
DORA Governance Requirements: Management Accountability

DORA places direct accountability for digital operational resilience on the management body of financial entities. This represents a significant shift from treating ICT risk as a purely technical matter delegated to IT departments.

Board members, executives, and senior leaders must now actively engage with ICT risk management, undergo training, and take personal responsibility for their organization's digital resilience.

Key Takeaways

  • Management body ownership: the board/executive team must define, approve, and oversee the ICT risk framework
  • Personal accountability: individual liability for management body members
  • Training requirement: senior leaders must undergo regular ICT risk training
  • Resource allocation: management must ensure adequate ICT budget and staffing
  • Active oversight: regular review of ICT matters, not passive delegation

Quick Answer: DORA requires the management body (board of directors, executive management, or equivalent) to take direct responsibility for ICT risk management. This includes approving the ICT risk framework, ensuring adequate resources, undergoing training to understand ICT risks, and actively overseeing implementation. Individual members can be held personally liable for failures; DORA leaves the penalty levels to national law, and depending on the Member State these can reach €1 million per individual.

Who Is the Management Body?

DORA's governance requirements apply to the "management body," defined in line with sectoral legislation:

  • Banks (CRD): board of directors, executive management
  • Investment firms (MiFID II): governing body
  • Insurers (Solvency II): administrative, management or supervisory body
  • Payment institutions (PSD2): directors, managers
  • Other entities: equivalent governing body

In practice, this means the board of directors and senior executive team.

Core Governance Responsibilities

Framework Ownership

The management body must:

  • Define: set the overall approach to ICT risk management
  • Approve: formally approve the ICT risk management framework
  • Oversee: actively supervise framework implementation
  • Be accountable: take responsibility for the framework's effectiveness

This cannot be fully delegated. While day-to-day management may be assigned to others, the management body retains ultimate accountability.

ICT Risk Management Framework

Specific management body obligations regarding the framework:

  • Set objectives: define digital operational resilience objectives
  • Approve policies: approve the ICT risk management policy
  • Review framework: review framework effectiveness regularly; DORA requires the framework itself to be reviewed at least once a year and after major ICT-related incidents (Article 6(5))
  • Approve arrangements: approve, and periodically review, the policy on the use of ICT services provided by third-party providers, including those supporting critical or important functions
  • Designate responsibilities: ensure clear roles for ICT risk management

Resource Allocation

The management body must ensure adequate resources:

  • Budget: sufficient ICT security spending
  • Staffing: appropriate ICT risk management personnel
  • Training: investment in staff capabilities
  • Tools: security and monitoring technologies
  • External support: access to expertise when needed

Business Continuity

Specific obligations for business continuity:

  • Approve the ICT business continuity policy
  • Ensure continuity plans are in place
  • Review testing results
  • Oversee crisis management arrangements

Training Requirements

Management Body Training

DORA explicitly requires management body members to:

"Actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed." (Article 5(4))

This means regular training on:

  • ICT risk landscape: current threats and vulnerabilities
  • Regulatory requirements: DORA obligations and developments
  • Technology trends: relevant technological changes
  • Incident lessons: learning from sector incidents

Training Format

Training may include:

  • Board-level briefings from ICT leadership
  • External expert presentations
  • Industry conferences and events
  • Formal training programs
  • Scenario exercises and simulations

Documentation

Maintain evidence of management body training:

  • Training records
  • Meeting minutes reflecting ICT discussions
  • Attendance at relevant events
  • Qualifications and certifications

Oversight and Reporting

ICT Risk Reporting to Management

The management body should receive regular reporting on:

  • ICT risk status: quarterly or more frequently
  • Major incidents: immediately, then in regular updates
  • Testing results: following significant testing
  • Third-party risk: regular updates, and on significant changes
  • Compliance status: periodic compliance reporting
  • Audit findings: following internal or external audits

Board Agenda Items

ICT risk should be a regular board agenda item:

  • Review of ICT risk metrics and trends
  • Significant incident reviews
  • Third-party risk updates
  • Testing and audit results
  • Resource and budget discussions
  • Regulatory developments

Decision Documentation

Document management body decisions on ICT matters:

  • Policy approvals
  • Resource allocations
  • Risk acceptance decisions
  • Third-party arrangements
  • Framework changes

Organizational Structure

ICT Risk Management Function

For non-microenterprises, DORA requires an ICT risk management function that is:

  • Independent from operational ICT functions
  • Adequately staffed and resourced
  • Capable of reporting directly to senior management

Reporting Lines

Clear reporting lines for ICT risk matters:

Management Body
      ^
      |  ICT risk reports
      |
ICT Risk Management Function
      ^
      |  information from
      |
ICT Operations, Security, Third-Party Management

Roles and Responsibilities

Define clear responsibilities for:

  • Board/CEO: ultimate accountability, framework approval
  • CTO/CIO: ICT strategy, operational oversight
  • CISO/Security Lead: security controls, incident response
  • Risk/Compliance: risk framework, regulatory compliance
  • ICT Operations: day-to-day system management

Personal Liability

Individual Accountability

DORA allows administrative penalties and remedial measures to be applied to members of the management body personally, subject to the conditions laid down in national law (Article 50). The typical bases for such liability are:

  • Framework failures: failure to approve or oversee an adequate framework
  • Resource failures: failure to allocate adequate resources
  • Training failures: failure to maintain ICT risk knowledge
  • Oversight failures: failure to actively supervise implementation

Potential Consequences

Individual penalties may include:

  • Financial penalties: set by national law; depending on the Member State, up to €1 million per individual
  • Temporary bans: prohibition from exercising management functions
  • Reputational damage: public statements identifying individuals
  • Regulatory attention: enhanced scrutiny of the individual

D&O Insurance

Directors should review their D&O insurance coverage regarding:

  • DORA-related claims
  • Regulatory investigation costs
  • Defense expenses
  • Limitations and exclusions

Practical Implementation

Board Education

Start with management body education:

  1. Brief board on DORA requirements and implications
  2. Explain personal accountability provisions
  3. Define what active oversight means in practice
  4. Establish ongoing training cadence

Governance Enhancements

Consider structural changes:

  • ICT risk committee: dedicated focus on ICT matters
  • Board ICT expertise: a member with an ICT background
  • Regular agenda item: consistent ICT risk discussion
  • Clear escalation paths: defined triggers for board attention

Documentation Practices

Maintain robust documentation:

  • Board minutes reflecting ICT discussions
  • Approval records for policies and frameworks
  • Training records for management body
  • Decision rationale for significant choices

Common Questions

Can we delegate ICT risk management entirely to the CTO?

No. While day-to-day management may be delegated, the management body retains ultimate accountability for the framework. Active oversight, approval, and resource allocation remain management body responsibilities.

How often should the board discuss ICT risk?

DORA does not prescribe a meeting frequency, but ICT risk should be a regular agenda item, at minimum quarterly. Significant incidents or changes warrant immediate board attention, and the framework itself must be reviewed at least annually.

What training is required?

DORA requires management body members to maintain "sufficient knowledge and skills" to understand ICT risk. The specific training depends on individual background and entity complexity, but regular updates are essential.

Does this apply to non-executive directors?

Yes. All management body members share accountability for ICT risk management, including non-executive directors. They must be sufficiently informed to provide effective oversight.

How do we demonstrate compliance?

Maintain evidence of governance activities: meeting minutes, training records, approval documents, reporting materials, and decision documentation. Regulators may request this evidence during examinations.

How Bastion Helps

Bastion supports management bodies in meeting DORA governance requirements:

  • Board briefings: Executive-level presentations on DORA obligations
  • Training programs: Tailored training for management body members
  • Governance design: Establishment of appropriate oversight structures
  • Reporting frameworks: Design of ICT risk reporting to management
  • Documentation: Support for governance documentation

Ready to strengthen your ICT risk governance? Talk to our team

