The Digital Operational Resilience Act (DORA) marks a turning point in how financial entities in the EU must approach ICT risk. Among other things, it requires digital operational resilience to be considered a matter of corporate governance. Article 5 of DORA prescribes that financial entities must establish an internal governance and control framework that ensures an effective and prudent management of ICT risk, with the management body bearing the “ultimate responsibility” for managing the financial entity’s ICT risk.

The responsibility of the management body in this area is not entirely new, but DORA represents a profound change (see for instance Schneider 2022, Pérez Carrillo 2023 and Galle & Vletter-van Dort 2025). It mandates that digital operational resilience be embedded in governance, risk management frameworks and strategic decision-making. This means that management bodies must be structurally involved in dealing with ICT risk.

Board-level accountability

Under DORA, ICT risk is treated as a core business risk. Article 5 requires management bodies to define, approve and oversee the ICT risk management framework. This creates accountability: when an ICT-related incident occurs, the board will be expected to show that it had anticipated, understood and governed the risk beforehand. This implies a proactive role for management bodies. Board members must, among other things, be able to assess cyber threats and incident response capabilities, allocate an appropriate budget and take strategic decisions. They are not all required to be IT experts, but they cannot oversee passively.

Embedding resilience in governance

DORA requires management bodies to embed digital operational resilience in governance structures. They must clearly define roles and responsibilities for ICT risk management and ensure coordination among ICT-related functions. Strategies, policies and procedures must be appropriate, documented and regularly reviewed. Management bodies must ensure that the three lines of defence model functions effectively, and must establish adequate controls and audits, carried out by auditors with sufficient knowledge, skills and expertise in ICT risk.

A more holistic vision

Management bodies must have visibility across the financial entity’s entire digital ecosystem, including its relationships with ICT third-party service providers. They must approve and periodically review the policy on third-party arrangements and establish appropriate reporting channels so that they are duly informed. Understanding concentration risk, systemic dependencies and potential single points of failure is now a board-level concern.

Knowledge is no longer optional

Article 5(4) is crucially important. It requires members of the management body to “actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis.” This means that board members must invest time in learning. Regular training on DORA requirements, and generally on cyber risk management, is now a key component of regulatory compliance and effective leadership.

Responsibility vs. opportunity

DORA places a significant responsibility on management bodies, but it also brings a meaningful opportunity. Boards that invest in their own capabilities and embed digital operational resilience in governance and strategy will not only comply with the regulation but will also strengthen their financial entities. Boards must take the lead on ICT risk management. This is why digital operational resilience now starts at the top.
