Governance Briefing — January 17, 2025
EU financial entities must comply with the Digital Operational Resilience Act, which raises boards' accountability for ICT risk governance, incident reporting, resilience testing, and oversight of ICT third-party service providers.
Executive briefing: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) applies from 17 January 2025. Boards of banks, insurers, payment institutions, and investment firms must approve ICT risk management frameworks, review testing programmes, and direct contractual governance of third-party technology providers.
Key governance signals
- Board ownership of the ICT risk framework. Article 5 makes the management body responsible for defining, approving and overseeing the ICT risk management framework and for setting clear roles and responsibilities for all ICT-related functions; Article 6 requires that framework to be documented and reviewed at least once a year and after major ICT-related incidents.
- Threat-led penetration testing becomes strategic. Article 26 requires financial entities identified by their competent authorities (on the basis of impact, systemic character and ICT risk profile) to carry out threat-led penetration testing on live production systems supporting critical or important functions at least every three years, using testers that meet the Article 27 requirements; Article 24 obliges entities to classify, prioritise and remediate every finding, and the management body oversees that remediation as part of its Article 5 responsibilities.
- Third-party risk oversight formalised. Under Articles 28–30, entities must keep a register of information on all contractual arrangements with ICT third-party service providers, assess ICT concentration risk before contracting, and ensure contracts contain access and audit rights, termination rights and exit strategies; Article 5 requires the management body to approve and periodically review the third-party policy and to be kept informed of those arrangements. Separately, Articles 31–44 create a Union-level oversight framework for ICT providers the ESAs designate as critical.
Action checklist
- Update board charters and annual agendas to reflect explicit DORA oversight duties, including escalation thresholds for major ICT-related incidents reportable under Article 19.
- Approve a multi-year resilience testing plan covering the annual testing programme required by Article 24, scenario-based testing, threat-led penetration tests where the entity is in scope of Article 26, and follow-up reporting cycles.
- Review critical service provider inventories, confirm contractual rights for information and termination, and assign board committees to monitor concentration risk.
Sources
- Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector
- European Commission DORA Frequently Asked Questions
Zeph Tech advises EU financial boards on mapping DORA responsibilities, maturing resilience testing dashboards, and negotiating compliant ICT outsourcing clauses.