Question ID: 2735
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT risk management (DORA)
Article: 6 of DORA and 2 of RTS
Status: Rejected
Date of submission: 13 Jul 2023
Question
Article 6 of DORA and Article 2 of the RTS on ICT risk management clearly assign specific tasks in ICT risk management and monitoring to the control function. My understanding of Article 2 of the RTS is that the control function will be appointed to:
1) Define clear and measurable objectives in terms of ICT and cyber resilience in order to keep ICT risk within the risk appetite limit;
2) Because of the mandate above, define principles and provisions (what to do to be resilient) in the following areas of the RTS, in order to be able to measure the defined objectives: (i) ICT risk management, (ii) asset management, (iii) encryption, (iv) ICT security operations, (v) network security, (vi) physical security, (vii) project and change management, (viii) security awareness and training, while the 1st line of defence will be in charge of deciding "how to" implement such principles/provisions in technical terms;
3) In the end, regularly execute control testing activities in order to assess the effectiveness of the controls implemented by the 1st line (Article 2(1)(c)).
Is my understanding correct? Moreover, considering that most of the remaining activities (e.g. risk assessment, risk treatment) are also described in Article 3, is it thus confirmed that the control function is responsible for the implementation of the requirements in scope of Articles 2 and 3?
Background of the question
I understand that it is not possible to give organisational input to the FE; however, the two mentioned articles clearly name the control function. How should the tasks assigned to the control function be mapped onto the three lines of defence model, setting goals and being able to measure them? I think it is necessary that the 2nd line defines provisions on what to do to stay resilient, while the 1st line defines "how" it is going to implement such provisions on a technical basis. Clarification would be beneficial.
EIOPA answer
This question has been rejected because the matter it refers to is related to draft Standards not yet in force.