Part I – Why DORA is fundamentally a governance regulation
Introduction – when digital resilience crossed the boardroom threshold
For many years, digital risk sat comfortably at the periphery of corporate governance. It was discussed in specialist committees, delegated to IT and security teams, and addressed through technical controls, audits and assurance reports. Boards approved policies, received high-level incident summaries and relied on the assumption that “technology risk” was being managed somewhere below the surface.
That assumption is no longer tenable.
The Digital Operational Resilience Act (DORA) represents a structural shift in how digital risk is understood within the European financial sector. It does not simply introduce new requirements or harmonise supervisory expectations. It redefines where responsibility lies. Under DORA, digital operational resilience is no longer treated as a technical condition of systems, but as a governance attribute of the institution itself.
This distinction is crucial. DORA does not ask whether systems are secure in a narrow technical sense. It asks whether the institution is governed in a way that allows it to withstand, respond to and recover from digital disruption. That question can only be answered at board level.
This article explains DORA as a governance framework rather than a technical rulebook. It is written for board members, non-executive directors, audit and risk committee members and senior executives who must now demonstrate that digital resilience is not merely implemented, but actively governed.
Why digital risk has become a governance risk
The financial sector has undergone a profound structural transformation. Digitalisation is no longer a support function; it is the operating model. Payments, trading, asset management, insurance administration, customer onboarding and regulatory reporting are now inseparable from complex ICT ecosystems.
These ecosystems have three defining characteristics.
First, they are deeply interconnected. Systems no longer fail in isolation. A disruption in one component can cascade across processes, entities and even institutions.
Second, they extend beyond organisational boundaries. Core functions increasingly rely on cloud providers, platform vendors and specialised third-party service providers, often through multiple layers of subcontracting.
Third, their failure has immediate external impact. Digital outages are no longer internal inconveniences. They affect customers, counterparties, market confidence and, in some cases, financial stability.
These characteristics fundamentally change the nature of risk. Digital incidents are no longer merely operational events. They are potential governance failures. They expose weaknesses in decision-making, oversight, accountability and control.
DORA is the regulatory response to this reality. It recognises that digital risk cannot be mitigated through technical measures alone. It must be governed.
What DORA deliberately does not regulate
One of the most important aspects of DORA is what it does not do. It does not prescribe specific technologies, security tools or system architectures. It does not mandate particular cloud providers, encryption standards or recovery solutions.
This is not an omission. It is a design choice.
Technology evolves too quickly for prescriptive regulation to remain effective. Governance principles, by contrast, endure. By focusing on responsibility, oversight and decision-making, DORA creates a framework that remains relevant regardless of technological change.
As a result, the supervisory question shifts. It is no longer:
“Does the institution have the right technical controls?”
but:
“Is the institution governed in a way that ensures digital resilience?”
This shift places boards at the centre of the regulatory landscape.
Read more from EIOPA on the Digital Operational Resilience Act (DORA).
Digital resilience as a strategic choice, not a technical outcome
A recurring misconception is that digital resilience can be engineered independently of business strategy. In reality, resilience is the cumulative result of strategic choices.
Every financial institution makes trade-offs, whether explicitly or implicitly:
- efficiency versus redundancy
- speed to market versus stability
- scalability versus dependency
- innovation versus control
These trade-offs shape the institution’s digital risk profile. They determine how vulnerable the organisation is to disruption and how quickly it can recover.
DORA forces boards to acknowledge that these trade-offs are not operational details. They are strategic decisions with governance consequences. When a board approves a cloud migration, outsources a core process or accelerates digital transformation, it is also shaping the institution’s resilience.
Under DORA, boards can no longer distance themselves from these outcomes by framing them as “IT decisions”. If a choice affects the institution’s ability to remain operational in the face of digital disruption, it is a board-level matter.
The scope of DORA – broad, but not diluted
DORA applies to a wide range of financial entities across the European Union, including credit institutions, investment firms, asset managers, payment service providers, electronic money institutions and insurers.
This breadth is intentional. Digital operational resilience is not a banking-specific issue. It is a sector-wide concern.
At the same time, DORA recognises that institutions differ significantly in size, complexity and risk profile. It incorporates the principle of proportionality to allow flexibility in implementation. What it does not allow is flexibility in responsibility.
Regardless of size or label, every institution must be able to demonstrate that its management body understands digital dependencies, oversees associated risks and takes responsibility for resilience outcomes. Proportionality affects how governance is organised, not whether it exists.
Integrating digital resilience into existing governance structures
DORA does not introduce a parallel governance universe. It deliberately connects digital resilience to existing governance frameworks: risk management, internal control, business continuity, outsourcing oversight and board supervision.
The challenge for many institutions lies in fragmentation. Digital risk is often split across IT, risk, compliance and operations, with no single point of holistic oversight. Each function sees part of the picture; no one sees the whole.
DORA addresses this by anchoring responsibility at the level of the management body. It does not eliminate delegation, but it eliminates ambiguity. There is no longer any doubt about who is accountable when digital resilience fails.
The core message of Part I
The fundamental message of DORA can be summarised simply:
Digital operational resilience is not a technical capability; it is a governance responsibility.
DORA does not require institutions to eliminate digital risk. It requires boards to understand it, govern it and take responsibility for it. In doing so, it transforms digital resilience from an assumed condition into an explicit element of corporate governance.
In Part II, this governance logic will be translated into structure by examining the five pillars of DORA as an integrated governance architecture and explaining how they function together at board level.
Read more on the Digital Operational Resilience Act (DORA) on Euronext.
Part II – The five pillars of DORA as a governance architecture
From principle to structure: why DORA is built around pillars
Part I established that DORA is fundamentally a governance regulation. That immediately raises the next question for boards: how does this responsibility translate into concrete expectations? The answer lies in the structure of DORA itself. The regulation is organised around five interrelated pillars that together form a governance architecture for digital operational resilience.
These pillars are often approached as compliance domains. That is a mistake. They are better understood as mechanisms through which governance becomes visible and testable. Each pillar addresses a different dimension of digital dependency, but none of them functions in isolation. Supervisors do not assess them separately; they assess whether they operate as a coherent system under board oversight.
Pillar I – ICT risk management: making digital dependency visible
The first pillar concerns ICT risk management. Superficially, this appears to be a technical requirement: inventories, risk registers, asset classifications. In governance terms, however, this pillar serves a more fundamental purpose: it creates visibility.
Boards cannot govern what they cannot see. DORA therefore requires institutions to identify critical or important functions and map the ICT assets and dependencies that support them. This mapping is not an end in itself. It is intended to answer governance questions such as:
- Where are our single points of failure?
- Which services are critical to customers and markets?
- Which dependencies limit our room for manoeuvre?
For boards, the quality of ICT risk management is not measured by the sophistication of tooling, but by the clarity of insight it provides. A risk framework that produces large volumes of data but fails to support prioritisation does not enable governance. DORA implicitly challenges boards to ask whether they receive information that allows them to make informed trade-offs.
Pillar II – Incident management: governance under stress
The second pillar addresses ICT-related incidents. DORA does not assume that incidents can be eliminated. Instead, it treats them as inevitable stress events that reveal the quality of governance.
Incident management under DORA is therefore not primarily about response playbooks or technical recovery times. It is about escalation, decision-making and accountability under pressure. Boards are expected to ensure that:
- clear criteria exist for classifying incidents as material,
- escalation thresholds are defined in advance,
- management bodies are informed in a timely manner,
- lessons learned are translated into structural improvements.
Supervisors pay particular attention to how boards engage with serious incidents. They are not looking for operational involvement, but for evidence that the board understands impact, challenges assumptions and demands follow-up. An incident handled efficiently but without board scrutiny may still be seen as a governance failure.
Pillar III – Digital resilience testing: challenging assumptions
The third pillar introduces structured testing of digital operational resilience. From a governance perspective, testing serves one core function: it challenges assumptions.
Many resilience strategies are built on beliefs rather than evidence:
- that recovery plans will work as designed,
- that third parties will meet contractual obligations under stress,
- that systems will fail independently rather than simultaneously.
Testing exposes whether these beliefs hold in practice. DORA explicitly links testing to governance by requiring that results are reviewed and acted upon at an appropriate level. For boards, test outcomes are not technical metrics; they are indicators of whether strategic and operational choices remain defensible.
Repeated findings are particularly significant. They suggest not a failure of execution, but a misalignment between risk appetite, investment decisions and resilience objectives. In that sense, testing becomes a feedback loop for governance itself.
Pillar IV – ICT third-party risk: dependency as a board-level issue
The fourth pillar is widely regarded as the most challenging. DORA’s treatment of ICT third-party risk fundamentally reshapes the governance of outsourcing.
The regulation makes explicit what was often implicit: outsourcing does not transfer responsibility. Even where critical services are delivered entirely by third parties, the management body remains accountable for digital resilience outcomes.
This has far-reaching implications for boards. Third-party risk is no longer confined to contract management or vendor oversight. It becomes a strategic question:
- How dependent are we on specific providers?
- Where do we face concentration or lock-in risk?
- Are exit strategies realistic or merely theoretical?
DORA requires boards to confront uncomfortable realities. In many cases, full exit is not immediately feasible. Governance maturity under DORA is not demonstrated by claiming otherwise, but by acknowledging limitations and managing residual risk transparently.
Pillar V – Information sharing: resilience beyond the firm
The fifth pillar recognises that digital operational resilience has a collective dimension. Large-scale ICT incidents and vulnerabilities do not respect institutional boundaries. They can affect entire markets and sectors.
DORA therefore promotes information sharing on cyber threats and vulnerabilities, within controlled frameworks. For boards, this pillar reinforces an important governance insight: resilience is not purely competitive. Excessive secrecy may protect reputation in the short term, but it can undermine systemic stability.
Participation in information-sharing arrangements signals a shift from firm-centric risk management to sector-aware governance.
How supervisors assess the pillars: coherence over completeness
A critical insight for boards is that supervisors do not assess each pillar in isolation. They assess coherence.
An institution may have comprehensive third-party contracts, but weak incident escalation. It may conduct extensive testing, but fail to translate results into decisions. In such cases, formal compliance exists, but governance does not function.
DORA therefore acts as an integrative test. It asks whether the institution’s governance system can:
- identify digital vulnerabilities,
- respond effectively under stress,
- adapt based on evidence,
- and maintain control despite external dependencies.
Where this system breaks down, accountability ultimately points back to the board.
The core message of Part II
The five pillars of DORA form a governance architecture that makes digital resilience observable, testable and enforceable. They translate the abstract principle of board responsibility into concrete mechanisms through which supervisors can assess whether governance works in practice.
In Part III, this architecture will be connected to proportionality, documentation and accountability. The focus will shift from structure to how boards demonstrate control without falling into bureaucracy.
Read more from ESMA: Why is DORA needed?
Part III – Proportionality, documentation and accountable governance
Proportionality: flexibility in form, not in responsibility
One of the most frequently cited concepts in DORA is proportionality. It is also one of the most frequently misunderstood. Proportionality does not mean that some institutions are “less subject” to DORA than others. It means that the way governance is organised may differ, not that the expectation of accountability is reduced.
Under DORA, all financial entities are subject to the same core principle: the management body is responsible for digital operational resilience. Proportionality allows institutions to tailor governance structures, reporting frequency and documentation depth to their specific risk profile. What it does not allow is informality, ambiguity or abdication.
Supervisors assess proportionality by looking at actual digital dependency and potential impact, not by reference to balance sheet size, headcount or market positioning. A small, digitally native payment institution with real-time customer exposure may face more demanding governance expectations than a larger firm with limited digital criticality. Boards must therefore be able to explain not only what they have implemented, but why that implementation is appropriate.
Proportionality, in this sense, is an active governance decision, not a passive exemption.
When proportionality becomes a governance risk
A recurring risk under DORA is that proportionality is used defensively, as a justification for minimalism. This typically manifests in vague statements such as “we are small”, “we rely on group arrangements”, or “our provider manages that risk”. Such reasoning may reduce workload, but it increases governance exposure.
DORA draws a clear line: simplicity is acceptable, opacity is not. Where governance structures are lean, the burden on the board to demonstrate understanding and control increases rather than decreases. Informal processes must still result in clear decisions, documented rationale and visible follow-up.
From a supervisory perspective, the most problematic institutions are not those with limited resources, but those that cannot clearly articulate:
- which digital risks they face,
- which risks they accept,
- and why that acceptance is justified.
Proportionality that is not explicitly reasoned becomes a liability.
Documentation as evidence of governance, not bureaucracy
DORA places considerable emphasis on documentation. This is often perceived as administrative overhead. In governance terms, documentation serves a different function: it is evidence of decision-making.
Well-governed institutions can demonstrate:
- which assumptions were made,
- which alternatives were considered,
- who took which decision,
- and how outcomes were monitored.
Documentation is therefore not about volume, but about traceability. A concise board paper that captures a key trade-off may be far more valuable than extensive technical documentation that lacks governance context.
DORA implicitly shifts the question from “do we have documentation?” to “does our documentation show that we govern?”. Where decisions are undocumented, supervisors will assume that governance is either absent or ineffective.
From formal compliance to demonstrable control
One of the most important distinctions introduced by DORA is the difference between formal compliance and demonstrable control. Institutions may meet formal requirements by approving policies, establishing processes and producing reports. DORA goes further.
Supervisors assess whether boards:
- actively engage with digital resilience topics,
- receive and understand relevant information,
- challenge management where necessary,
- and ensure that weaknesses are addressed.
This distinction becomes particularly visible during incidents and testing exercises. Institutions that treat these events as technical matters often fail the governance test, even if operational recovery is swift. Conversely, institutions that demonstrate structured escalation, board-level discussion and clear remediation actions are seen as governance-mature, even where incidents occur.
DORA therefore rewards transparency and learning over superficial perfection.
Also read on the EU’s AI ambition: Axelera AI and the Governance of European AI Ambition.
The role of non-executive directors and board committees
DORA significantly elevates the role of non-executive oversight. Non-executive directors are not expected to master technical detail, but they are expected to test management narratives and challenge assumptions.
Key questions for non-executives include:
- Do we understand where the institution is digitally vulnerable?
- Are we overly dependent on specific providers or technologies?
- How do we know that resilience measures actually work?
- What would fail first under stress?
Audit and risk committees play a critical preparatory role, particularly in reviewing incident reports, test outcomes and third-party dependencies. However, DORA does not allow digital resilience to be fully delegated to committees. Ultimate accountability rests with the full board.
This reinforces an important governance principle: digital resilience is not a niche topic, but a core element of institutional oversight.
Read more on this in: Board Dynamics: Non-Executive vs Independent Directors.
Accountability beyond the boardroom
DORA does not require a separate public resilience report, but it reshapes expectations around transparency. Increasingly, supervisors, investors and other stakeholders expect institutions to explain how digital resilience is governed, not merely that it exists.
This has implications for:
- governance disclosures,
- risk reporting,
- internal control statements,
- and supervisory dialogue.
Boards that can clearly articulate their approach to digital resilience enhance institutional credibility. Those that rely on generic statements or technical jargon risk appearing disengaged from one of the most significant governance challenges of the digital age.
Something similar has happened, on a voluntary basis, in respect of accountability for the Report of the Managing Directors; see this blog: IFRS Practice Statement 1 Management Commentary.
DORA as a mirror for governance quality
Ultimately, DORA functions less as a checklist and more as a mirror. It reflects whether governance arrangements are capable of dealing with complexity, dependency and uncertainty.
Institutions that approach DORA as a technical compliance exercise will struggle, because the regulation exposes governance gaps rather than filling them. Institutions that treat DORA as a governance framework gain something more valuable than compliance: clarity about how resilient they truly are.
Digital operational resilience is no longer a characteristic of systems alone. It is a characteristic of governance. DORA makes that explicit, and boards are now expected to act accordingly.
Also read this blog: Building Embedded Analytics In-House: A Governance Roadmap for CFOs and Data Leaders.
FAQs – DORA regulation explained
FAQ 1 – What are board responsibilities under DORA?
Under the Digital Operational Resilience Act (DORA), responsibility for digital operational resilience sits explicitly with the management body of a financial institution. This means that the board is accountable for ensuring that digital risks are understood, governed and managed in a way that safeguards the institution’s ability to operate under stress.
DORA does not require board members to become technical experts. It does require them to exercise informed oversight. Boards must understand where the institution is digitally dependent, which risks are being accepted, and how resilience is embedded into strategy and decision-making. Key choices around outsourcing, cloud adoption, system architecture and investment priorities are therefore governance matters, not operational details.
Tasks may be delegated and execution may be outsourced, but accountability cannot be transferred. Supervisors assess whether boards receive meaningful information, challenge management assumptions and ensure that weaknesses are addressed. Formal policy approval alone is insufficient; DORA expects demonstrable board engagement and control.
FAQ 2 – Why is DORA considered a governance regulation rather than an IT regulation?
Although DORA focuses on digital risk, it does not prescribe specific technologies, security tools or system designs. Instead, it regulates responsibility, oversight and decision-making. This makes DORA fundamentally a governance regulation rather than an IT or cybersecurity rulebook.
Digital incidents rarely arise from isolated technical failures. They are usually the result of strategic trade-offs: efficiency versus redundancy, speed versus stability, scalability versus dependency. These are board-level decisions. DORA reflects this reality by placing accountability with the management body rather than with technical functions.
Supervisory assessments therefore focus less on technical sophistication and more on governance quality. The key question is not whether systems are advanced, but whether the institution is governed in a way that ensures resilience. This shift brings digital risk firmly into the boardroom.
FAQ 3 – How does proportionality work under DORA?
Proportionality under DORA allows flexibility in how governance arrangements are designed, but it does not reduce accountability. All financial entities are subject to the same core expectation: the board is responsible for digital operational resilience.
Proportionality affects the form of governance, not its existence. Smaller or less complex institutions may have simpler structures, fewer committees or lighter documentation. However, they must still be able to demonstrate that digital risks are understood, decisions are made consciously and oversight is effective.
Supervisors assess proportionality based on actual digital dependency and potential impact, not on size or market positioning. A small, digitally intensive institution may therefore face higher governance expectations than a larger organisation with limited digital criticality. Proportionality must be actively reasoned and documented, not assumed.
FAQ 4 – How does DORA change board oversight of ICT incidents?
DORA treats ICT incidents as a test of governance rather than merely operational events. Boards are expected to ensure that escalation thresholds are clearly defined and that material incidents are brought to the management body in a timely manner.
The board’s role is not to manage incidents operationally, but to understand impact, challenge assumptions and ensure that lessons are translated into structural improvements. Supervisors pay close attention to how boards engage during serious incidents, particularly whether follow-up actions are tracked and completed.
An institution that experiences incidents but demonstrates clear escalation, board involvement and remediation may be seen as governance-mature. Conversely, efficient technical recovery without board engagement can still result in supervisory concerns.
FAQ 5 – What does DORA require regarding third-party and outsourcing risk?
DORA makes it explicit that outsourcing does not transfer responsibility. Boards remain accountable for the digital resilience of services delivered by third parties, including cloud providers and subcontractors.
This shifts third-party risk from a contractual issue to a governance issue. Boards must understand where dependencies exist, whether concentration or lock-in risks arise, and how realistic exit strategies actually are. Paper-based exit plans without operational feasibility are increasingly scrutinised by supervisors.
Good governance under DORA does not require eliminating dependency, but it does require transparency. Boards are expected to acknowledge limitations, manage residual risk and document their reasoning. Honest assessment is viewed more favourably than unrealistic assurances.
FAQ 6 – How does DORA affect external reporting and accountability?
DORA does not mandate a separate public resilience report, but it reshapes expectations around governance disclosure. Supervisors and stakeholders increasingly expect institutions to explain how digital resilience is governed, not merely that it exists.
This affects governance statements, risk disclosures and internal control reporting. Effective disclosure focuses on board oversight, decision-making processes and accountability structures rather than technical detail. Transparency about trade-offs, incidents and dependencies enhances credibility.
Boards that can articulate their approach to digital resilience demonstrate governance maturity. DORA therefore strengthens the link between internal governance and external accountability.
