Last Updated on 06/02/2026 by 75385885
Part I – Why DORA weighs differently on banks
Introduction – why banks sit at the centre of DORA governance
Although the Digital Operational Resilience Act (DORA) applies across the financial sector, it is impossible to understand the regulation without recognising that banks occupy a special position within its logic. This is not because DORA explicitly favours or targets banks, but because banks sit at the intersection of payments, liquidity, trust and financial stability. When digital resilience fails at a bank, the consequences rarely remain confined to that institution.
For boards of banks, DORA is therefore not simply another regulatory framework to be implemented. It is a prudential governance obligation. Digital operational resilience under DORA is closely linked to the same concerns that underpin capital adequacy, liquidity management and recovery planning: continuity, confidence and systemic impact.
This article examines DORA from a banking-specific governance perspective. It builds on the generic DORA governance framework and explains why supervisory expectations are inherently higher for banks, how proportionality operates between systemic banks and smaller institutions, and where boards are most exposed in practice.
This blog is part of a series with two other blogs:
2. DORA and Non-Banks – Digital Operational Resilience Beyond Banking Labels.
Banks as critical infrastructure, not just market participants
Banks differ from other financial institutions in one fundamental respect: they are embedded in the functioning of the financial system itself. They safeguard deposits, facilitate payments, provide credit and act as liquidity intermediaries. These functions are increasingly delivered through digital channels that operate continuously and at scale.
As a result, digital disruption at a bank has a public dimension. A prolonged outage can affect households, businesses and markets within hours. Even short disruptions can undermine confidence if they affect access to funds or payment services.
DORA reflects this reality implicitly. While the regulation does not create a separate legal regime for banks, it assumes that institutions with systemic relevance must demonstrate a higher degree of governance maturity. For banks, digital operational resilience is inseparable from prudential soundness.
Boards should therefore approach DORA in the same way they approach capital or liquidity governance: as a core element of institutional stability rather than a technical compliance exercise.
Digital risk as a prudential risk
Traditionally, prudential regulation focused on financial risks: credit, market and liquidity risk. Operational risk was recognised, but often treated as secondary. Digitalisation has fundamentally altered this hierarchy.
In modern banks, digital failures can trigger:
- immediate disruption of payment flows,
- inability to service customers,
- breaches of regulatory obligations,
- reputational damage leading to liquidity stress.
These effects blur the boundary between operational and prudential risk. A severe ICT incident may not directly erode capital, but it can rapidly undermine confidence, trigger supervisory intervention and, in extreme cases, threaten viability.
DORA formalises this shift by embedding digital operational resilience within the supervisory framework. It signals that digital risk is now prudentially relevant, and that boards are expected to govern it with the same seriousness as traditional financial risks.
Governance expectations for bank boards under DORA
For boards of banks, DORA translates into heightened expectations around oversight, challenge and accountability. Supervisors no longer accept a model in which digital resilience is delegated entirely to management layers or specialist functions.
Key governance expectations include:
- clear board ownership of digital resilience,
- regular and meaningful reporting on ICT risk,
- explicit discussion of digital dependencies and trade-offs,
- demonstrable follow-up on incidents and test findings.
Importantly, boards are not assessed on their technical expertise, but on their governance behaviour. Supervisors look for evidence that boards understand the institution’s digital risk profile, ask the right questions and make informed decisions.
Where boards rely solely on assurances from management or external providers, governance is considered weak, regardless of formal compliance.
Systemic banks versus smaller banks: proportionality without dilution
DORA explicitly incorporates proportionality, but for banks this principle operates within narrow boundaries. The difference between a global systemically important bank and a smaller domestic institution lies primarily in complexity and scale, not in the nature of responsibility.
Systemic banks face:
- extensive digital ecosystems,
- global outsourcing arrangements,
- high levels of interconnectedness,
- heightened supervisory scrutiny.
Smaller banks may operate simpler structures, but they often rely heavily on shared service providers, core banking platforms or group-level ICT arrangements. This can create concentration and dependency risks that are just as significant from a governance perspective.
Under DORA, proportionality affects:
- the sophistication of governance structures,
- the depth and frequency of reporting,
- the scope of testing programmes.
It does not affect the core expectation that the board must be able to explain how digital resilience is governed and why accepted risks are appropriate.
Read more from EIOPA on the Digital Operational Resilience Act (DORA).
The illusion of delegation in banking ICT governance
A persistent governance weakness in banking is the assumption that digital risk can be effectively managed through delegation: to IT, to group entities, or to third-party providers. DORA directly challenges this assumption.
Banks often operate within complex group structures where ICT services are centralised. While this can deliver efficiency and consistency, it also creates distance between the local board and the underlying digital infrastructure.
DORA makes clear that distance does not reduce responsibility. Local boards remain accountable for the resilience of services on which their institution depends, even if those services are delivered by group entities or external providers.
This creates a governance tension that many bank boards are still learning to navigate: how to exercise effective oversight over systems they do not control operationally. DORA does not offer an easy solution, but it makes the expectation explicit.
Early supervisory signals: what regulators focus on
Early supervisory engagement around DORA suggests that regulators are less concerned with documentation volume and more concerned with governance clarity. For banks, supervisory attention tends to focus on:
- clarity of accountability at board level,
- understanding of critical ICT dependencies,
- realism of exit and recovery assumptions,
- quality of incident escalation and board involvement.
Banks that approach DORA as a technical implementation project risk underestimating this focus. Those that embed DORA into their prudential governance framework are better positioned to meet supervisory expectations.
The core message of Part I
For banks, DORA is not simply another regulatory layer. It is a statement that digital operational resilience is now a prudential governance obligation. Boards are expected to treat digital resilience with the same seriousness as capital adequacy, liquidity and recovery planning.
In Part II, this prudential perspective will be translated into governance practice by examining how the five DORA pillars operate specifically within banks, with particular attention to incidents, testing and third-party dependencies.
Part II – How the DORA pillars operate in banking governance
From generic framework to banking reality
In the generic DORA framework, the five pillars form an integrated governance architecture. In banking, those same pillars take on a distinctly prudential character. This is not because the regulation changes, but because the risk context does. Banks operate in an environment where continuity, confidence and access to money are not private concerns but public ones.
For bank boards, the DORA pillars therefore function less as compliance domains and more as supervisory lenses through which regulators assess whether governance is capable of withstanding stress. Each pillar tests a different aspect of board oversight. Taken together, they reveal whether digital resilience is genuinely governed or merely assumed.
Read more on the Digital Operational Resilience Act (DORA) on Euronext.
Pillar I – ICT risk management: from inventory to board insight
In banks, ICT risk management frameworks are often extensive. Asset inventories, risk registers and control catalogues are usually well developed. Yet supervisory experience shows that volume does not equal governance quality.
From a board perspective, the key question is not whether ICT risks are documented, but whether they are translated into insight that supports prudential decision-making. Boards need to understand:
- which ICT assets support critical banking functions such as payments, treasury and customer access;
- where dependencies are concentrated;
- which failures would have immediate prudential impact.
DORA implicitly challenges banks to move beyond technical classification and towards impact-driven risk visibility. A register that lists hundreds of systems but does not clearly identify the few that truly matter does not support governance. Supervisors increasingly expect boards to be able to articulate, in plain terms, where the bank is digitally fragile and why.
Pillar II – ICT incident management: the supervisory stress test
In banking, ICT incidents are not merely operational events; they are supervisory signals. Payment disruptions, online banking outages or data integrity issues immediately attract regulatory attention, regardless of duration.
Under DORA, incident management becomes a stress test of governance under pressure. Boards are expected to ensure that:
- materiality thresholds are clearly defined;
- escalation pathways function in practice, not just on paper;
- board-level awareness is timely and substantive;
- post-incident reviews lead to concrete changes.
Supervisors look closely at how boards engage during serious incidents. Not to manage recovery operationally, but to assess whether the board understands the prudential implications: customer trust, liquidity sensitivity, regulatory exposure and reputational damage.
A recurring weakness in banks is that incident handling is technically efficient but governance-light. Rapid restoration without board-level challenge or follow-up may resolve the immediate issue while leaving structural weaknesses untouched. DORA explicitly discourages this pattern.
Pillar III – Digital resilience testing: when prudence meets evidence
Banks are no strangers to testing. Stress testing is deeply embedded in prudential supervision. DORA extends this logic to digital operational resilience.
For banks, resilience testing under DORA is not about proving compliance, but about testing prudential assumptions. Many banking operations rely on implicit beliefs:
- that recovery time objectives are achievable under real conditions;
- that failover systems will function across geographies;
- that third-party providers will perform under systemic stress.
DORA requires these assumptions to be challenged. For boards, test results should be treated as prudential intelligence. Repeated findings or unresolved weaknesses are not technical shortcomings; they are signals that risk appetite, investment priorities or outsourcing strategies may be misaligned with resilience objectives.
Supervisors expect boards to engage with testing outcomes in the same way they engage with capital stress tests: by asking whether current buffers, controls and dependencies remain acceptable in light of evidence.
Pillar IV – Third-party risk: concentration and lock-in as governance risks
No DORA pillar has more profound implications for banks than ICT third-party risk. Banking has embraced outsourcing, cloud services and group-wide ICT platforms at scale. These arrangements often deliver efficiency, but they also create structural dependencies.
DORA makes explicit that such dependencies are governance risks, not contractual details. Boards are expected to understand:
- which third parties support critical banking functions;
- whether dependencies are concentrated across the sector;
- how realistic exit and substitution scenarios truly are.
For banks, this is particularly sensitive. Core banking platforms, payment processors and cloud providers are not easily replaced. Exit strategies often exist on paper but would be extremely difficult to execute under stress.
Supervisors do not expect boards to eliminate dependency. They do expect boards to be honest about it. Governance maturity under DORA is demonstrated by transparent acknowledgement of lock-in and residual risk, combined with credible mitigation and oversight.
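The two board questions raised under Pillar I (which of the many systems in the register actually support critical functions) and Pillar IV (which third parties those systems depend on, and where a single provider outage would disrupt several critical functions at once) can be answered mechanically from an inventory. The script below is an added illustration written for this article; it is not code from the article, from any regulator or from any bank. The function names, system names and providers are constructed and hypothetical, and it assumes no redundancy: a function fails if any one of its systems fails, and a system fails if any one of its providers fails.

```python
"""Added example: derive board-level dependency and concentration answers
from a constructed ICT inventory. All names are hypothetical.
"""
from collections import defaultdict

# Constructed inventory: critical banking function -> ICT systems it needs.
CRITICAL_FUNCTIONS = {
    "payments": ["core_banking", "payment_gateway", "sanctions_screening"],
    "customer_access": ["online_banking", "identity_provider"],
    "treasury": ["treasury_system", "market_data_feed"],
}

# Constructed inventory: ICT system -> external providers it runs on.
# An empty list means the system is operated in-house.
SYSTEM_PROVIDERS = {
    "core_banking": ["CoreVendor"],
    "payment_gateway": ["CloudOne"],
    "sanctions_screening": ["CloudOne", "ScreeningCo"],
    "online_banking": ["CloudOne"],
    "identity_provider": [],
    "treasury_system": ["CloudTwo"],
    "market_data_feed": ["DataVendor"],
    "hr_system": ["CloudOne"],  # supports no critical function; must be filtered out
}


def critical_systems(functions):
    """Systems that support at least one critical function (the few that matter)."""
    return {system for systems in functions.values() for system in systems}


def provider_impact(functions, system_providers):
    """Map each provider to the critical functions its outage would disrupt.

    Assumption (hypothetical model): no redundancy, so one failing provider
    takes down every system built on it, and every function using that system.
    """
    impact = defaultdict(set)
    for function, systems in functions.items():
        for system in systems:
            for provider in system_providers.get(system, []):
                impact[provider].add(function)
    return dict(impact)


def concentrated_providers(functions, system_providers, min_functions=2):
    """Providers whose outage hits at least `min_functions` critical functions,
    most concentrated first (ties broken alphabetically)."""
    impact = provider_impact(functions, system_providers)
    hits = [(p, fs) for p, fs in impact.items() if len(fs) >= min_functions]
    return [p for p, _ in sorted(hits, key=lambda item: (-len(item[1]), item[0]))]


def unmapped_critical_systems(functions, system_providers):
    """Critical systems absent from the provider inventory: a register gap
    the board cannot reason about until it is closed."""
    return critical_systems(functions) - set(system_providers)


def board_summary(functions, system_providers):
    """Plain-language lines a board paper could carry, derived from the inventory."""
    lines = []
    for function, systems in functions.items():
        providers = sorted({p for s in systems for p in system_providers.get(s, [])})
        lines.append(f"{function}: {len(systems)} systems, providers {providers or ['in-house only']}")
    impact = provider_impact(functions, system_providers)
    for provider in concentrated_providers(functions, system_providers):
        lines.append(f"concentration: {provider} outage disrupts {sorted(impact[provider])}")
    gaps = unmapped_critical_systems(functions, system_providers)
    if gaps:
        lines.append(f"register gap: no provider mapping for {sorted(gaps)}")
    return lines


if __name__ == "__main__":
    for line in board_summary(CRITICAL_FUNCTIONS, SYSTEM_PROVIDERS):
        print(line)
```

On the constructed data the summary shows that the non-critical `hr_system` drops out of view, that `CloudOne` is the one provider whose outage would disrupt two critical functions (payments and customer access), and that every critical system has a provider mapping. A real register would add the redundancy and substitutability information this toy model deliberately omits, which is exactly the point at which the "exit strategy on paper" question in the text becomes testable.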
Pillar V – Information sharing: banking resilience beyond the institution
Banks operate within dense networks of interdependence. DORA recognises that digital resilience cannot be managed solely at the level of individual institutions.
Information sharing on cyber threats, vulnerabilities and incidents is therefore encouraged within controlled frameworks. For banks, participation in such arrangements is increasingly seen as part of responsible governance rather than a discretionary activity.
Boards should view this pillar through a prudential lens. Excessive secrecy may protect short-term reputation, but it can undermine systemic stability. DORA subtly shifts expectations towards collective resilience, particularly for institutions whose failure could have wider impact.
The role of board committees in banking DORA governance
In banks, DORA governance typically involves audit committees, risk committees and sometimes dedicated technology or operational resilience committees. These structures can support effective oversight, but they also create a risk of fragmentation.
DORA does not permit digital resilience to be delegated entirely to committees. Ultimate accountability remains with the full board. Committees prepare, analyse and challenge, but they do not replace board-level ownership.
Supervisors increasingly assess whether:
- committee discussions translate into board decisions;
- digital resilience features regularly on full board agendas;
- non-executive directors demonstrate understanding beyond technical summaries.
Where DORA remains confined to committee-level discussions, governance is likely to be judged insufficient.
The core message of Part II
For banks, the DORA pillars operate as a prudential governance framework. They expose whether boards truly understand and govern digital dependencies, or whether resilience is assumed rather than evidenced.
Incident handling, testing and third-party oversight are not operational exercises; they are governance mechanisms through which supervisors assess board effectiveness.
In Part III, the focus will shift to:
- proportionality between systemic and smaller banks,
- documentation as evidence of prudential governance,
- the role of non-executive directors,
- and how banks demonstrate DORA governance in supervisory dialogue and reporting.
Read more from ESMA on Why is DORA needed?
Part III – Proportionality, documentation and supervisory accountability
Proportionality in banking: differentiated form, undiluted responsibility
Proportionality is a core principle of DORA, but in the banking sector it operates within strict boundaries. While the regulation allows flexibility in how governance is organised, it does not permit a reduction in responsibility. For banks, proportionality is about how governance is demonstrated, not whether it is required.
Systemically important banks operate complex, cross-border ICT ecosystems and are therefore subject to intense supervisory scrutiny. Their governance structures are expected to be highly formalised, with frequent reporting, extensive testing programmes and explicit board involvement. For smaller or domestically focused banks, proportionality allows for simpler structures, fewer committees and more concise documentation.
What does not change is the supervisory expectation that the board must be able to explain:
- where the bank is digitally vulnerable,
- which risks are accepted and why,
- how resilience is monitored and improved over time.
Supervisors increasingly assess proportionality by looking at digital dependency, not institutional size. A smaller bank that relies heavily on shared service providers, outsourced core banking platforms or real-time payment infrastructure may face governance expectations that are closer to those of larger peers. Proportionality, in this sense, is dynamic rather than categorical.
When proportionality becomes a supervisory concern
In practice, proportionality becomes problematic when it is used defensively. Banks sometimes invoke proportionality to justify limited board engagement, informal decision-making or reliance on group-level arrangements without sufficient local oversight.
DORA draws a clear supervisory line here. Where governance structures are lean, boards are expected to compensate with clarity, transparency and explicit reasoning. Informality does not excuse opacity. In fact, it increases supervisory sensitivity.
From a prudential perspective, the most concerning situation is not a bank with limited resources, but a bank that cannot articulate how digital risks are governed. Supervisors consistently signal that they prefer honest acknowledgement of constraints over optimistic assertions that are not supported by evidence.
Documentation as prudential evidence, not administrative burden
For banks, documentation under DORA serves a critical prudential function. It is not merely a record of compliance activities; it is evidence of governance in action.
Effective documentation allows supervisors to trace:
- which digital resilience decisions were made,
- on what basis,
- by whom,
- and with what follow-up.
This traceability is particularly important in banking, where supervisory judgement often hinges on governance quality rather than technical detail. A concise board paper that captures a difficult trade-off between resilience and efficiency may be far more valuable than extensive technical documentation that lacks decision context.
DORA does not require banks to document everything. It requires them to document what matters. Boards that view documentation as a governance tool rather than a compliance artefact are better positioned to meet supervisory expectations.
Demonstrable control versus formal compliance
A recurring supervisory theme in banking is the distinction between formal compliance and demonstrable control. Banks are generally proficient at producing policies, frameworks and reports. DORA raises the bar by asking whether these artefacts translate into effective governance.
Demonstrable control becomes visible when:
- boards engage meaningfully with ICT risk reporting,
- incident reviews lead to tangible changes,
- test findings influence investment or outsourcing decisions,
- third-party risks are discussed in strategic terms.
Supervisors increasingly look for this causal link between information, decision-making and action. Where documentation exists without evidence of board engagement, governance is likely to be judged weak, even if formal requirements are met.
The role of non-executive directors in banking DORA governance
Non-executive directors play a pivotal role in translating DORA into effective banking governance. They are not expected to master technical detail, but they are expected to challenge narratives and test assumptions.
Key questions for non-executives include:
- Do we truly understand our most critical digital dependencies?
- Are we over-reliant on specific providers or group arrangements?
- How confident are we that recovery plans would work under stress?
- What would fail first if multiple systems were disrupted simultaneously?
Audit and risk committees are central to this process, but DORA does not allow digital resilience to be confined to committee discussions. Full board ownership remains essential. Where non-executive challenge is absent or superficial, supervisory confidence erodes quickly.
Also read on the EU AI Ambition in: Axelera AI and the Governance of European AI Ambition.
Read more in this series: DORA and the Boardroom – Why Digital Operational Resilience Has Become a Core Governance Responsibility.
DORA in supervisory dialogue and prudential reporting
DORA significantly reshapes the supervisory dialogue between banks and regulators. Discussions about digital resilience increasingly resemble discussions about capital, liquidity or recovery planning.
Supervisors are less interested in technical specifications than in governance clarity. They ask:
- How does the board oversee digital resilience?
- How are trade-offs between cost, efficiency and resilience made?
- How are third-party dependencies managed at board level?
- How does the bank learn from incidents and testing?
Banks that can articulate these points clearly and consistently across governance documents, supervisory meetings and internal reporting are perceived as governance-mature. Those that rely on fragmented or overly technical explanations are not.
DORA therefore reinforces the importance of coherent governance storytelling. Prudential credibility depends on consistency between what the board says, what the documentation shows and how the organisation behaves under stress.
Read more on this in: Board Dynamics: Non-Executive vs Independent Directors.
DORA as a prudential mirror for bank governance
Ultimately, DORA functions as a mirror for banking governance. It reflects whether boards are equipped to govern in an environment defined by complexity, dependency and uncertainty.
Banks that treat DORA as a technical implementation project will struggle, because the regulation exposes governance weaknesses rather than masking them. Banks that treat DORA as a prudential governance framework gain something more valuable than regulatory compliance: a clearer understanding of their own resilience.
Digital operational resilience is no longer a secondary operational concern for banks. It is a condition for trust, stability and licence to operate. DORA makes that explicit, and it places responsibility squarely where it belongs: in the boardroom.
Something similar has happened (on a voluntary basis) in respect of accountability for the Report of the Managing Directors; see this blog: IFRS Practice Statement 1 Management Commentary.
FAQs – DORA banking governance
FAQ 1 – Why does DORA apply more strictly to banks than to other financial institutions?
Although DORA applies across the financial sector, banks are subject to inherently higher governance expectations because of their role in payments, liquidity provision and financial stability. Digital disruption at a bank can have immediate and systemic consequences, affecting customers, counterparties and market confidence.
DORA does not create a separate legal regime for banks, but it assumes a higher level of governance maturity where potential impact is greater. For banks, digital operational resilience is closely linked to prudential soundness. An ICT failure may not immediately affect capital, but it can trigger reputational damage, liquidity stress and supervisory intervention.
Supervisors therefore assess banking DORA governance through a prudential lens. Boards are expected to understand digital dependencies, oversee resilience trade-offs and engage actively with incidents, testing and third-party risks. What might be acceptable governance for a non-bank may be insufficient for a credit institution.
FAQ 2 – What are board responsibilities under DORA specifically for banks?
For banks, DORA places clear responsibility on the board for governing digital operational resilience as a prudential risk. This includes setting direction, overseeing execution and ensuring follow-up where weaknesses are identified.
Boards are not expected to manage ICT operations, but they must understand where the bank is digitally vulnerable and how those vulnerabilities interact with core banking functions such as payments, customer access and liquidity management. Decisions on outsourcing, cloud adoption and system architecture are therefore board-level matters.
Supervisors assess whether boards receive meaningful information, challenge management assumptions and ensure that resilience is embedded into strategy and risk appetite. Formal approval of policies without active oversight is insufficient under DORA, particularly for banks.
FAQ 3 – How does proportionality work for systemic banks versus smaller banks?
Proportionality under DORA allows flexibility in how governance is organised, but it does not reduce responsibility. For systemic banks, governance structures are expected to be highly formalised, with extensive reporting, testing and board involvement. Smaller banks may apply simpler structures, but they remain fully accountable.
Supervisors assess proportionality based on digital dependency and potential impact, not just size. A smaller bank relying heavily on outsourced core banking platforms or shared service providers may face governance expectations similar to those of larger institutions.
Boards must therefore be able to explain why their governance arrangements are appropriate to their risk profile and how proportionality has been consciously applied. Proportionality that is assumed rather than reasoned becomes a supervisory concern.
FAQ 4 – Why are ICT incidents treated as a governance issue for banks under DORA?
In banking, ICT incidents are not merely operational disruptions; they are indicators of governance effectiveness. Payment outages, online banking failures or data integrity issues immediately attract supervisory attention because of their potential prudential impact.
Under DORA, boards must ensure that incident classification, escalation and reporting function in practice. Supervisors assess how boards engage with serious incidents, including whether impact is understood beyond technical metrics and whether lessons lead to structural improvements.
Efficient technical recovery without board-level challenge may still be seen as a governance failure. DORA explicitly uses incidents as a stress test of board oversight in banks.
FAQ 5 – How does DORA change third-party risk governance for banks?
DORA makes clear that outsourcing does not transfer responsibility. For banks, this has significant implications given their extensive reliance on third-party ICT providers, including cloud services and group-level platforms.
Boards must understand where critical dependencies exist, whether concentration or lock-in risks arise and how realistic exit strategies truly are. In many cases, full exit is not immediately feasible. Governance maturity is demonstrated by transparent acknowledgement of dependency and credible risk mitigation, not by unrealistic assurances.
Supervisors increasingly view third-party risk as a strategic governance issue rather than a contractual matter. For banks, this is one of the most scrutinised aspects of DORA.
FAQ 6 – How does DORA affect supervisory dialogue and reporting for banks?
DORA reshapes supervisory dialogue by bringing digital resilience into the core of prudential governance discussions. Supervisors are less interested in technical detail than in governance clarity.
They expect boards to explain how digital resilience is overseen, how trade-offs are made and how incidents and test results influence decisions. This affects internal reporting, board papers and supervisory engagement.
Banks that present a coherent governance narrative—consistent across documentation, board discussions and supervisory meetings—are perceived as governance-mature. Those that rely on fragmented or overly technical explanations face increased scrutiny under DORA.