Key Takeaways
  • DORA places non-delegable accountability on the management body for the ICT risk management framework — appointing a CISO does not discharge this obligation
  • The management body must approve the ICT risk management framework, digital resilience strategy, business continuity policy, ICT budget, internal audit plans, and ICT third-party arrangements for critical functions
  • Management body members must maintain sufficient ICT risk knowledge through regular training — this is a personal obligation, not an organisational one
  • Personal liability applies: Member States must ensure management body members can be held accountable for DORA infringements
  • DORA governance supplements existing sectoral requirements (MiFID II, CRD, Solvency II) — financial entities must satisfy both frameworks without duplication
  • The ICT budget must be adequate and approved by the management body, with documented rationale linking spend to risk profile

The Digital Operational Resilience Act (DORA) is widely understood in terms of its technical requirements — ICT risk management, incident reporting, resilience testing, and third-party risk management. What receives less attention, but is equally consequential, is DORA's governance framework. Articles 5 and 6 of DORA establish a governance model that places explicit, non-delegable accountability on the management body of every financial entity within scope. This is not a general "tone from the top" expectation. It is a specific, legally binding obligation that requires the board to approve, oversee, and be held personally accountable for the entity's ICT risk management framework and digital operational resilience strategy.

This article examines what DORA requires of management bodies: what they must approve, what they must oversee, what training they must complete, what liability they face, and how these obligations interact with existing governance requirements under MiFID II, the Capital Requirements Directive (CRD), and Solvency II.

Why DORA Governance Matters

Before DORA, EU financial regulation addressed ICT risk governance only indirectly. The EBA's Guidelines on ICT and Security Risk Management (EBA/GL/2019/04) established expectations for management body oversight of ICT risk, but these were guidelines — not binding regulation — and applied only to credit institutions and investment firms within the EBA's remit. For insurers, pension funds, and other financial entities, ICT governance expectations varied significantly by sector and Member State.

DORA changes this fundamentally. For the first time, a single, directly applicable EU regulation establishes uniform governance obligations for ICT risk management across all types of financial entities — credit institutions, investment firms, insurance and reinsurance undertakings, IORPs, trading venues, central counterparties, payment institutions, e-money institutions, crypto-asset service providers, and more. The management body of every in-scope entity must meet the same baseline governance obligations, regardless of sector, size, or jurisdiction.

This matters because ICT operational failures in the financial sector are, increasingly, governance failures. Major incidents are rarely the result of purely technical shortcomings. They result from inadequate risk assessment, insufficient investment, poor vendor management, absent business continuity planning, and — at root — from management bodies that did not understand, oversee, or resource ICT resilience adequately. DORA addresses this by making governance the first pillar of its requirements framework.

Article 5: The Core Governance Obligation

DORA Article 5 is the central governance provision. It establishes the management body's role in three dimensions: defining and approving, overseeing implementation, and bearing responsibility.

Article 5(1) — Ultimate Responsibility

Article 5(1) states that the management body of the financial entity shall define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1). This is a comprehensive obligation. "All arrangements" includes not only the framework document itself but every policy, procedure, control, resource allocation, and organisational structure that comprises the framework. The management body cannot claim ignorance of any element — it is responsible for the entire framework.

Article 5(2) — Specific Duties

Article 5(2) enumerates specific duties of the management body. These include:

  • Setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level for ICT risk
  • Approving, overseeing, and periodically reviewing the implementation of the ICT business continuity policy and ICT response and recovery plans
  • Approving and periodically reviewing the financial entity's ICT internal audit plans and ICT audits, and material modifications thereto
  • Allocating and periodically reviewing the appropriate budget to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training
  • Approving and periodically reviewing the financial entity's policy on arrangements regarding the use of ICT services provided by ICT third-party service providers
  • Putting in place reporting channels that enable it to be duly informed of ICT third-party arrangements for critical or important functions, ICT risk assessment results, major ICT-related incidents, and the results of digital operational resilience testing

Article 5(4) — Training Obligation

Article 5(4) establishes a personal training obligation for management body members. They must "actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate with the ICT risk being managed."

What the Management Body Must Approve

DORA Article 5 creates a specific approval mandate for the management body. The following items require formal management body approval — not merely acknowledgement or briefing, but documented, minuted approval:

1. ICT Risk Management Framework

The comprehensive ICT risk management framework required under Article 6(1). This includes identification of ICT assets and risks, protection and prevention measures, detection capabilities, response and recovery procedures, and learning and evolving mechanisms. The management body must understand the framework, assess its adequacy, and formally approve it. Subsequent material changes to the framework also require management body approval.

2. Digital Operational Resilience Strategy

Article 6(8) requires financial entities to define a digital operational resilience strategy as part of the overall ICT risk management framework. The strategy must set out how the ICT risk management framework is implemented, establish the methods to address ICT risk and attain specific ICT objectives, and explain how the framework supports the business strategy. The management body approves this strategy and the risk tolerance level it embodies.

3. ICT Business Continuity Policy

The ICT business continuity policy required under Article 11, including response and recovery plans for ICT-related incidents. The management body must approve the policy, ensure it is tested, and review the results of testing exercises. This is not a one-time approval — periodic review is mandatory.

4. ICT Internal Audit Plans

The plans and scope of internal audits relating to ICT. The management body must ensure that internal audit provides independent assurance over the ICT risk management framework and that the audit plan covers all material ICT risk areas. Material modifications to the audit plan also require management body approval.

5. ICT Budget

The budget allocated to digital operational resilience, including ICT security awareness programmes and training. The management body must ensure the budget is adequate for the entity's risk profile and must review it periodically. This provision is designed to prevent the common situation where ICT security is under-resourced because budget decisions are made at a level below the management body.

6. ICT Third-Party Risk Management Policy

The policy governing arrangements with ICT third-party service providers, including the decision to enter into or materially modify arrangements supporting critical or important functions. The management body must understand the entity's ICT third-party dependencies and approve the overall approach to managing them.

Ongoing Oversight Obligations

Approval is the first step. DORA also requires the management body to exercise ongoing oversight — active, documented monitoring of implementation and effectiveness. This means:

  • Regular reporting: The management body must receive regular reports on the ICT risk management framework, including risk assessment results, incident reports, testing results, and third-party risk status. DORA Article 5(2)(e) specifically requires the establishment of reporting channels for this purpose.
  • Review of incidents: The management body must be informed of major ICT-related incidents and their impact. For significant incidents, this should include the root cause analysis, the effectiveness of the response, and the lessons learned.
  • Testing oversight: The management body must be informed of the results of digital operational resilience testing, including any findings from Threat-Led Penetration Testing (TLPT). The management body should understand what was tested, what was found, and what remediation actions are planned.
  • Third-party oversight: The management body must be informed of ICT third-party arrangements, particularly those supporting critical or important functions. This includes being notified of material changes, concentration risks, and exit plan status.
  • Periodic framework review: The management body must periodically review the ICT risk management framework itself — not just the reports it generates — to assess whether it remains fit for purpose given changes in the entity's risk profile, technology landscape, or regulatory environment.

The key word throughout is "documented." Supervisory authorities will assess management body oversight by examining minutes, board papers, decision logs, and reporting packs. Verbal briefings without documentation do not demonstrate compliance with DORA's governance obligations.

Training Requirements

DORA Article 5(4) establishes a personal obligation for each management body member to maintain sufficient ICT risk knowledge. This is not a collective obligation that the board as a whole must meet — it applies to each individual member. The practical implications are significant:

What Training Must Cover

  • Understanding the ICT risk management framework and its key components
  • Understanding the entity's ICT risk profile — the principal risks, the controls in place, and the residual risk position
  • Understanding the entity's ICT third-party dependencies — particularly concentration on specific providers and the risks this entails
  • Understanding the entity's digital operational resilience strategy — its objectives, the gap between current and target state, and the roadmap for closing that gap
  • Understanding the incident reporting obligations — what constitutes a major incident, the reporting timelines, and the management body's role during an incident
  • Understanding the results of digital operational resilience testing and what they mean for the entity's risk posture

Training Frequency and Format

DORA requires training "on a regular basis" — not as a one-time onboarding exercise. The frequency should be commensurate with the ICT risk being managed. For complex financial entities with significant ICT dependencies, annual training at a minimum is expected, with additional sessions when material changes occur (e.g., following a major incident, a significant change in ICT third-party arrangements, or a material update to the risk management framework).

The format should be substantive — not a brief slide deck or a compliance checkbox. Management body members should emerge from training with genuine understanding of the entity's ICT risk position, not just awareness that a framework exists. Many entities are finding that interactive workshops, scenario-based exercises, and incident simulations are more effective than traditional presentations.

Employee Training Obligation

Article 5(4) also requires the management body to "encourage the offering of similar training to all employees on a regular basis." While this is an "encourage" rather than an "ensure" obligation with respect to employees, the management body must still demonstrate active promotion of ICT risk awareness training across the organisation.

Personal Liability

DORA Article 5(2) establishes that Member States shall ensure the management body bears the responsibility for the implementation of the ICT risk management framework. Combined with the enforcement provisions in DORA (Articles 50–51), this creates a clear basis for personal liability of management body members.

The liability framework operates at two levels:

Entity-Level Liability

Competent authorities can impose administrative penalties and remedial measures on financial entities for breaches of DORA requirements. These penalties are determined by Member State law within the framework established by DORA and the relevant sectoral legislation (CRD, MiFID II, Solvency II, etc.).

Personal Liability

DORA establishes that management body members can be held personally accountable. The specific mechanisms vary by Member State, but the legal basis is clear: where the management body has failed to approve, oversee, or be trained on the ICT risk management framework, and the entity suffers a breach of DORA requirements, the management body members who failed in their duties may face personal consequences. These can include administrative fines (determined by national law), temporary prohibition from exercising managerial functions, public statements identifying the person and the nature of the breach, and orders to cease the conduct constituting the breach.

This personal liability dimension is what distinguishes DORA governance from previous ICT governance expectations. Under the EBA Guidelines, the management body was expected to oversee ICT risk — but failure to do so was a supervisory finding, not a basis for personal liability. Under DORA, it is both.

ICT Budget Allocation

DORA Article 5(2)(b) requires the management body to allocate and periodically review the appropriate budget to fulfil the financial entity's digital operational resilience needs. This is a specific, actionable requirement — not a general governance principle.

The management body must ensure that:

  • The ICT budget is sufficient to implement and maintain the ICT risk management framework, including all controls, tools, and processes required
  • The budget covers ICT security awareness programmes and digital operational resilience training for employees
  • The budget includes resources for digital operational resilience testing (including TLPT where applicable)
  • The budget is reviewed periodically — at least annually — and adjusted to reflect changes in the entity's risk profile, technology landscape, or regulatory requirements
  • The budget allocation is documented, with rationale linking spend to identified risks and resilience objectives

Supervisory authorities are expected to assess whether the ICT budget is adequate relative to the entity's size, risk profile, and ICT complexity. An entity that allocates a disproportionately low percentage of its overall budget to ICT security — relative to its risk profile and regulatory obligations — will face supervisory scrutiny. The management body must be prepared to justify the budget allocation with reference to the risk assessment and the resilience strategy.

Internal Audit and ICT

DORA Article 5(2)(c) requires the management body to approve and periodically review ICT internal audit plans and ICT audits. Article 6(6) further requires that the ICT risk management framework be audited on a regular basis by ICT auditors with sufficient knowledge, skills, and expertise in ICT risk. The auditors must conduct audits in line with applicable standards and the frequency of audits must be commensurate with the entity's ICT risk.

Key requirements include:

  • Internal audit must have the independence, authority, and resources to assess the ICT risk management framework objectively
  • The audit plan must cover all material ICT risk areas — not just technical controls, but governance, third-party management, incident management, and business continuity
  • Audit findings must be reported to the management body, with action plans for addressing material issues
  • The management body must monitor the remediation of audit findings
  • The audit function itself must have ICT expertise — either through in-house specialists or qualified external resources

Management Body Reporting

DORA Article 5(2)(e) requires financial entities to establish reporting channels that enable the management body to be duly informed of critical matters. The following information must flow to the management body on a regular basis:

  • ICT risk assessment results: The current risk profile, changes since the last assessment, and any new or emerging risks
  • Major ICT-related incidents: The nature, impact, root cause, and response effectiveness of any major incident
  • ICT third-party arrangements: Status of arrangements for critical or important functions, including concentration risks, performance issues, and exit plan readiness
  • Digital operational resilience testing results: Findings from vulnerability assessments, penetration tests, scenario-based tests, and TLPT
  • Regulatory and supervisory developments: Changes to DORA Level 2 standards, supervisory expectations, and cross-sector guidance that may affect the entity's obligations
  • ICT budget status: Expenditure against budget, resource utilisation, and any budget shortfalls affecting resilience capabilities

The format and frequency of reporting should be defined in a management body reporting calendar, aligned to the regular meeting cycle. For most financial entities, quarterly ICT risk reporting to the management body is the minimum expected frequency, with ad hoc reporting for major incidents or material risk changes.

Relationship to MiFID II and CRD Governance

Financial entities subject to DORA are typically also subject to sectoral governance requirements under MiFID II (for investment firms), the Capital Requirements Directive/CRD V (for credit institutions), Solvency II (for insurance undertakings), or other sector-specific legislation. DORA's governance requirements supplement these existing frameworks rather than replacing them.

MiFID II Governance

MiFID II Articles 9 and 16 require the management body to approve and oversee internal control mechanisms, compliance, risk management, and the firm's organisational framework. The EBA/ESMA Guidelines on internal governance (EBA/GL/2021/05) further specify expectations for the management body's role in IT and security risk management. DORA adds specific ICT risk management obligations on top of these existing requirements — including the training obligation, the ICT budget approval obligation, and the Register of Information oversight.

CRD Governance

CRD Articles 74–76 and 88 require credit institutions to have robust governance arrangements, including clear organisational structure, effective risk management processes, and internal control mechanisms. CRD Article 76 specifically references operational risk management. DORA augments this by requiring the management body to approve and oversee an ICT-specific risk management framework, digital resilience strategy, and ICT business continuity policy — obligations that go beyond CRD's general operational risk governance provisions.

Solvency II Governance

Solvency II Articles 41–50 establish governance requirements for insurance and reinsurance undertakings, including risk management, internal controls, and internal audit. EIOPA's Guidelines on system of governance further address ICT-related expectations. DORA adds explicit ICT risk management governance obligations that complement the Solvency II framework.

Avoiding Duplication

Financial entities should avoid creating parallel governance structures for sectoral requirements and DORA. The most effective approach integrates DORA governance into the existing governance framework — adding ICT-specific items to existing board committee agendas, expanding existing risk reporting to include DORA-specific metrics, and incorporating DORA training into existing board development programmes. Duplication creates governance complexity, reporting overhead, and the risk of inconsistency between frameworks.

Practical Steps for Compliance

For financial entities establishing or validating their DORA governance arrangements, the following practical steps provide a structured approach:

Step 1: Governance Gap Assessment

Map existing management body governance arrangements (committee structures, reporting frameworks, approval authorities) against DORA Article 5 requirements. Identify which obligations are already met through existing governance processes and which require new or enhanced arrangements.

Step 2: Update Terms of Reference

Ensure that the terms of reference for the management body (and any relevant sub-committee, such as a risk committee or IT committee) explicitly include DORA governance obligations — approval of the ICT risk management framework, digital resilience strategy, ICT business continuity policy, ICT audit plans, ICT budget, and ICT third-party policy.

Step 3: Establish Reporting Channels

Define the content, format, and frequency of ICT risk reporting to the management body. Ensure that reporting covers all DORA-mandated topics: risk assessment results, major incidents, third-party arrangements, testing results, and budget status.

Step 4: Implement Training Programme

Design and deliver an ICT risk training programme for management body members that covers the entity's ICT risk profile, the risk management framework, key third-party dependencies, and the digital resilience strategy. Schedule regular refresher training — at least annually — and document attendance and content.

Step 5: Document Approval Evidence

Ensure that every management body approval required under DORA is documented in board minutes or decision logs. This includes the initial approval of the ICT risk management framework, subsequent reviews and material updates, and budget allocation decisions. Documented evidence is essential for demonstrating compliance to supervisory authorities.

Step 6: Integrate with Existing Governance

Avoid creating separate DORA governance structures where existing governance arrangements can be extended. Add DORA-specific items to existing board committee agendas, expand existing risk reports, and leverage existing internal audit and compliance functions.

How Glocert International Helps

Glocert International provides DORA governance advisory services including governance gap assessments, management body terms of reference updates, board reporting framework design, management body training programme development, and integrated governance model design. We work with boards, risk committees, and senior management teams to establish governance arrangements that satisfy DORA while leveraging existing structures and avoiding duplication.

Contact us to discuss your DORA governance requirements →

Frequently Asked Questions

What must the management body approve under DORA?

Under DORA Article 5(2), the management body must define, approve, oversee, and be responsible for the implementation of the ICT risk management framework. Specific items requiring approval include: the ICT risk management framework, the digital operational resilience strategy, the ICT business continuity policy, ICT response and recovery plans, ICT internal audit plans, ICT security policies, arrangements with ICT third-party service providers for critical or important functions, and the ICT budget allocation.

Can the management body delegate DORA responsibilities to the CISO or CIO?

No. DORA explicitly places non-delegable accountability on the management body. While day-to-day implementation may be delegated to the CISO, CIO, or senior management, the obligations to approve, oversee, and be held accountable remain with the management body. Appointing a CISO creates an implementation layer, not a substitution of governance responsibility.

What training must management body members complete under DORA?

DORA Article 5(4) requires management body members to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the entity's operations. Training must cover the ICT risk management framework, the digital resilience strategy, ICT third-party dependencies, and testing results. It must be provided regularly — not as a one-time exercise — and be commensurate with the ICT risk being managed.

What personal liability do board members face under DORA?

DORA Article 5(2) establishes that Member States shall ensure the management body bears responsibility for implementing the ICT risk management framework. This creates a legal basis for personal liability through national law. Enforcement measures can include administrative penalties, temporary prohibition from exercising managerial functions, and public statements identifying the person and the breach. The liability is for failure to fulfil governance obligations — approval, oversight, and training.

How does DORA governance relate to existing MiFID II and CRD governance requirements?

DORA's governance requirements supplement, rather than replace, existing sectoral governance requirements. Where MiFID II and CRD already require management body oversight of risk management, DORA adds specific ICT risk management obligations — including the ICT risk management framework, digital resilience strategy, ICT business continuity, ICT third-party oversight, and ICT-specific training. Financial entities must satisfy both frameworks, integrating DORA obligations into existing governance structures to avoid duplication.