DORA Board Reporting in Practice: A Quarterly Template for Art. 14 Compliance
The Reporting Gap
DORA Article 14 requires that financial entities ensure "adequate reporting to the management body on the ICT risk management framework." Article 5(2) requires the management body to "define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework." Together, these provisions create a governance loop: the board must receive reporting that enables it to fulfil its oversight responsibility.
The problem is not awareness — most boards know that DORA requires them to receive ICT risk reporting. The problem is substance. What should the report contain? How should it be structured? What level of detail is appropriate for a board that meets quarterly and has 15 agenda items? How do you balance the need for comprehensive coverage against the reality that board members have limited time and varied technical backgrounds?
The EBA's guidelines on internal governance specify that reporting should be "clear, concise and useful" and should enable the management body to "identify, manage and monitor" the risks. ESMA's guidance adds that reporting should be "proportionate to the nature, scale and complexity" of the entity's activities.
This guide provides a practical template that satisfies these requirements.
Template Structure
The quarterly board report should follow a consistent structure that the management body becomes familiar with over time. Consistency enables trend analysis and reduces the cognitive load of processing each report.
Section 1: Executive Summary (1 page)
The executive summary provides a single-page overview that a board member can read in 2 minutes and understand the overall posture:
- Overall ICT resilience posture: GREEN / AMBER / RED with trend arrow (improving/stable/deteriorating)
- Top 3 risks: The three most significant ICT risks, each with a one-sentence description and risk level
- Key developments since last quarter: 3-5 bullet points covering material changes
- Decisions required from the board: If any decisions are needed this quarter, list them here
- Regulatory engagement summary: Any NCA interactions, supervisory findings, or peer review outcomes
Section 2: Risk Appetite Dashboard (1 page)
The risk appetite dashboard shows the institution's ICT risk position against the board-approved risk appetite. Each metric should use a standardized RAG status:
| Risk appetite metric | Appetite (Green) | Tolerance (Amber) | Limit (Red) | Current | Trend |
|---|---|---|---|---|---|
| Maximum disruption to critical functions | <2 hours | 2-4 hours | >4 hours | [Actual] | [Arrow] |
| ICT asset register coverage | >95% | 90-95% | <90% | [Actual] | [Arrow] |
| Third-party concentration (max single provider) | <30% of critical | 30-40% | >40% | [Actual] | [Arrow] |
| Resilience testing coverage | >90% critical | 80-90% | <80% | [Actual] | [Arrow] |
| Open critical findings overdue | 0 | 1-2 | >2 | [Actual] | [Arrow] |
| Incident reporting compliance | 100% timely | 90-99% | <90% | [Actual] | [Arrow] |
Section 3: Pillar-by-Pillar Status (4-5 pages)
Each DORA pillar receives a dedicated sub-section with consistent formatting:
Pillar I — ICT Risk Management Framework (Art. 5-16)
| Metric | Value | Status | Commentary |
|---|---|---|---|
| Asset register completeness | [%] | [RAG] | [Brief note on changes, gaps, remediation] |
| Risk assessment currency | [Days since update] | [RAG] | [Brief note on trigger for next assessment] |
| Critical control effectiveness | [%] | [RAG] | [Brief note on any control failures] |
| Data classification compliance | [%] | [RAG] | [Brief note on enforcement gaps] |
| Backup recovery target achievement | [%] | [RAG] | [Brief note on last restoration test results] |
Pillar II — Incident Management (Art. 17-23)
| Metric | Value | Status | Commentary |
|---|---|---|---|
| Total incidents this quarter | [N] | Informational | [Trend vs. previous quarter] |
| Major incidents requiring NCA notification | [N] | [RAG] | [Brief description of each] |
| Average classification-to-notification time | [Hours] | [RAG] | [Compliance with 4-hour window] |
| Open remediation actions from incidents | [N] | [RAG] | [Overdue items highlighted] |
Pillar III — Resilience Testing (Art. 24-27)
| Metric | Value | Status | Commentary |
|---|---|---|---|
| Critical functions tested this quarter | [N/Total] | [RAG] | [Percentage of annual target completed] |
| New findings this quarter | [N by severity] | [RAG] | [Critical/High/Medium/Low distribution] |
| Finding remediation rate | [%] | [RAG] | [Percentage of findings remediated on schedule] |
| TLPT programme status | [Phase] | [RAG] | [Current status of TLPT cycle] |
Pillar IV — Third-Party Risk (Art. 28-30)
| Metric | Value | Status | Commentary |
|---|---|---|---|
| Register of information completeness | [%] | [RAG] | [Coverage of critical providers] |
| Art. 30 contractual compliance | [%] | [RAG] | [Contracts renegotiated vs. total in scope] |
| Concentration HHI (top category) | [Score] | [RAG] | [Category and primary driver] |
| Exit strategies documented for critical providers | [%] | [RAG] | [Coverage of critical provider exit plans] |
| Third-party incidents this quarter | [N] | [RAG] | [Impact on institution's services] |
Section 4: Material Incidents Since Last Report (1 page)
For each major incident since the last board report:
- Date and duration: When it occurred and how long it lasted
- Affected services: Which critical or important functions were disrupted
- Client impact: Number of clients affected, financial impact if quantifiable
- Root cause: Brief root cause description (or "investigation ongoing")
- NCA notification status: Initial, interim, or final report submitted
- Remediation status: Actions taken, outstanding remediation items
Section 5: Third-Party Risk Profile (1 page)
A concise view of the institution's third-party risk landscape:
- Top 5 critical providers: Name, services, concentration impact, recent performance
- Concentration risk summary: HHI by category, single-provider dependencies, trend
- Contract renegotiation progress: Percentage of in-scope contracts compliant with Art. 30
- Provider incidents: Any third-party incidents affecting the institution this quarter
Section 6: Testing Programme Status (1 page)
- Annual testing plan progress: Percentage complete, on track/behind schedule
- Key test results this quarter: Summary of findings with severity distribution
- Remediation pipeline: Open findings, overdue remediation, risk accepted exceptions
- Next quarter testing plan: What will be tested in the coming quarter
Section 7: Regulatory Developments (0.5 page)
- NCA engagement: Any supervisory examinations, findings, or requests
- RTS/ITS developments: New or amended technical standards
- Peer insights: Industry benchmarking, association coordination outcomes
- ESA guidance: New ESA publications relevant to the institution
Section 8: Decisions Required (0.5 page)
Board reports should distinguish between items for information and items for decision. The decisions section should explicitly state:
- What decision is requested: Approve budget, accept risk, approve policy change
- Recommendation: Management's recommended action
- Risk of inaction: What happens if the board does not act
Evidence Trail
The board report itself is an evidence artifact. Each report must be:
- Versioned: Document version control with draft/final status
- Archived: Stored in the evidence vault with SHA-256 integrity verification
- Board minutes linked: The board's discussion and decisions must be documented in the minutes and cross-referenced to the report
- Retained: Minimum 10 years, aligned with audit retention policy
Supervisors will request the report, the minutes, and evidence that the management body discussed and acted on the content. A report that was tabled but not discussed provides no governance value.
Use the DORA readiness assessment to evaluate your board reporting maturity, review the CISO KPI dashboard guide for the metrics that feed the report, and consult the glossary for regulatory terminology. The CRO guide provides context on integrating ICT risk reporting into the enterprise risk committee cadence.
Conclusion
Art. 14 board reporting is not a compliance formality. It is the governance mechanism that connects the management body to the institution's operational resilience posture. The template provided here is a starting point — institutions should adapt it to their size, complexity, and risk profile. But the principles are universal: consistent structure, quantified metrics with RAG status, trend analysis, clear distinction between information and decisions, and a complete evidence trail that demonstrates the board is not just receiving reports but governing based on them.
Resume en francais
L'article 14 de DORA exige un reporting regulier a l'organe de direction sur le cadre de gestion des risques TIC. Cet article fournit un modele de rapport trimestriel pratique structure en huit sections : resume executif (1 page), tableau de bord d'appetit au risque avec seuils RAG, statut pilier par pilier avec metriques quantifiees (Piliers I a IV), incidents materiels depuis le dernier rapport, profil de risque tiers, statut du programme de tests, developpements reglementaires et decisions requises du conseil. Le modele totalise 10-12 pages maximum, utilise une methodologie RAG standardisee et des indicateurs de tendance, et produit une piste de preuves complete (versionnage, archivage, lien avec les proces-verbaux du conseil, retention de 10 ans). Le rapport au conseil n'est pas une formalite de conformite — c'est le mecanisme de gouvernance qui connecte l'organe de direction a la posture de resilience operationnelle de l'institution.