DORA Regulation (II): Impact on governance. The management body's role
The Digital Operational Resilience Act (DORA) has already received significant attention, primarily because it compels financial entities to adopt measures that ensure digital operational resilience. These measures include technical and organizational requirements. One of the key elements of the Regulation is the mandatory documentation institutions must produce and maintain—ranging from strategic policies to operational procedures.
The central question is therefore how approval of this documentation should be managed. Defining the appropriate approval level is essential to effective governance: it avoids both excessive bureaucracy and a lack of oversight in critical decision-making.
This series of articles will explore in detail the key aspects of the Regulation, its implications, the challenges and progress seen across the financial sector, and how DORA is influencing the evolution of security, resilience, and modernization within the industry.
Types of documentation and their approval level
To better understand how DORA affects internal governance structures, we begin by distinguishing among several types of documentation. These include, among others:
- Policies: These are high-level directives that establish strategic principles. They must be approved at the top of the organization, by senior management or the board of directors (the "management body" in DORA's terminology).
- Procedures: These outline the operational steps required to implement policies. Typically, they fall under the approval remit of the Chief Information Security Officer (CISO), Chief Information Officer (CIO), or designated security leads.
- Plans and strategies: This category includes business continuity plans, operational resilience frameworks, or incident management strategies. Given their strategic impact, they may require senior-level approval.
- Records and audits: These document activities and regulatory compliance. They are usually handled and approved by technical leads and audit departments.
Regarding approval levels, Article 5(2) of DORA stipulates that the management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework, which encompasses its core policies.
Beyond this explicit requirement, the Regulation assigns further responsibilities to the management body, including:
- Approval, oversight and periodic review of the ICT business continuity policy and the ICT response and recovery plans (Article 5(2)(e), referring to the policy and plans defined in Article 11).
- Oversight of ICT third-party risk, including approval and periodic review of the policy on the use of ICT services provided by ICT third-party service providers (Article 5(2)(f)) and regular review of the risks identified in respect of those contractual arrangements (Article 28).
These responsibilities underscore the pivotal role the Management Body plays in the document management process, reinforcing the extent to which DORA influences cyber security governance and resilience within financial institutions.
Practical examples of approval levels
Based on DORA’s approval requirements, the following examples illustrate how this might be implemented in practice:
Example 1: ICT risk management
- ICT Risk Management Policy → Management Body
- This document outlines how the institution handles ICT-related risks. Given its critical impact on operational resilience, it requires senior leadership endorsement.
- ICT Risk Assessment Procedure → CISO / Risk Officer
- This document describes the methodology used to assess risks. Since it is primarily operational, it may be approved by those responsible for its execution.
Example 2: Access Control
- Access Management Policy → Management Body
- This defines the overarching principles and rules for accessing critical systems and data. Because of its broad applicability across the organization, senior leadership should approve it.
- Access Control Procedure → CISO / Security Officer
- This outlines the detailed steps for granting, modifying, and revoking access. It can therefore be approved at a more operational level.
Example 3: ICT vendor management
- ICT Vendor Oversight Policy → Management Body
- Given that ICT vendors may pose systemic risks, strategic-level approval is warranted.
- ICT Vendor Assessment Procedure → Third-Party Management Officer (if such a role exists)
- This document specifies the controls and checks applied during periodic assessments.
Clearly, the specifics will depend on the institution's internal structure. Not all organizations will have the same number of technical officers or defined roles, which means some responsibilities may need to be distributed accordingly.
Impact on governance and decision-making
The Regulation also backs these obligations with a regime of administrative penalties and remedial measures aimed specifically at financial entities' digital operational resilience, so weak documentation governance carries a regulatory cost as well as an operational one.
By looking at these examples, it becomes evident that defining the proper approval level is not just about compliance—it is a foundational element of internal governance and operational efficiency:
- Balancing control and agility: If the Management Body approved every technical procedure, day-to-day operations would grind to a halt. Delegating approval authority to operational roles enables agile execution while preserving strategic oversight.
- Clarifying accountability: Each organizational tier knows exactly which decisions fall under its remit. This prevents overlaps and blind spots, ensuring better regulatory compliance and more efficient decision-making.
- Optimizing organizational structure: Clear assignment of approval responsibilities fosters effective division between strategic and operational functions. This specialization supports both accountability and efficiency.
- Ensuring regulatory compliance: A clearly defined approval structure allows organizations to demonstrate alignment with DORA requirements during audits, minimizing penalty risk.
Furthermore, a well-designed documentation governance model makes it easier to adapt to new regulations, allowing improvements to be integrated without requiring a complete overhaul of the existing document management framework.
Conclusion: a key strategy for governance
DORA mandates that key policies and strategies be approved by the Management Body, while technical procedures may be delegated to operational stakeholders. This division of responsibilities is central to optimizing governance and digital operational resilience.
The crux of the matter is that without a well-defined assignment of approval responsibilities, organizations risk inefficiency, overlapping functions, and inadequate supervision. Properly defining these levels not only ensures DORA compliance but also strengthens the internal control framework and enhances the organization’s ability to respond to ICT-related risks.
Therefore, each institution must review and adapt its documentation processes to ensure that they not only meet regulatory obligations but also enable agile and effective management of digital operational resilience.
Moreover, executive involvement in approving critical documents reinforces a culture of compliance and accountability. When senior leaders endorse key documentation, it cultivates an environment where all levels of the organization understand the importance of following established procedures. This reduces risk and improves preparedness for audits and potential incidents. Over time, it also accelerates decision-making and improves the effectiveness of execution.
Finally, direct supervision by senior management in the approval process enhances the company’s credibility with regulators, clients, and partners. It signals a genuine commitment to cybersecurity, business continuity, and risk management—all central pillars of DORA Regulation.
With a robust and top-down approved documentation framework, the organization becomes more resilient, reducing uncertainty and increasing its ability to adapt to new regulatory demands and operational challenges.