DORA Compliance: 3 Critical Questions Every Board Must Ask

Why DORA Matters for Your Board

As an ILA Associate Director working with financial institutions across Luxembourg and the EU, I consistently observe a critical gap: boards that excel at financial risk oversight often struggle when transitioning to operational and ICT risk governance under DORA (Digital Operational Resilience Act).

The regulation isn’t just another compliance checkbox—it fundamentally redefines board responsibilities for technology resilience. With the January 2025 deadline now in effect, boards face a stark reality: demonstrable ICT oversight or regulatory intervention.

Question 1: Can We Demonstrate Independent ICT Risk Assessment?

The Challenge:
Many boards rely entirely on management presentations about ICT risk. DORA requires independent validation—boards must have mechanisms to verify claims about system resilience, cyber defenses, and incident response capabilities.

Board Action:

  • Establish direct access to independent technical advisors (Fractional CTO/CISO)
  • Require quarterly ICT risk dashboards with specific, measurable indicators
  • Mandate penetration testing results and third-party security assessments
  • Create a Board ICT Risk Committee with technical expertise

Red Flag:
If your board cannot explain your three most critical IT dependencies and their failure scenarios in plain language, you lack adequate oversight.

Question 2: Do We Understand Our Third-Party ICT Dependencies—Really?

The Reality:
Most financial institutions depend on 50+ critical ICT service providers. DORA mandates comprehensive oversight of these relationships, including:

  • Exit strategies for critical providers
  • Regular resilience testing of third parties
  • Contractual clauses ensuring regulatory access
  • Concentration risk assessment

Board Action:

  • Request a visual map of all critical ICT dependencies (not just a spreadsheet)
  • Challenge management: “If Provider X fails tomorrow, what’s our 24-hour plan?”
  • Ensure contracts include DORA-compliant terms (many legacy agreements don’t)
  • Review the register of critical third-party providers quarterly

Case Study:
A mid-sized Luxembourg bank discovered through independent review that their core banking system, payment gateway, and backup provider all used the same underlying cloud infrastructure—creating invisible concentration risk their board never saw.
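The hidden shared dependency in the case study is what a concentration-risk assessment over the register of ICT third-party providers is meant to surface. The following is an added example (not from the article, and not any institution's actual register): it takes a constructed register of critical functions, their direct providers, and each provider's own subcontractors, walks the subcontracting chain transitively, and flags every provider, direct or nested, whose failure would take down more than one critical function. The provider names and the dependency structure are constructed sample data.

```python
"""Concentration-risk check over a register of ICT third-party dependencies.

Added example, not from the article. All names below are constructed sample
data; a real run would load the institution's own register of information.
"""

from collections import defaultdict

# Constructed sample register: critical function -> direct ICT provider.
CRITICAL_FUNCTIONS = {
    "core banking": "CoreBankCo",
    "payment gateway": "PayGateCo",
    "backup and recovery": "BackupCo",
    "client reporting": "ReportCo",
}

# Constructed subcontracting chain: provider -> providers it itself relies on.
# Three of the direct providers silently share the same underlying cloud.
SUBCONTRACTING = {
    "CoreBankCo": {"CloudA"},
    "PayGateCo": {"CloudA", "NetworkCo"},
    "BackupCo": {"CloudA"},
    "ReportCo": {"CloudB"},
    "NetworkCo": set(),
    "CloudA": set(),
    "CloudB": set(),
}


def transitive_dependencies(provider, graph, seen=None):
    """Return every provider reachable from `provider` (itself included).

    `seen` doubles as a cycle guard, so a register containing a circular
    subcontracting relationship does not recurse forever.
    """
    if seen is None:
        seen = set()
    if provider in seen:
        return seen
    seen.add(provider)
    for sub in graph.get(provider, set()):
        transitive_dependencies(sub, graph, seen)
    return seen


def concentration_report(functions, graph):
    """Map each provider (direct or nested) to the sorted list of critical
    functions that would be affected if that provider failed."""
    impact = defaultdict(set)
    for function, direct_provider in functions.items():
        for dep in transitive_dependencies(direct_provider, graph):
            impact[dep].add(function)
    return {provider: sorted(fns) for provider, fns in impact.items()}


def concentration_hotspots(functions, graph, threshold=2):
    """Providers whose failure would affect at least `threshold` critical
    functions: the concentration risk a spreadsheet of direct contracts hides."""
    report = concentration_report(functions, graph)
    return {p: fns for p, fns in report.items() if len(fns) >= threshold}


if __name__ == "__main__":
    hotspots = concentration_hotspots(CRITICAL_FUNCTIONS, SUBCONTRACTING)
    for provider, fns in sorted(hotspots.items()):
        print(f"{provider}: failure affects {len(fns)} critical functions -> {fns}")
```

With the constructed data, the only hotspot is the nested cloud provider, which none of the direct contracts name: exactly the situation the board in the case study could not see from a list of first-tier suppliers. The threshold is the board's own risk appetite decision; the code only makes the dependency chain explicit.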

Question 3: Can We Prove Our ICT Incident Management Works?

The Requirement:
DORA doesn’t just want incident response plans—it demands evidence of regular testing, lessons learned integration, and board-level incident reporting within tight timeframes.

Board Action:

  • Participate in annual ICT crisis simulation exercises
  • Require post-incident reviews for all significant ICT events
  • Establish clear escalation thresholds (when does an incident reach board level?)
  • Review incident trends quarterly—patterns reveal systemic weaknesses

Practical Test:
Ask your CISO: “Walk me through our last major incident. What went wrong? What did we change?” If the answer is vague or focused solely on technical fixes rather than process improvements, your incident management needs board attention.

The Board’s DORA Roadmap

Immediate Actions (Next Board Meeting)

  1. Request a plain-language DORA compliance dashboard
  2. Schedule an independent ICT risk assessment
  3. Review the register of critical ICT third-party providers
  4. Confirm board ICT risk training is scheduled

Quarterly Rhythm

  1. Review ICT risk indicators (defined in consultation with independent advisors)
  2. Assess new third-party dependencies and exit strategy updates
  3. Review significant ICT incidents and lessons learned
  4. Validate ongoing DORA compliance gaps and remediation progress

Annual Requirements

  1. Participate in full ICT crisis simulation
  2. Review and approve updated ICT risk appetite statement
  3. Assess adequacy of ICT governance framework
  4. Evaluate Board’s own ICT risk expertise and training needs

Why Independent Oversight Matters

DORA’s most profound shift is elevating ICT risk to board-level strategic oversight. But most boards lack the technical depth to challenge management’s ICT risk narratives effectively.

This is where independent fractional CTO/CISO oversight becomes invaluable—not replacing management, but providing boards with the technical fluency to ask the right questions and validate the answers.

Conclusion: From Compliance to Competitive Advantage

Boards that treat DORA as pure compliance will struggle. Those that embrace it as an opportunity to strengthen operational resilience will differentiate themselves with clients, investors, and regulators.

The three questions above aren’t just regulatory requirements—they’re fundamental governance disciplines that separate resilient institutions from those living on borrowed time.

Sergey Lebedev

About Sergey Lebedev

Fractional CTO and ILA Associate Director providing independent technology and ICT risk oversight for boards and PE-backed companies. Based in Luxembourg, with a focus on DORA readiness, ICT governance, and board-level AI strategy.

Need independent oversight or a second opinion? I support boards and executives navigating regulatory and technology risk.