What Is IT Governance? A Guide for EU Organisations
Complete guide to IT governance for EU organisations covering COBIT, ISO 38500, alignment with NIS2 and DORA requirements, IT governance structures and decision-making frameworks, and integration with cybersecurity and compliance governance.
Key takeaways:
1. IT governance directs and controls the use of information technology at the organisational level. It is a governing body responsibility, distinct from IT management, and is now a legal obligation under NIS2 and DORA.
2. ISO 38500 provides governance principles while COBIT 2019 offers detailed implementation guidance. Choose your primary framework based on your regulatory obligations and organisational complexity.
3. IT governance structures must define explicit decision rights across IT principles, architecture, infrastructure, applications, and investment. Document who decides what and ensure decision authority aligns with regulatory accountability.
4. IT governance, cybersecurity governance, and compliance governance must be integrated — not siloed. EU regulation treats technology risk, security, and compliance as a unified domain.
5. Implement IT governance in phases: establish structures first, operationalise governance processes second, and optimise for maturity third. Early structural clarity delivers immediate value at minimal cost.
1. IT Governance Fundamentals
IT governance is the system of structures, processes, and relational mechanisms by which an organisation's governing body directs and controls the current and planned use of information technology. It is a subset of corporate governance, focused specifically on ensuring that IT investments support business objectives, IT-related risks are managed within accepted thresholds, and IT resources are used responsibly. The core distinction from IT management is identical to the governance-management distinction in other domains: governance sets direction and evaluates outcomes, while management plans, builds, runs, and monitors IT services.
ISO/IEC 38500:2024 (Governance of Information Technology) provides the foundational model, defining six principles for the governance of IT: responsibility (individuals and groups understand and accept their responsibilities), strategy (IT strategy satisfies current and future business needs), acquisition (IT acquisitions are made for valid reasons with appropriate analysis), performance (IT supports the organisation by delivering services at appropriate levels), conformance (IT complies with all mandatory legislation and regulations), and human behaviour (IT policies and practices respect human behaviour). These principles provide a universal framework that can be adapted to any regulatory context.
COBIT 2019 (Control Objectives for Information and Related Technologies), developed by ISACA, offers a more comprehensive and prescriptive governance framework. COBIT defines 40 governance and management objectives across five domains: Evaluate, Direct and Monitor (EDM — the governance domain), plus four management domains covering Align, Plan and Organise (APO), Build, Acquire and Implement (BAI), Deliver, Service and Support (DSS), and Monitor, Evaluate and Assess (MEA). COBIT's strength lies in its component model, which addresses processes, organisational structures, information flows, policies, culture, skills, and services/infrastructure for each objective. For EU organisations navigating complex regulatory landscapes, COBIT provides the granularity needed to map IT governance activities to specific regulatory requirements.
IT governance is about directing and controlling the use of IT at the organisational level — it is a governing body responsibility, not an IT department function. ISO 38500 and COBIT provide complementary frameworks: ISO 38500 for principles, COBIT for detailed implementation.
2. Alignment with EU Regulatory Requirements
EU regulation has transformed IT governance from a best-practice aspiration into a legal obligation for many organisations. NIS2 Article 21(2)(e) specifically mandates security in network and information systems acquisition, development, and maintenance — a core IT governance concern. Article 21(2)(a) requires policies for risk analysis and information system security, which presuppose an IT governance framework that defines how technology decisions incorporate security requirements. The management body obligations under Article 20 extend to IT governance decisions that affect the security of network and information systems, meaning the governing body cannot remain uninformed about how IT strategy intersects with cybersecurity risk.
DORA goes further, dedicating its entire Chapter II to ICT risk management governance. Article 5(1) requires the management body of financial entities to define, approve, oversee, and be responsible for the implementation of the ICT risk management framework. Article 5(2) specifies a detailed list of management body responsibilities including setting risk tolerance levels for ICT disruptions, approving the ICT business continuity policy, approving ICT audit plans, allocating adequate ICT budget, and approving arrangements for the use of ICT third-party service providers. This is prescriptive IT governance — the regulation tells governing bodies not just that they must govern IT risk but specifically what governance activities they must perform.
The General Data Protection Regulation (GDPR) introduces IT governance obligations through the lens of data protection. Article 25 (data protection by design and by default) requires that data protection considerations be embedded into IT acquisition and development processes — a governance-level decision about how technology procurement and software development are conducted. Article 32 requires appropriate technical and organisational measures for data processing security, which must be risk-assessed and proportionate. The Data Protection Officer role under Article 37 itself represents a governance mechanism, providing independent oversight of data processing activities. Organisations subject to multiple EU frameworks must ensure their IT governance structure accounts for all applicable regulatory requirements as first-class governance concerns, not afterthoughts appended to existing IT decision-making processes.
3. IT Governance Structures and Decision-Making
Effective IT governance requires explicit structures that define who makes what decisions and how accountability flows. The Weill and Ross framework, developed at MIT Sloan, identifies five key IT governance decisions: IT principles (high-level statements about how IT is used), IT architecture (technical choices that constrain and enable business capabilities), IT infrastructure (shared IT services providing the foundation), business application needs (specifying requirements for IT applications), and IT investment and prioritisation (decisions about how much and where to invest in IT). For each decision, the governance structure must define who has input rights and who has decision rights.
Common structural patterns include centralised governance (a single IT governance committee makes all significant technology decisions), federal governance (a central body sets principles and architecture while business units make application and local infrastructure decisions), and decentralised governance (business units make their own IT decisions within broad corporate guardrails). Most EU organisations of significant size operate a federal model, balancing central control of security, architecture, and regulatory compliance with business unit autonomy on application selection and service configuration. The optimal structure depends on organisational complexity, regulatory obligations, and the degree of IT standardisation required across business units.
The governance structure should include defined committees or forums at multiple levels. A board-level technology or IT risk committee provides strategic oversight and resource allocation decisions. An executive IT steering committee (including the CIO, CISO, CFO, and business unit leaders) translates strategic direction into investment priorities and architecture decisions. An architecture review board ensures technical decisions conform to enterprise standards and security requirements. A change advisory board governs operational changes to production systems. Each body requires a formal charter, defined membership, meeting cadence, decision authority, and escalation pathways. Without this structural clarity, IT governance degenerates into informal negotiations between the IT department and its loudest stakeholders.
Decision rights must be documented and communicated. A decision rights matrix (typically a RACI matrix, or a DACI matrix where a single driver and approver per decision is preferred) should specify for each decision type who is responsible, accountable, consulted, and informed. This documentation serves a dual purpose: it enables efficient decision-making during normal operations and provides evidence of governance structure for regulatory examinations. Supervisory authorities under NIS2 and DORA will expect to see not just that decisions were made but that they were made by appropriately authorised individuals within a defined governance framework.
Document your IT governance decision rights matrix and keep it current. When a supervisory authority asks 'who approved this technology decision and under what authority?' you need a clear, documented answer — not a retrospective reconstruction.
4. Integration with Cybersecurity and Compliance Governance
IT governance does not operate in isolation — it must integrate with cybersecurity governance, data governance, and broader compliance governance to form a coherent oversight system. The historical separation of IT governance (focused on value delivery and resource optimisation) from cybersecurity governance (focused on risk management and protection) has become untenable in the EU regulatory environment. NIS2 treats information system security as inseparable from system acquisition, development, and maintenance. DORA treats ICT risk as a unified domain encompassing operational resilience, security, and third-party management. Maintaining separate governance silos for IT and security creates gaps, inconsistencies, and duplicated effort.
Integration can take several forms. The strongest model is unified governance, where a single committee oversees IT strategy, cybersecurity risk, and regulatory compliance together. This ensures that technology investment decisions automatically incorporate security requirements and compliance obligations. The moderate model uses separate committees with formal coordination mechanisms — the IT governance committee and cybersecurity governance committee share members, align meeting schedules, and use common risk language and taxonomies. The weakest model (and unfortunately the most common) is informal coordination, where IT governance and cybersecurity governance operate independently and alignment depends on personal relationships between the CIO and CISO.
For EU organisations, the integrated approach is increasingly the regulatory expectation. DORA Article 6(8) requires the ICT risk management framework to be documented and reviewed at least once a year, or upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant testing or audit processes. This presupposes an integrated governance cycle where ICT risk assessment feeds into both technology investment decisions and cybersecurity measure prioritisation. Organisations should establish a common governance calendar that aligns IT strategy reviews, cybersecurity risk assessments, compliance audits, and regulatory reporting into a single cadence, ensuring that governance decisions are informed by the full picture rather than fragmented views of technology, security, and compliance.
5. IT Governance Performance Measurement
Governance without measurement is aspiration without accountability. IT governance performance should be tracked through a balanced set of metrics that cover strategic alignment, value delivery, risk management, resource management, and regulatory conformance. Strategic alignment metrics assess whether IT initiatives map to stated business objectives — for example, the percentage of IT projects directly linked to a strategic goal or regulatory requirement. Value delivery metrics evaluate whether IT investments achieve their intended outcomes — project delivery against scope, schedule, and budget targets, and business benefit realisation post-implementation.
Risk management metrics are particularly important in the EU regulatory context. Track the number and severity of IT-related incidents, the time to detect and resolve IT disruptions, the percentage of IT assets covered by risk assessment, and the status of risk treatment actions decided at governance level. For NIS2-subject entities, include metrics on Article 21 measure maturity across all ten categories. For DORA-subject entities, track ICT risk tolerance adherence, digital operational resilience testing coverage, and ICT third-party concentration risk. These metrics should be reported to the governing body in a format that enables governance decisions — not raw data, but contextualised analysis with trend indicators and threshold breaches highlighted.
Mature IT governance organisations adopt a governance scorecard approach, aggregating metrics into a concise dashboard that the board can review efficiently. The scorecard should use consistent rating scales (RAG status, maturity levels, or risk heat maps), compare performance against defined targets and prior periods, and flag items requiring governance action. Critically, the scorecard should include external benchmarks where available — ENISA's annual threat landscape report, sector-specific incident statistics, and peer organisation benchmarking data provide context that transforms internal metrics from abstract numbers into actionable governance intelligence. Review the governance scorecard at every board-level IT governance meeting and formally document the governance body's response to each metric — whether accepted, flagged for investigation, or escalated for remediation.
Governance metrics should enable decisions, not just report status. Each metric reported to the board should answer: are we within tolerance, are we trending in the right direction, and does the governance body need to act?
6. Building an IT Governance Programme: Practical Roadmap
Implementing IT governance is itself a governance decision — it requires executive sponsorship, defined scope, and a phased approach that delivers early value while building toward a mature capability. Begin with an IT governance maturity assessment that evaluates your current state across the dimensions described in this guide: structural clarity, decision-making effectiveness, regulatory conformance, integration with cybersecurity and compliance, and performance measurement. Use the assessment results to identify the highest-priority gaps and build a remediation roadmap that sequences improvements by regulatory urgency and organisational readiness.
Phase 1 (foundation, months 1-3) should establish the structural basics: define and document the IT governance framework charter, establish or formalise the governing committee(s), create a decision rights matrix for the five key IT governance decisions, and implement a basic governance meeting cadence with agenda templates and minute-taking protocols. These structural elements cost nothing to implement but create the foundation for everything that follows. For organisations already subject to NIS2 or DORA compliance obligations, Phase 1 should also include mapping current IT governance activities to the specific regulatory requirements to identify critical gaps.
Phase 2 (operationalisation, months 3-9) activates the governance processes within the established structures: implement a governance-level IT risk assessment cycle aligned with enterprise risk management, establish IT investment prioritisation criteria that include security and regulatory requirements, define governance-level performance metrics and build the initial governance scorecard, and integrate IT governance reporting with cybersecurity and compliance governance reporting. Phase 3 (maturity, months 9-18) focuses on optimisation: implement quantitative IT risk analysis to inform governance decisions, establish peer benchmarking, conduct a formal governance effectiveness review using an independent assessor, and evolve governance practices based on lessons learned from regulatory examinations and audit findings.
Throughout all phases, remember that IT governance is a means to an end, not an end in itself. The purpose of IT governance is to ensure technology serves the organisation's objectives while managing risk and meeting regulatory obligations. If governance processes become bureaucratic overhead that slows decision-making without improving outcomes, the governance framework needs recalibration. The best IT governance programmes are those where the governing body feels genuinely informed and empowered to direct technology strategy, and where technology leaders feel accountable to governance decisions without being paralysed by them.
Start with structure and decision rights — these are free to implement and immediately improve governance clarity. Sophisticated metrics and quantitative risk analysis can follow once the foundation is solid.
What is the difference between IT governance and IT management?
IT governance is the system by which the governing body (board, executive committee) directs and controls the use of IT. It defines strategic direction, sets risk appetite for technology decisions, allocates resources, and evaluates outcomes. IT management is the operational function that plans, builds, runs, and monitors IT services within the governance framework. The CIO manages IT; the board governs IT. EU regulations like NIS2 Article 20 and DORA Article 5 specifically target the governance level, holding management bodies accountable for IT-related risk oversight, not just operational IT performance.
Which IT governance framework should we use — COBIT or ISO 38500?
ISO 38500 and COBIT are complementary rather than competing. ISO 38500 provides six high-level governance principles (responsibility, strategy, acquisition, performance, conformance, human behaviour) and a simple evaluate-direct-monitor model. COBIT 2019 provides granular governance and management objectives with detailed process descriptions and maturity models. For most EU organisations, ISO 38500 provides the philosophical foundation while COBIT provides the implementation detail. Start with ISO 38500's principles to frame your governance approach, then use relevant COBIT objectives to flesh out specific governance processes where more detail is needed.
How does DORA change IT governance for financial entities?
DORA (Regulation 2022/2554) imposes prescriptive IT governance obligations on financial entities that go significantly beyond general IT governance practice. Article 5 requires the management body to personally define and approve the ICT risk management framework, set ICT risk tolerance levels, approve ICT business continuity and disaster recovery policies, approve ICT audit plans, allocate adequate ICT budgets, approve digital operational resilience testing policies, and approve arrangements with ICT third-party providers. This represents a detailed governance mandate that requires financial entity boards to engage with ICT governance at a far more granular level than NIS2 alone requires.
Do we need a separate IT governance committee at board level?
Not necessarily — the right structure depends on your organisation's size, complexity, and regulatory obligations. Large organisations or those in highly regulated sectors (financial services under DORA, critical infrastructure under NIS2) benefit from a dedicated technology risk committee. Mid-sized organisations can integrate IT governance into an existing risk or audit committee, provided cybersecurity and technology risk receive dedicated agenda time and appropriate expertise is present. The critical requirement is that governance occurs — the specific structural form is secondary. Whichever structure you choose, document the charter, decision authority, and meeting cadence.
How do we measure whether IT governance is working?
Effective IT governance measurement combines outcome metrics and process metrics. Outcome metrics assess whether IT delivers value (project success rates, benefit realisation), manages risk (incident frequency and severity, audit findings), and supports strategy (alignment of IT portfolio to strategic objectives). Process metrics assess whether governance itself functions (decision timeliness, attendance and engagement at governance meetings, policy currency, risk assessment completion rates). Build a governance scorecard that reports these metrics to the board with trend analysis and threshold comparisons. The ultimate test is whether the governing body feels informed enough to make effective technology decisions and whether those decisions produce better outcomes than they would without governance.