Chapter II — ICT risk management
Section I — Governance
Governance and organisation
Summary
Places ultimate responsibility for ICT risk management on the management body of the financial entity. Requires the management body to define, approve, oversee and be accountable for the implementation of the ICT risk management framework, including setting the appropriate level of ICT risk tolerance.
Key Requirements
1. Management body bears ultimate responsibility for ICT risk management
2. Define and approve ICT risk management framework
3. Allocate sufficient budget and resources for ICT security
4. Ensure adequate ICT skills and training at all levels
5. Approve and periodically review digital operational resilience strategy
Detailed Analysis
Article 5 establishes that digital operational resilience starts at the top. The management body — board of directors, executive committee, or equivalent — bears ultimate and undelegable responsibility for ICT risk management. This is not a perfunctory obligation; DORA requires active engagement, not just annual rubber-stamping.
The management body must define and approve the ICT risk management framework, allocate adequate budgets for digital security initiatives, and set the organization's ICT risk tolerance. Members must maintain sufficient knowledge and skills to understand ICT risks and their impact on operations, with mandatory training obligations.
Financial entities must establish a clear organizational structure with well-defined roles and responsibilities for ICT risk management. This includes designating a dedicated ICT risk management function (or assigning these responsibilities to an existing control function) with appropriate independence and authority. The function must have direct reporting lines to the management body.
The article also requires entities to develop a digital operational resilience strategy aligned with the overall business strategy. This strategy must describe how the framework supports business objectives, establish the entity's ICT risk tolerance, and set clear objectives for information security. It must be reviewed and updated at least annually, or following major ICT incidents, testing results, or audit findings.