Deriving and Modelling Compliance Requirements from Legal Audits

Last modified by Florian Matthes Apr 2, 2015

Abstract

The overall demand for a stable and reliable financial system prompted legislators to react by passing regulations intended to prevent further crises. A central part of these regulations is the handling of operational risk in the economy. Financial institutions have to provide more comprehensive capabilities to handle such risks. In order to decrease vulnerability to these risks, and since information technology (IT) has become central to the financial system, the resulting laws have consequences for IT systems. Adequate risk management is necessary to meet the legal obligations.
Although IT governance and compliance are established parts of IT management, deriving concrete measures for existing systems is not trivial. We propose a method to derive concrete legal obligations, classified into requirements, goals and principles. Furthermore, we show how existing enterprise models can be enhanced with these demands using the modeling language ArchiMate. We have created several normative models for different areas of IT and discuss one of them, namely "User Authorization Management".

Files and Subpages

Name           Size     Last Modification
EICAR2014.pdf  1,13 MB  06.11.2014