates a fixed regulatory demand floor — every financial entity needs this function. AI adoption in financial services creates new ICT risks (AI model dependencies, AI-powered third-party services) that expand scope. But the role exists because of regulation, not AI growth. Weak positive. |
Quick screen result: Protective 3 + Correlation 1 = Likely Yellow or low Green (proceed to quantify).
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| ICT risk management framework governance | 20% | 2 | 0.40 | AUG | AI drafts framework policies, maps DORA articles to controls, benchmarks against RTS/ITS. Human designs framework architecture, selects risk methodologies, adapts to entity-specific ICT landscape, presents to management body for approval. DORA Article 6(1) requires framework to be "sound, comprehensive and well-documented" — human owns design and sign-off. |
| ICT third-party risk oversight | 20% | 3 | 0.60 | AUG | AI pre-screens vendor documentation, automates contract clause extraction, monitors provider performance metrics, flags concentration risk thresholds. Human evaluates critical provider dependencies, assesses substitutability, negotiates exit strategies, makes concentration risk decisions. DORA Articles 28-30 mandate detailed oversight — significant AI acceleration but human leads assessment. |
| ICT incident reporting & classification | 15% | 3 | 0.45 | AUG | AI triages ICT incident alerts, matches against known patterns, pre-populates incident notification templates for competent authorities. Human classifies major ICT-related incidents (Article 19), determines root cause in novel scenarios, makes regulatory notification decisions, manages cross-border reporting obligations. |
| Digital operational resilience testing oversight | 10% | 2 | 0.20 | AUG | AI schedules testing cycles, tracks remediation actions, analyses test results against benchmarks. Human designs the testing programme, interprets TLPT results, determines remediation priorities, ensures testing covers critical functions. Articles 24-27 require human-led testing strategy. |
| Regulatory interpretation & gap analysis | 15% | 2 | 0.30 | AUG | AI maps DORA articles and RTS/ITS to existing controls, identifies gaps, tracks regulatory updates from ESAs. Human interprets novel regulatory guidance (delegated acts still being published through 2026), resolves ambiguities, determines proportionate implementation for the entity's size and risk profile. |
| Stakeholder communication & management body reporting | 10% | 1 | 0.10 | NOT | Presenting ICT risk posture to management body, advising on ICT risk appetite, communicating with competent authorities. Article 5(2) requires management body to "define, approve, oversee and be responsible" for ICT risk management — the officer IS the communication channel. |
| Register of Information maintenance & evidence management | 10% | 4 | 0.40 | DISP | Maintaining contractual register of ICT third-party arrangements (Article 28(3)), compiling evidence for supervisory review, updating risk registers, generating compliance dashboards. Structured, template-based, deterministic. GRC platforms (ServiceNow, Archer, MetricStream) automate end-to-end with human exception review. |
| Total | 100% | | 2.45 | | |
Task Resistance Score: 6.00 - 2.45 = 3.55/5.0
Displacement/Augmentation split: 10% displacement, 80% augmentation, 10% not involved.
Reinstatement check (Acemoglu): Moderate. DORA's phased RTS/ITS rollout creates ongoing interpretation requirements through 2027+. AI-powered third-party services (LLM APIs, AI-as-a-Service) introduce novel ICT concentration risks requiring new assessment methodologies. TLPT scope expansion to cover AI-dependent critical functions creates new testing requirements. Net new work, but bounded by the regulation's finite scope.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 1 | ECB actively recruiting ICT Risk Experts for DORA third-party oversight. Savvi Recruitment: DORA "opening up cybersecurity careers in finance." Title fragments across ICT Risk Manager, Operational Resilience Manager, DORA Compliance Officer. EU-centric demand limits total posting volume vs global cyber roles, but direction is clearly positive. |
| Company Actions | 2 | Deloitte Wave 3: 96% of financial entities estimated DORA compliance costs (EUR 2-5M each). 39% dedicate 5-7 FTEs to compliance. Only 50% expected full compliance by end-2025, 38% targeting 2026 — hiring still ramping. ESAs building oversight teams for critical third-party providers. EIOPA establishing EU-wide oversight framework. Strong institutional investment. |
| Wage Trends | 1 | Selby Jennings Europe 2026: Associate/AVP risk management EUR 65K-100K. Mid-level DORA specialists EUR 75K-120K. Glassdoor IT Risk Manager US: $117K. Premium over general risk roles but not dramatic growth above inflation. DORA-specific premium emerging but not yet quantified separately. |
| AI Tool Maturity | 0 | GRC platforms (ServiceNow, Archer, MetricStream) now offer DORA-specific modules for register maintenance, control monitoring, and evidence collection — displacing 10% of task time. AI-powered third-party risk tools (Panorays, Bitsight, TrustCloud) automate vendor screening. But framework design, incident classification, and regulatory interpretation remain human-led. Anthropic observed exposure: Compliance Officers 12.1%, Financial Risk Specialists 26.5% — both low. Mixed impact. |
| Expert Consensus | 1 | Fintechfutures: talent attraction ongoing priority for European banking. Copla: DORA compliance not just 2025 — ongoing obligation with continuous improvement. Panorays: 46% of institutions cite Register of Information as most challenging compliance area. Consensus: regulation-driven demand with structural protection, bounded by DORA's specific scope. |
| Total | 5 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 2 | DORA Article 6(4) mandates financial entities "assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence." Legal requirement — the role exists because regulation demands it. CRISC/CISM certifications expected. Financial regulators (ECB, EBA, EIOPA) enforce compliance. |
| Physical Presence | 0 | Fully remote-capable. |
| Union/Collective Bargaining | 0 | Financial services professional role, no union representation typical. |
| Liability/Accountability | 2 | DORA Article 5(2): management body bears "overall responsibility" — but the ICT risk officer is the named control function owner. Major incident misclassification delaying regulatory notification creates direct supervisory exposure. Fines up to 1% daily turnover for critical providers, 2% global turnover for the entity. Personal accountability chain is structural. |
| Cultural/Ethical | 1 | Financial regulators and management bodies expect a human accountable for the ICT risk control function. Third-party providers expect human counterparts for contract negotiation and exit strategy discussions. Cultural resistance to AI owning regulatory reporting decisions. |
| Total | 5/10 | |
AI Growth Correlation Check
Confirmed at 1 (Weak Positive). DORA creates a regulatory demand floor — every in-scope financial entity must have an ICT risk control function. AI adoption introduces new ICT third-party dependencies (LLM APIs, AI scoring services) that expand the Register of Information and create novel concentration risk questions. But the role's growth driver is regulation, not AI itself. Existence is not causally driven by AI adoption the way AI Security Engineer's is.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 3.55/5.0 |
| Evidence Modifier | 1.0 + (5 x 0.04) = 1.20 |
| Barrier Modifier | 1.0 + (5 x 0.02) = 1.10 |
| Growth Modifier | 1.0 + (1 x 0.05) = 1.05 |
Raw: 3.55 x 1.20 x 1.10 x 1.05 = 4.9203
JobZone Score: (4.9203 - 0.54) / 7.93 x 100 = 55.2/100
Zone: GREEN (Green >=48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 45% |
| AI Growth Correlation | 1 |
| Sub-label | Green (Transforming) — >=20% task time scores 3+ |
Assessor override: None — formula score accepted. Score sits 2.3 points above Cybersecurity Risk Manager (52.9), reflecting stronger regulatory barriers and company action evidence. Sits 7.6 points below AI Risk Manager (62.8) due to lower growth correlation and narrower scope. Without barriers, score drops to 49.6 — still Green but borderline.
Assessor Commentary
Score vs Reality Check
The 55.2 places this role solidly Green, 7.2 points above threshold. The premium over Cybersecurity Risk Manager (52.9) is driven by stronger barriers and evidence — DORA Article 6(4) mandates the control function in a way general cybersecurity risk management is not mandated. Task resistance is slightly lower (3.55 vs 3.60) because DORA's structured requirements make more task time amenable to platform automation. The score is modestly barrier-dependent — removing barriers drops it to 49.6, still Green but borderline. The 46% of institutions citing Register of Information as most challenging (Deloitte Wave 3) confirms institutional demand is real and ongoing.
What the Numbers Don't Capture
- Regulatory ceiling as well as floor. DORA creates the role but constrains its scope. Unlike the Cybersecurity Risk Manager, who can expand into AI risk, cloud security, or OT security, this role's mandate is regulation-bounded. When initial compliance matures (2027-2028), the build-out workload drops to maintenance — though RTS/ITS updates and supervisory inspections sustain demand.
- Entity-size determines role independence. At tier-1 banks, this is a dedicated team. At smaller payment providers or crypto-asset service providers, DORA ICT risk is absorbed into CISO or CRO functions. The standalone role is strongest at large, complex financial entities.
- Concentration in EU/EEA. Geographically constrained to EU/EEA-regulated entities and their critical ICT third-party providers. UK follows separate PRA/FCA operational resilience framework. US institutions not in scope. Limits total addressable market.
- Platform automation advancing. ServiceNow, Archer, and MetricStream now offer DORA-specific modules. The 10% displacement today could reach 20-25% by 2028 as platforms mature.
Who Should Worry (and Who Shouldn't)
If you own the DORA ICT risk framework design, present to the management body, classify major incidents, and make third-party concentration risk decisions — you hold the strongest version of this role. Article 6(4) mandates your function. Regulators will inspect your framework. The management body is personally accountable under Article 5(2), which means they need you.
If your primary value is maintaining the Register of Information, populating incident templates, and tracking remediation actions — those tasks are what GRC platforms automate fastest. The officer whose day looks like a DORA compliance administrator faces greater compression than the score suggests.
The single biggest separator: whether you interpret DORA for novel situations or execute established DORA processes. The officer who tells the management body "this new AI-powered payment processor creates concentration risk our framework doesn't address" is protected. The officer who populates registers is being replaced by ServiceNow.
What This Means
The role in 2028: The surviving DORA ICT Risk Officer is a regulatory risk advisor — interpreting evolving delegated acts for the entity's specific ICT landscape, assessing novel third-party concentration risks (especially AI-powered services), classifying complex incidents that don't fit standard templates, and advising the management body on proportionate resilience measures. GRC platforms handle register maintenance, evidence compilation, and routine monitoring.
Survival strategy:
- Own the management body relationship. DORA Article 5 creates personal accountability for management bodies. Be the person they rely on for ICT risk posture, not the person who feeds dashboards.
- Master third-party concentration risk. DORA's most complex requirement — assessing whether ICT dependencies create systemic risk — requires judgment platforms cannot provide. Especially as AI-as-a-Service creates new concentration patterns.
- Build cross-regulation expertise. DORA intersects with NIS2, EU AI Act, GDPR, and PSD2. The officer who navigates overlapping requirements provides value beyond DORA-specific compliance.
Timeline: 5-7+ years. The regulatory mandate provides a durable floor. The compressed timeline (2-3 years) applies to junior DORA compliance administrators without framework design authority or management body access.