DORA: Board and executive responsibilities | House of Control

Written by House of Control | 28 Aug 2025

DORA board responsibilities and executive accountability are central to the EU’s new digital resilience framework. Here’s what you need to know on a strategic as well as operational level to master DORA.

Digital resilience is no longer just an IT issue. On January 17, 2025, the EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) began to apply, placing responsibility for compliance firmly with the board and senior management. This shift is more than regulation: it is a call to leadership.

DORA is changing the rules of governance. It moves digital resilience from an IT responsibility to a board and executive duty. That requires knowledge, commitment, and collaboration. Handled well, it also opens the door to stronger businesses and lasting trust.

For companies in financial services and related industries, this means digital risk and resilience must be treated with the same seriousness as financial risk. The key question is not “is the IT department ready?”, but “are we, as leaders, ready?”

DORA and the board: Why governance and leadership matter

At its core, DORA gives the board (the "management body" in the regulation's terms) two clear responsibilities:

  • Define and approve the framework for managing ICT risk and digital resilience.

  • Oversee and monitor that framework to ensure it is actually working.

In other words, governance is not optional, it is a legal duty. The board must ensure that the company has the right structures, processes, and resources to meet regulatory expectations.

Digital risk is not a side issue. It must be integrated into the company’s overall risk management. Boards are expected to take a holistic approach: embedding ICT risk into the broader risk picture, ensuring clear reporting lines, and demanding regular updates on cyber risks, resilience testing, incident handling, and vendor oversight.

And perhaps most importantly: boards must demonstrate digital competence. Not knowing is no longer a defense. DORA expects directors to maintain sufficient knowledge and skills to understand and assess ICT risks, including through regular training, and to ask the right questions of management.

Executive responsibilities under DORA: From decision to daily action

If the board defines the framework, management makes it work. Under DORA, executives are responsible for embedding ICT risk management into daily operations.

Under DORA, ultimate responsibility for the ICT risk management framework stays with the management body. Within the executive team, the CEO is accountable for making it work day to day, but responsibility is distributed across key roles:

  • CIO: Ensures the technical side of ICT risk management works.

  • CISO: Leads information security and resilience.

  • Compliance: Monitors follow-up and alignment with regulation.

The CEO must also allocate the right resources, establish incident response procedures, and ensure suppliers are properly vetted. Importantly, DORA requires responsibility for managing and overseeing ICT risk to be assigned to a control function with appropriate independence. This control function should be separate from daily operations to avoid conflicts of interest.

What makes the difference is culture. Executives must foster a company-wide mindset where resilience is everyone’s job, supported by training, awareness, and cross-functional collaboration.

Incident reporting: Acting fast when it matters most

One of the most concrete obligations in DORA is incident reporting. Major ICT-related incidents must be reported quickly to the competent authority, following a staged process: an initial notification, an intermediate report, and a final report. The initial notification is due within hours of classifying an incident as major, so the clock starts well before the full picture is known.

This means boards and executives need to:

  • Ensure there are clear procedures for detecting and classifying incidents.

  • Set up rapid reporting lines internally, so decision-makers are informed immediately.

  • Guarantee that compliance teams can handle the strict timelines for regulatory notifications.

Being prepared here is not just about avoiding penalties. Transparent and timely reporting is also about protecting trust – with customers, partners, and regulators.

Testing resilience: Proving that frameworks actually work

DORA also requires regular testing of operational resilience as part of a digital operational resilience testing programme. This ranges from basic measures such as vulnerability assessments and scans, gap analyses, and scenario-based tests, to advanced threat-led penetration testing (TLPT) based on real-world attacker techniques and carried out by independent testers. Critical ICT systems must be tested at least yearly; entities designated for TLPT must undergo it at least every three years.

For executives, this means ensuring:

  • There is a plan for regular testing of systems, controls, and recovery processes.

  • The results of these tests are reported back to the board and acted upon.

  • Weaknesses discovered in testing lead to clear remediation actions.

Testing is where strategy meets reality. It is how leaders can be confident that resilience is not just a policy, but a working capability.

Third-party risk: Governance beyond your own walls

A large share of ICT risk sits with third-party providers, for example cloud services, fintech partners, or other critical suppliers. DORA is explicit: boards and executives remain accountable for risks even if the service is outsourced, and the company must maintain a register of information covering all contractual arrangements with ICT third-party providers.

This requires:

  • Due diligence before onboarding new ICT providers.

  • Clear contracts that define security, resilience, and reporting obligations.

  • Ongoing monitoring of vendor performance and resilience.

  • Exit strategies in case a provider can no longer deliver safely.

For leaders, this is about recognizing that resilience is a supply chain issue. Strong governance of vendors is now a regulatory expectation – and a business necessity.

Supervisory expectations: Dialogue and documentation

DORA also sets out how regulators will coordinate supervision across Europe, including direct oversight of critical ICT third-party providers. This means companies must expect closer scrutiny and more requests for documentation.

Boards and executives should ensure that:

  • Governance decisions and risk assessments are well-documented.

  • There are clear records of incidents, testing, and vendor management.

  • The company can demonstrate not just intent, but evidence of execution.

In practice, this means being ready for supervisory dialogue, and treating regulators as stakeholders in digital resilience.

How boards and executives can make DORA governance work in practice

Compliance cannot be reduced to a checklist. Effective governance means creating a cycle where planning, implementation, testing, and evaluation are seamlessly connected.

Boards and executives should focus on:

  • Measurable goals: Define clear targets for resilience and risk reduction.

  • Regular reporting: Make sure progress and incidents are visible to leadership.

  • Cross-functional collaboration: Create forums where CIOs, CISOs, compliance officers, and risk managers align efforts.

  • Vendor oversight: Recognize that many risks lie with third parties and manage them accordingly.

When these elements come together, resilience becomes part of how the business operates, rather than a compliance requirement that is ticked off once a year.

The real risks of ignoring DORA responsibilities

Failure to comply with DORA carries consequences that go beyond fines. Regulators can impose significant penalties, and because DORA places responsibility for the ICT risk management framework on the management body, board members and executives can face personal consequences, particularly where negligence is involved.

But the real damage is often reputational. A cyber incident that reveals weak governance can hurt customer as well as investor trust, and weaken competitiveness. For financial institutions in particular, where trust is everything, reputational loss may be the most serious risk of all.

Beyond compliance: How DORA strengthens trust and competitiveness

Here’s the good news: companies that take DORA seriously don’t just avoid risk – they also build strength. By embedding resilience into governance and operations, they:

  • Reduce exposure to cyber threats.

  • Strengthen trust with customers, partners, and regulators.

  • Position themselves ahead of competitors in a market where resilience is a differentiator.

In short, DORA is not only about staying compliant. It is about showing leadership, building trust, and giving your business a competitive edge.