Trusq

factual analysis · traceable to primary sources

Explainer

ICT risk management under DORA: what must the board arrange?

Adopted 2026-06-28 · ≈ 1 min read · Dirk Baaijen

DORA requires financial entities to maintain a coherent ICT risk management framework with ultimate responsibility at the management body. Small, non-interconnected entities may use a simplified framework.

Short answer: DORA requires a coherent ICT risk management framework that is part of overall risk management. The management body (board) holds ultimate responsibility and must keep its knowledge of ICT risk up to date. Small, non-interconnected and micro-enterprises may use a simplified framework.

What the framework must contain

The entity identifies, protects, detects, recovers and learns: a full cycle around ICT systems and dependencies. This includes an up-to-date inventory of ICT assets and dependencies, security and access controls, anomaly detection, and a business continuity and recovery policy with backup and recovery objectives. The framework is reviewed periodically and after major incidents.

Board responsibility

DORA places responsibility explicitly with the management body: it approves the framework and risk tolerance, allocates resources, and stays demonstrably informed. Board members must keep their ICT-risk knowledge current. This is not a formality: supervisors (in the Netherlands DNB and AFM) can test for it.

Proportionality

Not every entity runs the same regime. Small and non-interconnected undertakings may use a simplified ICT risk management framework that covers the core elements without the full weight. Determine your category first; the ESAs' technical standards describe both variants.

See also: DORA guide and Incident reporting under DORA.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA), Chapter II: ICT risk management; ultimate responsibility of the management body.
  2. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
    EBA/EIOPA/ESMA: RTS for the ICT risk management framework (incl. simplified framework).


About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
