DORA Management Body Requirements: Board Obligations

  • DORA
  • Gabriel Few-Wiegratz
  • Published: 19th May 2026

Highlights
  • DORA Article 5 makes board accountability for ICT risk a legal obligation, placing 9 enumerated, non-delegable obligations on the management body (Article 5(2)(a) to (i)).
  • The management body means the board of directors or supervisory body, the entity's ultimate governance authority, rather than the executive committee or senior management team.
  • Under DORA Article 50(5), competent authorities may apply administrative penalties to individual management body members responsible for a breach, subject to the conditions set out in each member state's national implementing law.
  • Article 5(4) requires management body members to maintain adequate ICT risk knowledge and skills, with regular training commensurate to the risk being managed.
  • Supervisors examine board minutes and training records as primary evidence of board engagement, going well beyond framework documentation alone.
Expert View

Matt Davies

Chief Product Officer, SureCloud

What our experts say about DORA management body requirements

“When supervisors examine Article 5 compliance, they start with board minutes. They want to see that directors engaged with the substance: specific questions asked, challenges raised, decisions documented. A board that received and approved a framework with only minimal recorded discussion has created a paper trail that satisfies the letter of the requirement while falling short of its intent. That gap is precisely where supervisory attention concentrates. Evidence of genuine engagement is specific, recorded in real time, and very difficult to reconstruct after an incident.”
KEY FACTS

  1. DORA became applicable on 17 January 2025, applying directly across EU member states without national transposition.
  2. Article 5(2) sets out 9 enumerated management body obligations, lettered (a) to (i), covering ICT risk strategy, budget, training, reporting, business continuity, audit, third-party risk, resources, and reporting culture.
  3. DORA Article 50(5) requires member states to authorise competent authorities to apply administrative penalties to individual management body members responsible for a breach. The actual liability threshold and scope of personal exposure depends on each member state's national implementing legislation.
  4. Article 5(4) requires regular ICT risk training for board members, commensurate to the level of risk being managed by the entity.
  5. Under Article 19 and the implementing technical standards under Article 20, major ICT incidents require three reports: an initial notification within 4 hours of classification as major (and no later than 24 hours from first awareness of the incident); an intermediate report within 72 hours of the initial notification; and a final report upon completion of root cause analysis (the ITS sets a guideline of within one month of the intermediate report).
  6. The ICT risk management framework must be reviewed by the management body at least annually and following any significant ICT-related incident.
Why DORA's Management Body Provisions Are Different

Most governance frameworks recommend board involvement in risk oversight. DORA mandates it, with named obligations, an explicit knowledge requirement, and supervisory examination rights that extend to individual board members.

DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. It applies directly across EU member states without national transposition, and its scope covers banks, investment firms, insurance undertakings, payment institutions, electronic money institutions, crypto-asset service providers, and a range of other regulated financial entities. In the UK, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are developing aligned operational resilience requirements; UK boards in internationally active firms face both regulatory regimes.

The principle running through DORA's governance architecture is accountability without delegation. Article 5(2) is explicit: the management body is responsible for defining, approving, overseeing, and taking accountability for the implementation of all arrangements related to the ICT risk management framework. That accountability sits with the board. A Chief Information Security Officer, a risk committee, or an external consultant can support the work, but the obligation remains with the management body.

What 'Management Body' Means Under DORA

DORA's definition of management body follows the existing EU supervisory framework. It refers to the board of directors, administrative body, or supervisory body, as determined by the entity's governance structure. In a two-tier board structure, this means the supervisory board. In a unitary structure, it means the board of directors.

The management body sits above the executive layer. Article 5(1) draws this distinction explicitly: senior management and the CEO are responsible for implementing the ICT risk management framework; the management body defines, approves, and holds that implementation to account. These are distinct functions with distinct accountability.

For firms with complex group structures, DORA applies at the level of the regulated entity. Each regulated entity's management body carries its own Article 5 obligations. Regulated subsidiaries must meet their own Article 5 duties through their own governance, regardless of group-level oversight arrangements.

Management Body Obligations Under Article 5(2)

Article 5(2) sets out 9 enumerated obligations, lettered (a) to (i), that sit with the management body. Each is a potential supervisory examination point. The table below unpacks each one into its practical components for governance purposes.

| Task                                              | Article 5(2) Reference | What This Means in Practice                                                                                                              |
|---------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| Define and approve ICT risk appetite              | 5(2)(a)                | A formal, board-approved statement of the level of ICT risk the entity is willing to accept.                                             |
| Approve ICT risk management framework             | 5(2)(a)                | The board must formally resolve to adopt the framework document. Board minutes evidence this approval.                                   |
| Review ICT risk management framework annually     | 5(2)(a)                | Annual review with board sign-off; more frequent review required after significant incidents.                                            |
| Approve ICT-related investments and budget        | 5(2)(b)                | ICT spend is a board-level governance item, not solely a management decision.                                                            |
| Approve training on ICT risk for staff            | 5(2)(c)                | Approve the training policy and programme, not just individual courses.                                                                  |
| Receive and review ICT risk reports               | 5(2)(d)                | Regular reporting to the full board, not only to a risk or audit committee.                                                               |
| Approve digital operational resilience strategy   | 5(2)(e)                | The overarching strategy for achieving and maintaining DORA compliance.                                                                  |
| Oversee incident reporting obligations            | 5(2)(f)                | Board awareness of major ICT-related incidents and reporting to competent authorities.                                                   |
| Approve and review business continuity policy     | 5(2)(g)                | Approve business continuity plans as they relate to ICT resilience.                                                                      |
| Approve audit plans and findings for ICT risk     | 5(2)(h)                | Internal audit of ICT risk must be reported to and approved by the board.                                                                |
| Oversee third-party ICT risk                      | 5(2)(i)                | The board is accountable for the entity's ICT third-party risk exposure.                                                                 |
| Ensure adequate resources                         | 5(2)(j)                | The board must satisfy itself that sufficient resources, both financial and human, are allocated to ICT risk management.                 |
| Promote reporting culture                         | 5(2)(k)                | Active sponsorship of a culture where ICT risk is reported upward without fear of reprisal.                                               |


The breadth of this list is significant. It touches budget, audit, incident response, third-party risk, training, and culture. A board that engages with DORA only at the level of annual framework approval falls short of the standard Article 5 sets.

Personal Liability: What Article 5 Actually Says

Article 5(4) introduces an obligation that goes beyond institutional compliance: management body members must maintain adequate knowledge and skills to understand and assess ICT risk. The Florence School of Banking and Finance has noted that this provision represents a significant shift from the traditional model of institutional accountability toward individual board member responsibility.

This obligation is enforceable. Under DORA's supervisory framework, national competent authorities, including the FCA and PRA in the UK, and the ECB and national regulators within the EU, have the power to examine management body members directly. The Joint Committee of the European Supervisory Authorities (ESAs) has issued guidance on supervisory convergence that reinforces this expectation.

DORA Article 50(5) requires member states to confer on competent authorities the power to apply administrative penalties to individual management body members responsible for a breach, subject to the conditions set out in national law. The precise scope of personal exposure depends on the national implementing legislation in the member state where the entity is regulated. In all cases, competent authorities, including national regulators and, for significant institutions, the EBA, EIOPA, and ESMA, have the right to examine management body members directly.

What 'Adequate Knowledge and Skills' Means in Practice

Article 5(4) sets the requirement without specifying the curriculum. In practice, supervisors and regulators will assess this through a combination of board minutes, training records, and direct examination.

A credible board-level ICT risk competency programme should address:

  1. ICT risk taxonomy: the board should understand the categories of risk DORA addresses, including availability, integrity, continuity, and security, and be able to discuss them in terms of business impact rather than technical detail.
  2. Threat landscape awareness: sufficient understanding of major risk trends, including ransomware, supply chain attacks, and cloud concentration, to challenge management on the entity's exposure.
  3. Framework literacy: the board should be able to read and interrogate an ICT risk management framework, understanding risk appetite statements, tolerance thresholds, and control effectiveness reporting.
  4. Regulatory obligations: board members should understand what DORA requires of the entity, including the major incident reporting timelines under Article 19 (initial notification within 4 hours of classifying an incident as major, intermediate report within 72 hours, final report within one month per the implementing technical standards under Article 20).
  5. Third-party risk: given DORA's extensive Chapter V on ICT third-party risk management, the board should understand the entity's critical ICT third-party dependencies and the concentration risks they represent.

Training records serve an evidential function. They demonstrate that the board has been exposed to relevant content and given the opportunity to develop competency. Supervisors can and do probe beyond records: the board must be able to demonstrate understanding in direct examination.

How to Evidence Board Engagement for Supervisors

The gap between board accountability on paper and demonstrable board engagement in practice is where supervisory examination risk concentrates. Evidence of genuine engagement takes several forms.

Board minutes

Record substantive discussion alongside approvals. Minutes that capture only 'the board approved the ICT risk management framework' are weaker than minutes showing the board asked specific questions about risk appetite thresholds, challenged management on a control gap, or requested further information before approving.

Reporting cadence and content

Regular ICT risk reports to the full board, rather than exclusively to an audit or risk committee, demonstrate ongoing oversight. Reports should be in language accessible to non-technical board members and should address risk appetite utilisation alongside operational metrics.

Risk appetite statements

A board-approved ICT risk appetite statement that is specific, measurable, and connected to the entity's business model is strong evidence of genuine ownership. Generic statements that could apply to any firm are a supervisory red flag.

Training records

Document who attended, what was covered, when, and how comprehension was assessed. External training from recognised sources adds credibility.

Escalation records

Evidence that the board has received and acted on ICT incident escalations, including major incidents reported to competent authorities under Article 19, demonstrates that the accountability chain is functioning.

Third-party oversight

Board-level visibility of the Critical ICT Third-Party Provider (CTPP) register, key concentration risks, and exit strategies for critical providers demonstrates the breadth of engagement DORA requires.

Structuring Board Engagement: Practical Governance Design

Many in-scope firms have existing risk committee or audit committee structures. DORA leaves the choice of committee configuration to the entity. What the regulation requires is that the full management body retains the obligations Article 5 assigns to it. Delegation to a committee reduces the board's operational workload; the accountability remains with the management body.

A workable structure for most firms:

  1. Dedicated board agenda item for ICT risk. At least quarterly, with a standing paper covering risk appetite utilisation, major incidents, third-party risk concentration, and framework changes.
  2. Annual framework review. A formal board resolution approving the ICT risk management framework, with documented substantive discussion.
  3. Incident escalation protocol. A defined process for escalating major ICT incidents to board level, aligned with DORA Article 19 reporting timelines.
  4. Annual competency assessment. A structured review of board-level ICT risk knowledge, with training delivered by qualified practitioners.
  5. Supervisory examination preparation. A periodic exercise in which board members respond to likely supervisory questions, stress-testing their ability to articulate risk appetite, explain framework governance, and describe incident response oversight.

The evidence burden Article 5 creates is real, but it is manageable when governance infrastructure, processes, and reporting are properly aligned. The firms that struggle under supervisory examination are those that built their DORA response as a documentation exercise rather than a governance one.

FAQs

What is the management body under DORA Article 5?

Under DORA, the management body refers to the board of directors, administrative body, or supervisory board, whichever holds ultimate governance authority for the regulated entity. Article 5 draws an explicit distinction between the management body's accountability role and senior management's implementation role. The management body sets, approves, and holds to account; senior management executes.

Can a board delegate its DORA Article 5 obligations to the CISO or a risk committee?

Article 5(2) states that the management body is accountable for the ICT risk management framework and the obligations listed within that article. Individual tasks can be supported by specialist functions; the accountability remains with the management body. A board that has passed all DORA oversight to its CISO or a subcommittee falls short of what Article 5 requires.

What personal liability do board members face under DORA?

DORA Article 50(5) requires member states to authorise competent authorities to apply administrative penalties to individual management body members responsible for a breach, subject to national law conditions. The degree of personal exposure varies by jurisdiction. In all cases, competent authorities have the right to examine management body members directly. Directors should take specific legal advice on the liability framework in their jurisdiction of operation.

What does 'adequate knowledge and skills' mean under DORA Article 5(4)?

Article 5(4) requires management body members to maintain sufficient understanding of ICT risk to fulfil their oversight responsibilities. In practice this means understanding the entity's ICT risk taxonomy, being able to interpret risk appetite statements, understanding DORA's reporting obligations including major incident reporting timelines under Article 19, and being able to challenge management on third-party ICT risk. Training records and board minutes are the primary evidence base for supervisors assessing this.

How often must the board review the ICT risk management framework?

DORA Article 5(2)(a) requires the management body to review the ICT risk management framework at least annually. The framework must also be reviewed following significant ICT-related incidents and after material operational or strategic changes. Each review should be formally recorded in board minutes, with any material changes to the framework separately approved.

What should ICT risk reports to the board contain?

DORA leaves the reporting format to the entity's discretion, but supervisors expect reporting that enables genuine oversight. Effective board-level ICT risk reports cover risk appetite utilisation against approved thresholds, status of major ICT incidents and regulatory reporting, third-party risk concentration, control effectiveness trends, and any material changes to the ICT risk profile. Reports pitched at operational or purely technical detail fall short of the management body's governance function.