Back to Listing
office-scene-stock-image (1)
  • Dora
  • 25th May 2026
  • 1 min read

DORA Board Reporting: Your ICT Risk Dashboard Guide

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short..
  • DORA makes ICT risk oversight a direct board responsibility: Article 5 requires management bodies to actively oversee ICT risk, stay informed on incidents, and approve the ICT risk management framework.
  • Boards need governance dashboards, not technical reports: A compliant ICT risk dashboard should focus on KRIs, risk appetite alignment, incident trends, third-party exposure, resilience testing, and control effectiveness.
  • Risk appetite is the foundation of reporting: Every KRI should be RAG-rated against board-approved thresholds so directors can determine whether ICT risk sits within tolerance.
  • Board reporting and regulatory reporting are separate obligations: Internal governance reporting under Article 5 operates independently from the strict regulatory notification timelines in Articles 17–20.

DORA changes ICT risk reporting from an operational IT exercise into a formal governance obligation for the management body. Boards must receive structured, recurring reporting that enables real oversight decisions around resilience, third-party exposure, incident response, and control effectiveness. The most effective dashboards translate technical risk into governance intelligence: concise KRIs tied directly to risk appetite thresholds, supported by clear escalation paths and evidence of board engagement. Organisations that treat the dashboard as a live governance instrument, rather than a quarterly slide deck, are far better positioned for supervisory scrutiny under DORA.

Expert View

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

What our experts say about the board reporting gap in DORA compliance

 

“Most management bodies are receiving operational IT data where DORA requires governance intelligence: incident volumes without risk appetite context, vulnerability counts without remediation accountability, test results without a clear answer to whether the organisation’s ICT resilience is within tolerance. Building a compliant dashboard starts with asking what decisions the board needs to make, then working backwards to the data that informs those decisions.”

 

 

KEY FACTS

  1. Article 5(2): The management body must define, approve, oversee, and take ultimate responsibility for the ICT risk management framework.
  2. Article 5(4): Board members must maintain sufficient ICT risk knowledge and skills; training and competency development must be documented as evidence for regulatory examination.
  3. Article 5(2)(i)(iii): The management body must put in place reporting channels enabling it to be duly informed of major ICT-related incidents and their impact, response, recovery and corrective measures, and of any relevant planned material changes to ICT third-party arrangements.
  4. DORA incident reporting (Article 19): initial notification within 4 hours of classification as major (no later than 24 hours from first awareness); intermediate report within 72 hours; final report within one month.
  5. Meaningful KRI reporting requires a formally approved ICT risk appetite statement with explicit thresholds; each KRI is RAG-rated against those thresholds.

What Article 5 Actually Requires

DORA Article 5 establishes the management body's direct responsibility for ICT risk management. Article 5(2) requires the management body to define, approve, oversee, and take accountability for the implementation of the ICT risk management framework. Article 5(4) goes further: management body members must actively maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on the organisation.

 

Article 5(2)(i) requires the management body to put in place reporting channels enabling it to be duly informed of major ICT-related incidents and their impact, response, recovery and corrective measures, as well as ICT third-party arrangements and material planned changes. This obligation implies structured, recurring reporting rather than ad hoc briefings; the management body must engage with the information substantively rather than merely acknowledge it.

 

The practical implication is that ICT risk reporting to boards must be designed for governance decision-making. Boards need to be able to answer: Is our ICT risk within appetite? Are we meeting our resilience obligations under DORA?

 

Are our critical ICT third parties performing to contractual and regulatory standards? A dashboard built around those questions is what Article 5(2) compliance looks like in practice.

What a DORA-Compliant ICT Risk Dashboard Looks Like

A DORA-compliant board-level ICT risk dashboard is a governance instrument. It translates operational ICT risk data into risk-framed indicators that allow the management body to assess whether the organisation's ICT risk posture sits within the board-approved risk appetite and whether corrective action is required.

 

The dashboard should be structured around DORA's five ICT risk pillars (governance, protection, detection, response and recovery, and learning and evolving) with a summary risk status for each, supported by a concise set of KRIs. Supporting detail should be available but held back from the default view: boards respond to dashboards, not documents.

 

Recommended Dashboard Structure

 

Dashboard Section

What It Shows

Source Data

ICT Risk Appetite Status

Current ICT risk level vs. board-approved risk appetite threshold (RAG-rated)

Risk register; risk appetite statement

Major ICT Incidents (Current Period)

Count, severity classification, and status of major ICT-related incidents; regulatory notifications issued

Incident management log; DORA incident classification register

Resilience Testing Status

Outcomes of most recent resilience tests; outstanding remediation actions; TLPT cycle status for applicable entities

Resilience testing programme; TLPT records

Third-Party Risk Exposure

Concentration risk summary; critical ICT third-party performance vs. SLA; any escalations or issues under Article 28 monitoring

TPRM register; third-party performance reports

Control Effectiveness

Percentage of key ICT controls assessed as effective in current period; trend vs prior periods

Internal audit results; control testing programme

Open Risk Items Requiring Board Decision

Any ICT risk items above escalation threshold requiring management body decision or acknowledgement

Risk register; escalation log

Six to Eight KRIs That Satisfy Article 5(2) Board Reporting Requirements

The following KRIs give management bodies the information they need to meet Article 5(2)'s active oversight obligation. Each is risk-framed: it tells the board whether ICT risk is within appetite, rather than telling the IT function what to fix.

 

KRI

What It Measures

DORA Article Reference

Reporting Frequency

1. Major ICT Incident Rate

Number of ICT-related incidents classified as ‘major’ under DORA's incident classification criteria in the reporting period, with trend vs. prior period

Articles 17–20 (incident classification and reporting)

Monthly (to risk committee); quarterly (to full board)

2. Mean Time to Recover (MTTR) for Critical Functions

Average recovery time for ICT-related disruptions affecting critical or important functions, measured against the organisation's Recovery Time Objectives (RTOs)

Article 11 (ICT business continuity); Article 12 (backup and recovery)

Quarterly; incident-triggered

3. Third-Party Risk Concentration Score

Proportion of critical or important functions dependent on a single ICT third-party provider or a small number of providers, expressed as a concentration ratio

Article 28(4)(c) (ongoing ICT third-party risk monitoring at portfolio level); Article 6(8)(b) (ICT risk tolerance framework including concentration limits). Note: Article 29 governs the pre-contractual concentration assessment before entering new arrangements; it is a trigger-event obligation, not an ongoing KRI.

Quarterly

4. Resilience Test Coverage Rate

Percentage of critical or important functions covered by at least one resilience test (scenario-based, tabletop, or technical) in the current annual testing cycle

Articles 24–26 (digital operational resilience testing)

Semi-annually

5. ICT Control Effectiveness Rate

Percentage of key ICT controls assessed as operating effectively in the most recent internal audit or control testing cycle, with trend and remediation status

Article 6 (ICT risk management framework); ongoing review obligation

Quarterly

6. Unresolved High-Severity Vulnerabilities

Count of ICT vulnerabilities rated high or critical severity that remain unresolved beyond the organisation's defined remediation SLA, with ageing profile

Article 8 (ICT risk identification, classification and risk management); Article 9 (protection)

Monthly (to risk committee); quarterly (to full board)

7. DORA Regulatory Notification Timeliness

Percentage of major ICT incidents for which regulatory notifications were submitted within DORA's required timelines (initial notification within 4 hours of classification as major, no later than 24 hours from first awareness; 72-hour intermediate; 1-month final report)

Articles 19–20 (reporting timelines)

Quarterly; incident-triggered

8. Management Body ICT Competency Status

Confirmation that management body members have completed required ICT risk training and skills development in the current period, per Article 5(4)

Article 5(4) (management body knowledge and skills obligation)

Annually

How to Frame Operational ICT Incidents for Board Consumption

Effective board incident reporting focuses on governance accountability rather than technical detail. What the management body needs is risk framing: governance information that allows it to assess resilience posture, regulatory compliance, and risk appetite status.

For each incident included in board reporting, four questions need answers.

  1. Classification: Was this a major ICT-related incident under DORA's criteria? If so, what was the client impact, service disruption duration, and affected critical functions?
  2. Regulatory status: Were notifications submitted to the competent authority within required timelines? Is the incident under ongoing regulatory scrutiny?
  3. Risk appetite: Did this incident push the organisation's ICT risk profile outside its stated appetite threshold, and if so, what remediation is in progress?
  4. Systemic implication: Does this indicate a control weakness requiring a board-level response (additional investment, a policy change, or a third-party review)?

Incidents falling below DORA's major classification threshold should still appear in board reporting as an aggregate count. The volume and trend of all ICT incidents is a governance indicator in its own right, even when individual incidents don't reach the reporting threshold.

Connecting the Dashboard to Risk Appetite

A DORA-compliant board reporting framework requires a formally approved ICT risk appetite statement; that document is the baseline every KRI is measured against, and its formal approval by the management body constitutes evidence of Article 5(2) compliance.

 

The ICT risk appetite statement should be approved by the management body (that approval documented as evidence of Article 5 compliance) and should set explicit thresholds for each dashboard indicator. For example:

  1. Major ICT incidents: Appetite threshold of no more than [X] major incidents per quarter before escalation to exceptional governance review.
  2. MTTR for critical functions: Appetite threshold of recovery within [X] hours, aligned to RTO commitments documented in the ICT Business Continuity Plan.
  3. Third-party concentration: Appetite threshold of no more than [X]% of critical function capability dependent on a single ICT provider.

Each KRI in the dashboard should display its current value, its trend, and its position relative to the appetite threshold. Where a KRI is outside appetite, the dashboard should surface the escalation item and link it directly to the required board response.

Reporting Frequency

DORA sets no fixed reporting schedule in Article 5. The following schedule reflects recommended governance practice aligned to Article 5(2) obligations; DORA prescribes no specific reporting frequencies and competent authorities have not published standard cadence expectations. Ad hoc or incident-triggered briefings alone don't satisfy the Article 5(2) oversight obligation.

  1. Monthly: ICT risk dashboard to the risk committee or equivalent board subcommittee. Full incident register and KRI trends.
  2. Quarterly: Summarised ICT risk dashboard to the full management body, including any risk appetite breaches, regulatory notifications issued, and resilience testing outcomes.
  3. Incident-triggered: Immediate escalation to the management body for any major ICT incident under DORA classification, or for any third-party event with material impact on critical functions.
  4. Annually: Full ICT risk framework review, updated risk appetite statement approval, and confirmation of management body competency development per Article 5(4).

This schedule reflects minimum governance practice. In active risk committee programmes, monthly engagement tends to surface material issues before the quarterly full-board cycle, improving the quality of board-level discussion when it matters most.

Ready to build a DORA-compliant ICT risk dashboard?

SureCloud's GRC platform automates KRI data collection, generates DORA-compliant board reports, and maintains an audit-ready record of management body engagement, eliminating the manual compilation cycle before each board meeting. See how SureCloud supports DORA board reporting: request a demo to see how the platform automates KRI data collection, maintains an audit-ready record of management body engagement, and generates board-ready ICT risk reports.
Book your Demo TODAY!
Related articles:
  • DORA

The 5 Pillars of DORA Explained – Building Digital Resilience in Financial Services

  • ISO 27001
  • DORA

DORA vs NIS-2 vs ISO 27001: Where They Overlap & How to Combine Them

  • Third-Party Risk

PRA SS1/26: The UK's Answer to DORA

Share this article

FAQ’s

What is the management body's specific responsibility under DORA Article 5?

Under DORA Article 5, the management body (which includes both executive and non-executive board members) is directly accountable for defining, approving, overseeing, and taking ultimate responsibility for the ICT risk management framework. This isn't a delegated function: Article 5(2) places accountability at management body level, not at CISO or IT management level. Article 5(4) additionally requires board members to maintain sufficient ICT risk knowledge and skills to exercise meaningful oversight.

Does DORA require a specific board reporting format?

DORA leaves the format of board-level ICT risk reporting to the organisation. Article 5(2) requires the management body to put in place reporting channels enabling it to be duly informed of major ICT-related incidents and material developments, but how those channels are designed is an organisational decision. Regulatory Technical Standards published by the ESAs provide guidance on incident classification and reporting to competent authorities, but internal board reporting design is for the organisation to determine. What the regulation requires is substantive oversight.

How does DORA board reporting interact with DORA's regulatory incident reporting obligation?

These are two distinct obligations. Regulatory incident reporting under Articles 17–20 requires financial entities to notify their competent authority of major ICT-related incidents within defined timelines: the initial notification within 4 hours of classification as major (and no later than 24 hours from first awareness), the intermediate report within 72 hours, and the final report within one month. Board-level ICT risk reporting under Article 5(2) is an internal governance obligation: the management body putting in place reporting channels to stay informed about risk posture and incident status. Both obligations must be met, but they operate independently.

What if our board lacks ICT expertise? How do we meet Article 5(4)?

Article 5(4) requires management body members to keep their ICT knowledge and skills 'sufficiently up to date' to assess ICT risk. It calls for governance-level understanding rather than technical expertise: board members need enough ICT literacy to exercise meaningful oversight, ask informed questions, and evaluate risk-framed reporting. The obligation can be met through structured training programmes, regular briefings from the CISO or Head of ICT Risk, and access to external advisers with ICT risk expertise. What counts is that training and competency development are documented; evidence of active engagement with ICT risk knowledge requirements will be required in any regulatory examination.

How frequently should we review our ICT risk appetite statement?

The ICT risk appetite statement should be reviewed and formally reapproved by the management body at least annually, and additionally following any material change in the organisation's ICT environment, risk profile, or following a major ICT incident. Under DORA Article 6(5), the ICT risk management framework itself (which the risk appetite statement forms part of) must be reviewed at least once a year and following significant ICT-related incidents. Document every review and the board's formal approval as evidence of Article 5(2) compliance.