
Board-Level Accountability Under DORA: What Article 5 Means for Management Bodies

DORA Atlas Editorial

The Buck Stops at the Board Table

For decades, ICT risk in financial institutions lived in a comfortable organizational grey zone. The CISO managed cybersecurity. The CTO managed infrastructure. The compliance department managed regulatory reporting. The board received a quarterly update — typically a color-coded heat map that reduced a complex technology landscape to reassuring green, cautionary amber, and alarming red — and moved on to the next agenda item.

DORA dismantles this arrangement. Article 5 does not merely suggest board involvement in ICT risk management. It mandates it, specifies what it looks like, and creates a chain of personal accountability that reaches every member of the management body.

This is not a governance aspiration. It is a regulatory requirement with supervisory enforcement.

What Article 5 Actually Says

Art. 5(1) establishes the foundational principle: "The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1)."

Four verbs. Four distinct obligations:

Define. The management body must participate in defining the ICT risk management framework — not merely rubber-stamp a document prepared by the second line. This means engaging with the architecture of ICT risk governance: the organizational structure, the risk appetite, the tolerance thresholds, the escalation pathways.

Approve. Formal approval of the ICT risk management framework, the digital operational resilience strategy (Art. 6(8)), business continuity plans (Art. 11), incident response plans (Art. 17), and the resilience testing programme (Art. 24). These are board-level approvals — not delegatable to committee without the board's explicit authorization and oversight.

Oversee. Ongoing oversight of implementation — not a single approval event followed by absence. The management body must monitor whether the framework is being implemented as approved, whether deviations are being addressed, and whether the framework remains adequate as the threat landscape and business model evolve.

Be responsible. Ultimate accountability. When a supervisor asks "who is responsible for the adequacy of your ICT risk management framework?", the answer is the management body — collectively and individually.

The Knowledge and Skills Mandate

Art. 5(4) introduces a requirement that has no precedent in prior EU financial regulation at this level of specificity: "Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis."

This is not a recommendation. It is a regulatory obligation that supervisors can examine and enforce. The implications are significant:

Sufficient knowledge. Board members must understand ICT risk at a level that enables them to assess the adequacy of the framework, challenge management's assumptions, and make informed decisions about ICT risk appetite and investment. "I am not a technology person" is no longer an acceptable position for a board member of a regulated financial institution.

Regular training. The training must be ongoing — not a one-time induction. The threat landscape, the technology stack, and the regulatory requirements evolve continuously. Board members who last received ICT training two years ago are not in compliance with Art. 5(4).

Proportionate depth. The level of knowledge required is proportionate to the entity's ICT risk profile. A globally systemically important bank requires deeper board-level ICT expertise than a small payment institution. But even the smallest in-scope entity must demonstrate that its management body has the competence to fulfill its Art. 5 obligations.

Supervisory expectations around Art. 5(4) are already becoming concrete. National competent authorities have begun requesting evidence of board-level ICT training programmes, including curricula, attendance records, and knowledge assessment outcomes. Boards that cannot demonstrate structured, ongoing ICT risk education will face findings.

What the Board Must Approve

DORA distributes specific approval obligations across multiple articles, all flowing from the Art. 5 accountability principle:

ICT risk management framework (Art. 6(1)): The comprehensive framework covering identification, protection, detection, response, recovery, and learning. Board approval is mandatory, and the board must review the framework at least annually or upon significant changes.

Digital operational resilience strategy (Art. 6(8)): The strategy covering ICT risk management objectives, the evolution of the ICT architecture, and the link between business strategy and ICT strategy. The board approves this strategy and must ensure alignment with the overall business strategy.

ICT business continuity policy (Art. 11): Business continuity plans with defined RTO/RPO, covering critical and important functions. Board approval ensures that continuity targets reflect business priorities, not just technical capabilities.

ICT response and recovery plans (Art. 11(3)): Specific response plans for ICT incidents. Board approval creates the governance link between incident response capability and business continuity commitments.

Resilience testing programme (Art. 24-26): The programme of testing activities, including the scope, methodology, and frequency of tests. Board approval ensures that testing ambition matches risk appetite and regulatory expectations.

ICT risk tolerance levels (Art. 6(8)(b)): The acceptable levels of ICT risk. This is a strategic decision that balances business agility against resilience investment. The board — not the CISO — makes this call.

Budget allocation (Art. 5(2)): Art. 5(2) requires the management body to allocate "an appropriate budget" to fulfill ICT risk management and digital operational resilience needs, "including relevant awareness-raising programmes and digital operational resilience training." This means the board must actively assess whether ICT resilience is adequately funded — and is accountable when underfunding leads to control gaps.

Personal Liability: The Governance Equation Changes

The combination of Art. 5's explicit accountability mandate and national supervisory enforcement powers creates a personal liability exposure that board members have not previously faced for ICT risk.

Under DORA, a supervisor can:

  • Examine whether the management body fulfilled its Art. 5 obligations
  • Request evidence of board-level ICT training (Art. 5(4))
  • Assess whether budget allocation was adequate (Art. 5(2))
  • Determine whether oversight was substantive or ceremonial
  • Issue findings directed at the management body itself, not just the institution

In jurisdictions where national law allows administrative penalties against natural persons (as many EU member states do for financial supervision), individual board members who failed to exercise adequate ICT risk oversight face personal consequences — not just institutional fines.

This changes the governance equation. When ICT risk was the CISO's problem, board members could claim reasonable reliance on management. Under DORA, that defense is substantially weakened. The regulation explicitly assigns the obligation to the management body and requires that body to maintain the knowledge to exercise the obligation meaningfully.

Board Reporting Requirements: Article 14

Art. 14 complements Art. 5 by mandating what information must flow to the board and how often:

Art. 14(1) requires financial entities to report "at least on a yearly basis" to the management body on "ICT risk and its impact on the financial entity's operations, on the relevant ICT risk limits set and on the degree of compliance with those limits."

Art. 14(2) requires the management body to be informed "without delay" of major ICT-related incidents and their impact, response, and recovery measures.

The board reporting obligation under Art. 14 is not satisfied by the traditional quarterly CISO dashboard. It requires:

  • Annual comprehensive review: A structured assessment of the ICT risk posture, the framework's effectiveness, compliance with risk tolerance levels, and alignment with the evolving threat landscape
  • Incident escalation: Real-time notification of major incidents with impact assessment — not post-facto summary in the next quarterly report
  • Testing outcomes: Results of the resilience testing programme, including identified vulnerabilities and remediation status
  • Third-party risk profile: Concentration risk exposure, critical provider dependencies, and contractual compliance status
  • Remediation tracking: Status of previously identified deficiencies and the effectiveness of corrective actions

What a DORA-Compliant Board Agenda Looks Like

For institutions translating Art. 5 into governance practice, the board agenda must evolve:

Quarterly ICT risk committee session (or dedicated board session):

  • ICT risk dashboard review — beyond heat maps to quantified metrics: compliance scores, testing coverage, incident frequency and severity trends, third-party concentration indices
  • Major incident review — for any major incidents since the last session, the root cause analysis, remediation actions, and framework improvements implemented
  • Testing programme progress — which tests were executed, what they found, and the remediation pipeline
  • Third-party risk update — new arrangements, concentration risk changes, exit strategy readiness
  • Budget adequacy assessment — ICT resilience spend relative to risk profile and regulatory expectations

Annual framework review session:

  • Comprehensive ICT risk management framework review and re-approval
  • Digital operational resilience strategy update
  • ICT risk tolerance calibration
  • Resilience testing programme approval for the coming year
  • Board training programme review and scheduling

Ad-hoc escalation protocol:

  • Major incident notification within hours (Art. 14(2))
  • Significant change in threat landscape requiring risk tolerance reassessment
  • Regulatory findings or supervisory observations requiring board response
  • Critical third-party service disruption affecting the institution

The Training Imperative

The most practically challenging element of Art. 5(4) is the "sufficient knowledge" requirement. Board members of financial institutions are typically drawn from finance, law, audit, and general management backgrounds — not technology or cybersecurity. Bridging this knowledge gap requires structured, sustained effort.

Effective board-level ICT risk training programmes include:

  • Foundational modules: ICT risk taxonomy, common threat vectors, the DORA framework structure, key terminology (RTO/RPO, TLPT, concentration risk)
  • Scenario-based sessions: Simulated incident briefings where board members practice classification, escalation, and decision-making under time pressure
  • Technology deep-dives: Architecture reviews of the institution's critical systems, dependency maps, and single points of failure — presented at an appropriate level of abstraction
  • Regulatory updates: Changes in supervisory expectations, enforcement actions at peer institutions, and evolving technical standards
  • External perspective: Guest sessions with cybersecurity experts, former regulators, or peer institution board members

The training evidence must be documented: curricula, dates, attendance, and ideally competence validation. Supervisors will request this evidence.

The Strategic Opportunity

Art. 5 is often framed as a burden — another compliance obligation for already-crowded board agendas. This misses the strategic dimension.

A management body that genuinely engages with ICT risk — that understands the institution's technology dependencies, its resilience testing outcomes, its third-party concentration exposure, and its incident response capability — makes better strategic decisions. Investment decisions, digital transformation initiatives, vendor selection, market expansion, and product launches all have ICT risk dimensions that an informed board can assess and govern.

Institutions that invest in board-level ICT competence, supported by purpose-built governance platforms like Valendir that deliver real-time compliance scoring and board-ready reporting aligned to DORA Art. 14, will find that Art. 5 compliance produces a more resilient, better-governed organization. Those that treat it as a box-checking exercise will discover that ceremonial governance is the most expensive kind — it costs as much as real governance but delivers none of the protection.


This analysis reflects DORA Regulation (EU) 2022/2554 as applicable from January 2025. Readers should consult national transposition measures and supervisory guidance for jurisdiction-specific enforcement approaches.

