- Question ID
- 2021_5731
- Legal act
- Directive 2013/36/EU (CRD)
- Topic
- Internal governance
- Article
- 74
- Paragraph
- 1
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- EBA/GL/2021/05 - Guidelines on internal governance under CRD - repealing EBA/GL/2017/11
- Article/Paragraph
- Background and rationale / paragraphs 29 and 30
- Type of submitter
- Competent authority
- Subject matter
- Composition of the first and second lines of defence
- Question
- What are the units composing respectively the first line of defence and the second line of defence?
- Background on the question
- (i) Paragraph 29 of the “Background and rationale” part of the EBA Guidelines on internal governance (EBA/GL/2017/11) refers to the first line of defence as being the “business lines”. However, other paragraphs in the guidelines also refer to “business lines and internal units”. Although the words “internal units” are not defined, we understand that they designate all units other than the business lines that perform operations and are therefore exposed to operational risks, including legal risk. This is particularly the case for the support functions of a credit institution (e.g. the IT function, human resources, purchasing, etc.). This seems to be confirmed by the EBA GL on ICT and security risk management (EBA/GL/2019/04), which state in paragraph 5 of their “Background and rationale” part that “The guidelines are compatible with the three lines of defence model, with the ICT operational units being the first line of defence”. Could you confirm that all units conducting business, but also units performing operations in general such as the support functions, are included in the first line of defence?

(ii) Considering the second line of defence, paragraph 30 of the Rationale of the EBA Guidelines on internal governance only mentions the risk management function and the compliance function. However, we do not understand it to prohibit credit institutions from designating, at their own choice, additional independent units as control functions of the second line of defence (e.g. functions such as Legal, Tax or Finance), provided that they contribute to risk management and compliance checks. The question therefore is whether the composition of the LoD2 is limited to the risk and compliance functions only, or whether an institution could choose to add other functions exercising risk management and/or controls as well. Besides, we would like to have confirmation that this is possible for any kind of credit institution, be they small or complex ones.
- Submission date
-
- Rejected publishing date
-
- Rationale for rejection
- This question has been rejected because the issue it deals with is already explained or addressed in paragraphs 97, 172, 183 and 206 of the Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05).
For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.
- Status
- Rejected question