Board Responsibility for Digital Operational Resilience under DORA is clearer than ever
Boards have always held ultimate responsibility for their organisations. With the EU’s Digital Operational Resilience Act (DORA), that responsibility has become more concrete, more explicit, and significantly more demanding.
What were once considered “support functions” are now central to the business. Information and cybersecurity are no longer peripheral concerns; they are integral to risk management. DORA makes it clear that boards can no longer rely solely on policies; they must understand, challenge, and actively follow up on the organisation’s digital resilience.
Digital Operational Resilience (DOM) is the practical framework through which organisations implement DORA. It defines the capabilities, processes, and controls needed to ensure operational continuity in a digital environment. The board is responsible for approving and overseeing the organisation’s DOM framework and ensuring that it meets DORA’s expectations. It’s not enough to simply approve a framework. The board is responsible for ensuring it is well-designed, properly implemented, and effective in practice.
Just like with credit and financial risk, the board must define the organisation’s appetite for digital risk. Is it clearly articulated? And does the organisation’s actual capability match the ambition level? To challenge management effectively, board members need sufficient knowledge. They must be able to discuss ICT risk with the same rigour as financial risk.
What the Board Needs to Fulfil DORA Expectations
The mechanics of board work (reports, analysis, and discussion) remain the same, but the content must evolve significantly. Boards now require recurring, structured reporting that gives clear visibility into digital resilience. This includes:
- Clear tracking of ICT risks – aggregated, and when needed, by risk category
- Continuity and incident reporting – what occurred, how it was handled, and how preparedness worked
- Status of planned activities and resilience projects – from both first and second line, including resource adequacy
- Oversight of critical third-party providers – their risks, monitoring results, and mitigation actions
This information enables the board to govern and verify the organisation’s digital resilience. DORA is explicit: digital operational resilience is a board-level issue, and this responsibility cannot be delegated.
So, the essential question is: Does your board receive the information it needs to carry this responsibility?
How Boards Can Take Control of Digital Risks and Make Informed Decisions
DORA clearly establishes digital risk as a board-level responsibility. Boards must not only approve frameworks but also ensure that they are effective in practice. This requires a clear risk appetite for digital disruptions, sufficient knowledge to challenge management, and structured reporting that provides visibility into ICT risks, incidents, resilience capabilities, and third-party dependencies.
While the board has always carried ultimate responsibility, DORA sharpens expectations. Boards must be able to evaluate the organisation’s resilience capabilities, challenge management’s decisions, and ensure that digital risk is integrated into the overall governance framework.
The board of directors holds ultimate responsibility for setting and overseeing the organisation’s strategy for Digital Operational Resilience. This includes ensuring that digital resilience capabilities, controls, and processes are aligned with strategic objectives and regulatory expectations, and that roles and accountability are clearly defined. The board must monitor the organisation’s exposure to digital and operational risks, including cyber threats, system failures, third-party dependencies, and incident response capabilities. It is also responsible for ensuring adequate resources, competencies, and governance structures to safeguard continuity of critical operations. Through this oversight, the board ensures that digital operational resilience is maintained as a strategic asset and a foundation for long-term stability.
At Advisense, we see this shift in practice: boards must elevate ICT risk from a technical concern to a strategic area of oversight. They must understand, monitor, and steer digital resilience:
- Approve and oversee the ICT risk management strategy
- Ensure adequate resources and cybersecurity competence
- Monitor testing, incident handling, and reporting
- Evaluate risks associated with external ICT providers
So that boards can fulfil these responsibilities, DORA requires them to receive relevant, structured, and recurring information from the organisation:
1. Strategic Level – Risk Appetite and Resilience Goals
Boards need to understand the organisation’s risk appetite for digital disruptions: How much downtime can the business tolerate before critical processes or customer trust are affected? And how quickly should the organisation recover? This level involves policy decisions and risk culture, where the board sets ambition and tolerance thresholds.
2. Operational Level – Measurement and Reporting
Boards should receive regular reports that reflect the actual risk landscape, including the number and severity of incidents, the results of tests and exercises, information on critical systems and their dependencies, and the status of cybersecurity measures. Many boards now request a Digital Resilience Dashboard that visualises this information and provides a clear overview of the organisation’s resilience and the effectiveness of its DOM governance.
3. Third-Party Dependencies – External Risk Control
Financial institutions increasingly rely on external cloud and IT providers. DORA requires boards to have insight into supplier risks: which providers are critical, how their risks are managed, and what exit plans exist. Boards should be able to understand the consequences if their most important cloud provider is down for 48 hours.
To enable the board to fulfil its responsibilities, a well-structured information flow is essential. Management, especially the CIO, CISO, and CRO, must collaborate to create a reporting model that makes digital risks comparable to financial and operational risks.
We often see companies struggling with fragmented reporting between IT and risk functions, a missing link between cyber risk and business risk, and inadequate training of the board in digital resilience. To avoid these gaps, DORA must be integrated throughout the governance chain. Boards need a holistic view, management must speak a language the board understands, and risk management must become proactive and decision-oriented.
Companies that succeed with DORA do three things:
- Treat digital resilience as part of business strategy, not just IT security
- Create clear decision pathways between technology, risk, and the board
- Build a culture of learning and transparency, where incidents are seen as opportunities for improvement
DORA brings digital risk management into the boardroom. It marks a shift in how digital risk is viewed, from a technical matter to the core of corporate governance. The board’s responsibility is to ensure that the organisation not only meets regulatory requirements but is genuinely resilient in the digital domain. With the right structure, culture, and support, DORA can become a catalyst for stronger governance, safer operations, and increased trust across the financial sector.