DORA and the Second Line: Why Technical Expertise Is Now a Strategic Necessity

As digitalisation accelerates across the financial sector, ICT has become the backbone of business operations and, by extension, one of the most critical sources of risk. The Digital Operational Resilience Act (DORA) is the EU’s regulatory response to this shift, setting a new standard for how financial entities work with ICT risk to ensure operational continuity in the face of disruption. 

While DORA brings many new requirements, one of the most fundamental, and perhaps underestimated, shifts is the expectation for stronger technical understanding in the second and third lines of defense. For second line professionals and board members alike, this signals a need to rethink how oversight and assurance are delivered. 

The role of the second line is changing 

Traditionally, the second line has focused on providing independent oversight through policy setting, governance frameworks, training, and risk monitoring. However, DORA demands a deeper, more technically grounded engagement. Second line professionals are now expected to: 

  • Challenge the adequacy of ICT controls, not just on paper but in actual implementation. 
  • Understand ICT risk at the system and infrastructure level. 
  • Engage meaningfully in areas such as cyber resilience testing, ICT third-party risk, and incident response readiness. 

This requires more than familiarity with regulatory expectations; it calls for hands-on knowledge of how ICT systems operate, how technical risks manifest in real time, and how they can cascade through interconnected systems. Traditional second-line approaches, such as high-level governance reviews and policy setting, will remain important, but they are no longer sufficient on their own.

That said, the role of the second line will also evolve over time, depending on the maturity of ICT risk management within the organization and the progress made in implementing DORA. In less mature organizations, the second line may initially take on a more supportive role, where oversight through policy setting, governance frameworks, and even assistance in structuring and verifying operational procedures may be sufficient. However, as organizational maturity increases, a deeper technical understanding will become essential for the second line to provide effective and credible oversight. 

Supervisory focus  

This evolving expectation is clearly visible in recent thematic reports from the Norwegian FSA (NFSA) on ICT risk, published in 2024 and 2025. These reports highlight recurring weaknesses in the independent controls carried out by the second line. A central recurring concern is whether the second line has sufficient expertise, resources and independence to adequately fulfill its critical responsibility in overseeing the ICT risks and governance.  

The NFSA also points to underdeveloped processes for reporting ICT risk to boards, where KPI and KRI metrics are immature, which limits the board’s ability to carry out its responsibilities. The reports give multiple further examples of deficiencies in second-line control processes, where key ICT risks and regulatory requirements, such as documentation, outsourcing, internal control, continuity, training, and risk assessments, are not being fully addressed.

High-level reviews are no longer enough 

For board members, this evolution means assurance must go deeper. Reports that rely solely on high-level governance or aggregated assessments no longer provide sufficient visibility into ICT risks. Boards must be confident that second line risk and compliance functions have technical insight and independence to challenge IT and security teams, and to detect when risks are not fully understood or mitigated. 

This shift will require: 

  • Targeted upskilling within risk and compliance functions. 
  • Recruitment of second-line professionals with ICT and cybersecurity backgrounds. 
  • A shift in board expectations, from governance compliance to technical understanding and the ability to challenge assessed levels of ICT risk. 

Third line alignment is crucial 

Internal audit, as the third line, faces similar pressures. DORA expects audits of ICT risk and digital resilience to go beyond policy reviews and delve into areas such as penetration testing, incident response simulations, and ICT risk management. 

Collaboration between the second and third lines is crucial to ensure consistent coverage and to avoid both gaps and duplicated assurance. This also enables the board to gain a clearer, more integrated view of ICT risks and how they are being managed across all three lines of defense.

Board accountability and strategic oversight 

Under DORA, ultimate responsibility for digital operational resilience rests with the management body, which includes the board. This means board members must: 

  • Ensure the second line has sufficient resources, expertise, and independence. 
  • Demand risk reporting that goes beyond qualitative heat maps and provides clear insights into ICT vulnerabilities, threat trends, and technical control maturity. 
  • Promote a culture where technical challenges and escalation are supported, not sidelined. 

The way forward 

DORA represents a decisive regulatory pivot, one that recognizes the strategic importance of ICT resilience in the modern financial ecosystem. For second-line professionals, it’s a call to deepen technical capabilities and to shift from governance-centric oversight to truly understanding and challenging technical risk. For board members, it’s a prompt to ask new questions: 

Does our risk function truly understand our ICT stack? Can they challenge it? Are we getting meaningful assurance, not just formal comfort? Do we, as a board, have the right competence to understand and challenge the assessment of ICT risk levels?

Investing in the technical acumen of the second and third lines isn’t just about meeting compliance deadlines in 2025. It’s about building long-term operational resilience, protecting customer trust, and future-proofing the institution in an era of digital disruption.


Ragnar Malmros

Director, Advisory Sweden, Operational Risk/ICT

Carl Olsson

Head of Advisory & Head of Advisense, Norway
