
DORA Article 14: Board Reporting Requirements That Most Directors Don't Know About

DORA Atlas Editorial, 9 min read

The Personal Liability Question

In the boardrooms of European financial institutions, a question is beginning to surface that most directors would prefer not to confront: what, exactly, am I personally responsible for under DORA?

The answer is more than most directors expect. DORA Art. 5(2) does not merely suggest board awareness of ICT risk. It requires that "the management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework." The operative word is "responsible." Not "informed." Not "consulted." Responsible.

Art. 5(4) adds another dimension: members of the management body must "actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis commensurate to the ICT risk being managed." Directors who cannot demonstrate that they have maintained sufficient ICT risk knowledge — through documented training — are personally exposed to supervisory action.

And Art. 14 closes the loop: financial entities must ensure "adequate reporting to the management body on the ICT risk management framework" including, at minimum, "the ICT-related incidents and the notifications submitted to the competent authorities, the conclusions of any testing activities, and any relevant developments regarding the ICT third-party risk management."

This is not a suggestion to include a brief cybersecurity update in the annual board retreat. This is a legally binding governance framework that places ICT operational resilience on the same level as financial risk, credit risk, and market risk in terms of board accountability.

What Art. 14 Actually Requires

Art. 14 specifies the minimum content that must be reported to the management body. The language is precise and creates a clear compliance checklist:

| Art. 14 requirement | Content | Frequency (minimum) | Evidence needed |
|---|---|---|---|
| ICT risk management framework status | Overall health of the ICT risk framework, key risk indicators, material changes | Annual (Art. 14(1)) | Board minutes recording framework review |
| ICT-related incidents | Major incidents, NCA notifications submitted, root causes, remediation status | Annual + post-major-incident | Incident reports, NCA notification confirmations |
| Testing activities | Results of resilience testing programme (Art. 24-27), key findings, remediation tracking | Annual | Testing programme report, finding register |
| Third-party ICT risk | Status of critical third-party providers, concentration risk, exit strategy readiness | Annual | Third-party register summary, concentration analysis |
| Relevant developments | Threat landscape changes, regulatory developments, supervisory findings | As needed / quarterly recommended | Briefing materials, training records |

Art. 14(2) adds that the management body must receive reporting on "the response to, and recovery and communication plans related to ICT-related incidents." This means boards must receive not just incident summaries, but assessment of whether the entity's response and recovery capabilities are adequate.

The Art. 5 Foundation: Board Obligations Beyond Reporting

Art. 14 reporting is one leg of a three-legged governance structure. The other two are Art. 5(2) (framework approval) and Art. 5(4) (training).

Art. 5(2): Framework Approval and Oversight

The management body must:

Approve the ICT risk management framework. Not delegate approval to a committee. The full management body must review and approve the framework, creating a documented governance trail that demonstrates board-level ownership.

Oversee its implementation. Approval without oversight is meaningless. The board must establish a mechanism to monitor whether the framework is being implemented as designed — through reporting (Art. 14), through internal audit, and through direct engagement with the CISO or CTO.

Allocate adequate resources. Art. 5(2)(c) requires the management body to "approve and review the budget and overall budget allocation for the ICT risk management framework, including those for ICT-related training for the management body." Budget approval is a board responsibility — and the budget must be adequate to support the framework the board has approved.

Art. 5(4): Mandatory ICT Risk Training

DORA does not leave director competence to market norms. Art. 5(4) requires "specific training on a regular basis" for management body members, commensurate to the ICT risk being managed. This means:

  • Training must be documented (dates, content, participants, provider)
  • Training must be regular (annual minimum, more frequent if the risk profile changes)
  • Training must be substantive (not a 30-minute presentation; commensurate to the complexity of ICT risk)
  • Training must be specific to ICT risk (general governance training does not satisfy the requirement)

The NCA can request evidence of director training as part of its supervisory process. A board that cannot demonstrate documented, regular, substantive ICT risk training is non-compliant with Art. 5(4) — regardless of the directors' background or professional credentials.

The Board Reporting Framework

Most financial entities have some form of ICT risk reporting to the board — typically a quarterly CISO report or an annual information security review. DORA requires a more structured, comprehensive, and evidence-based approach. The following framework translates Art. 14's requirements into a practical reporting cadence.

Quarterly Board Briefing Structure

While Art. 14 specifies an annual minimum, quarterly reporting is the practical cadence for maintaining board awareness and enabling timely decision-making. The recommended quarterly briefing has five sections:

Section 1: ICT Risk Dashboard (1 page)

Key risk indicators with trend arrows and threshold status:

| KPI | Target | Current | Trend | Status |
|---|---|---|---|---|
| Major ICT incidents (quarter) | 0 | 1 | Up | Amber |
| Mean time to recover (critical systems) | < 4h | 6.2h | Stable | Red |
| Critical vulnerability remediation (30-day) | > 95% | 87% | Up | Amber |
| Third-party SLA compliance | > 98% | 96.5% | Down | Amber |
| Testing programme completion (YTD) | > 75% by Q3 | 68% | Up | Amber |
| DORA compliance maturity score | Level 4 | Level 3.2 | Up | Amber |

Section 2: Incident Summary (1 page)

All ICT-related incidents classified as major or significant during the quarter. For each: classification, impact (customers affected, systems impacted, duration), root cause, remediation status, lessons learned. If an NCA notification was submitted: confirmation of submission, timeline compliance, and any supervisory follow-up.

Section 3: Testing Programme Progress (1 page)

Testing activities completed during the quarter against the annual plan. Key findings by severity. Remediation tracking: how many findings from previous quarters remain open, what is the average time-to-remediate by severity. If TLPT was conducted: summary of scope, key findings (appropriately sanitized for board consumption), and remediation plan.

Section 4: Third-Party Risk Update (1 page)

Status of critical third-party providers. Any material changes: new providers onboarded, existing providers migrated, contract renewals with changed terms. Concentration risk metrics: HHI score, single-point-of-failure count, exit strategy readiness for top 5 critical providers. Any third-party incidents that affected or could have affected the entity.

Section 5: Strategic Items (1 page)

Items requiring board decision or awareness: budget requests, regulatory developments (new RTS/ITS, supervisory guidance, enforcement actions at peer institutions), threat landscape changes affecting the entity's risk profile, and upcoming obligations (TLPT cycle, annual framework review, NCA interactions).

Annual Comprehensive Report

Art. 14 requires at least annual comprehensive reporting. The annual report aggregates the quarterly briefings and adds:

  • Year-over-year trend analysis for all KPIs
  • Full testing programme results and maturity assessment
  • Comprehensive third-party risk register summary
  • Framework review and recommended changes for board approval (Art. 5(2))
  • Budget review and allocation for the coming year (Art. 5(2)(c))
  • Director training plan for the coming year (Art. 5(4))
  • Regulatory compliance self-assessment against DORA requirements
  • Comparison with industry benchmarks and peer performance

The Director Training Requirement

Art. 5(4) is the most overlooked DORA provision in board governance. Many directors assume their professional experience — in banking, law, accounting, or general management — provides sufficient ICT risk understanding. DORA disagrees. The requirement is for specific, documented, regular training that is commensurate to the ICT risk being managed.

Minimum Training Curriculum

For a board member of a mid-to-large financial entity, the following training areas represent the minimum required to demonstrate compliance with Art. 5(4):

| Training module | Content | Duration | Frequency |
|---|---|---|---|
| DORA governance overview | Art. 5, 14 obligations, personal liability, framework approval duties | Half-day | Annual |
| ICT risk fundamentals | Threat landscape, attack vectors, incident types, business impact | Half-day | Annual |
| Cyber incident simulation | Tabletop exercise: board-level decision-making during a cyber incident | Half-day | Annual |
| Third-party risk governance | Concentration risk, exit strategies, CTPP oversight regime | 2 hours | Annual |
| Testing programme literacy | Understanding TLPT, scenario testing, how to read testing reports | 2 hours | Annual |
| Regulatory developments | New RTS/ITS, enforcement actions, supervisory expectations | 1 hour | Quarterly |

Each training session must be documented: date, duration, content, trainer credentials, attendees. This documentation is the evidence that demonstrates Art. 5(4) compliance during supervisory review.

The Accountability Gap

The governance structure that DORA creates — framework approval (Art. 5(2)), training (Art. 5(4)), and reporting (Art. 14) — is designed to close an accountability gap that supervisors have observed across the European financial sector.

Before DORA, many boards treated ICT risk as a technical matter delegated to the CISO or CTO, with minimal board engagement beyond an annual security presentation. When a cyber incident occurred, the board could plausibly claim insufficient information. When a regulatory finding identified governance gaps, the board could point to delegation structures.

DORA eliminates these defenses. Art. 5(2) makes the board responsible for the framework. Art. 5(4) makes directors personally responsible for maintaining competence. Art. 14 makes the reporting obligations explicit and minimum-specified. A board that receives a major incident report for the first time during a supervisory inspection — rather than through its Art. 14 reporting process — has a governance failure that is attributable to the management body, not to the CISO.

This is not theoretical. The ECB's 2024 cyber stress test included assessment of governance structures and crisis communication — including board-level decision-making during cyber incidents. Banks where board engagement was superficial received more pointed supervisory feedback than those demonstrating genuine board involvement in ICT risk governance.

Practical Implementation Steps

Month 1: Gap assessment. Compare current board reporting against Art. 14 requirements. Identify what is missing: incident reporting completeness, testing programme visibility, third-party risk transparency, framework approval documentation.

Month 2: Reporting framework design. Build the quarterly briefing template and annual report structure. Define KPIs, data sources, and the process for collecting and validating reporting inputs from across the organization.

Month 3: Training programme. Design and schedule the annual director training curriculum. Engage qualified trainers (internal CISO, external specialists, or regulatory experts). Document the programme in the board calendar.

Month 4: First quarterly briefing. Deliver the first structured quarterly briefing under the new framework. Collect board feedback and refine the format.

Months 5-12: Cadence establishment. Run the quarterly briefing cycle, conduct annual training, and build the annual comprehensive report. Establish the evidence trail that demonstrates ongoing compliance.

Art. 14 is not the most technically complex provision in DORA. But it may be the most consequential for organizational change. When the management body is genuinely informed about ICT risk, genuinely trained to understand it, and genuinely accountable for the framework that manages it, the downstream effects on resource allocation, strategic priority-setting, and organizational culture are substantial. DORA does not just require a report to the board. It requires a board that can understand, challenge, and act on that report.


This guide reflects DORA Regulation (EU) 2022/2554 Articles 5, 14, and associated governance provisions. Board liability frameworks may vary by member state implementation and national corporate governance law.
