Managing ICT providers beyond the contract

Oct 2, 2025

Governance in the DORA era

Why signing is just the beginning

For many financial institutions, the signing of an ICT contract has historically been treated as the end of the process. Due diligence completed, signatures secured and the deal filed away.

But the Digital Operational Resilience Act (DORA) challenges that view. Under DORA, the contract is actually the beginning of a new cycle of management, oversight and accountability.

Why? Because resilience is not static. Providers evolve, services change, risks grow and threats shift. A contract signed today may be irrelevant to the risks you face tomorrow.

That is why DORA demands ongoing governance.

The governance imperative

At the core of DORA’s requirements is the principle that accountability for ICT risk remains with the financial entity. That accountability cannot be delegated to a vendor.

This is why DORA elevates the role of the management body. Senior leadership must not only approve contractual arrangements but also take an active role in governing them.

That means:

  • The management body must be directly involved in decisions about ICT providers supporting critical or important functions.

  • Risk assessments must be performed before contracts are signed and revisited regularly.

  • Contractual arrangements must align with the firm’s broader risk management framework, information security policy, continuity planning and incident reporting obligations.

In other words, governance is more than an administrative function – it is strategic oversight.

Management in practice

So what does ongoing management look like under DORA?

  1. Implementation and monitoring

Once a contract is signed, it must be actively implemented, monitored and managed. That means setting clear KPIs for provider performance, testing resilience and monitoring compliance with regulatory expectations.

  2. Documentation and record-keeping

DORA places significant emphasis on record-keeping. Firms must maintain a register of information on ICT providers, with detailed documentation of contractual arrangements. This ensures transparency, auditability and consistency across the organisation.

  3. Exit strategies and termination plans

One of the most overlooked aspects of management is planning for exit. Providers can fail, relationships can deteriorate, services can be disrupted. DORA requires financial entities to have exit and termination strategies in place. That means knowing how to transfer services without major disruption.

  4. Risk assessments

Risk assessments are not one-off exercises. They must be repeated whenever arrangements change, and reviewed at consolidated and sub-consolidated levels. Risks must be considered not just in isolation, but across the entire ICT landscape.

The role of senior management

One of the most significant shifts under DORA is the explicit accountability of senior management.

Providers can no longer be treated as purely technical or procurement decisions. The management body must:

  • Assign clear responsibilities for oversight of ICT provider relationships.

  • Ensure reporting lines are established and monitored.

  • Involve business units, internal control functions and compliance teams in governance.

  • Review ICT policies at least annually and ensure updates flow through into contractual arrangements.

In other words, governance cannot be siloed. It must be cross-functional, embedded and visible from the top down.

Independent review and audit

DORA also makes independent review a requirement. That means ICT services supporting critical or important functions must be part of the audit plan and subject to independent scrutiny: not just internal testing, but external validation where appropriate.

This ensures resilience is tested objectively, and that blind spots are identified before they become failures.

Lessons from failures

History provides examples of what happens when ongoing oversight is neglected.

A European payments provider suffered weeks of disruption when its outsourced ICT partner introduced a change without sufficient oversight. The contract existed, but management had no ongoing monitoring in place.

Several banks have been caught unprepared by changes in their providers’ subcontracting arrangements, only discovering dependencies after incidents occurred.

Firms have faced regulatory penalties not for the initial incident, but for failing to evidence governance, oversight and risk management once the provider relationship was in place.

In each case, the lesson was the same – that resilience cannot be delegated.

Embedding oversight into operating models

To comply with DORA, and more importantly, to build real resilience, financial entities must embed oversight into their operating models. That means:

  • Governance structures. Clear committees, reporting lines and responsibilities for ICT provider management.

  • Integrated risk management. ICT provider oversight fully aligned with enterprise risk management frameworks.

  • Regular reviews. Annual reviews of ICT provider policies and ongoing monitoring of key relationships.

  • Skills and capability. Ensuring staff overseeing ICT providers have the necessary knowledge, experience and authority.

Ultimately, good governance is a culture.

The strategic opportunity

It is tempting to see DORA’s requirements as burdensome. More meetings, more documentation, more oversight.

But reframed, governance is an opportunity. Firms that excel in ongoing management will:

  • Build stronger relationships with providers.

  • Identify risks earlier and act faster.

  • Demonstrate credibility with regulators and clients.

  • Create competitive advantage by showing resilience as a core capability.

In an industry where trust is everything, that advantage is powerful.

Governance is resilience

The message from DORA is that contracts alone are not enough. Resilience is not something you sign once and store in a drawer – it is something you manage every day.

Ongoing governance, senior management accountability, independent audits and clear oversight are the tools that turn contracts into living resilience frameworks.

In the DORA era, real resilience is built in the boardroom, the audit committee and the daily management of ICT providers.