Every bank or financial institution employee is aware of their potential liability for errors and omissions in their work. For example, if banking secrecy is breached and an employee intentionally or unintentionally discloses a bank customer’s data to a third party, the employee is liable. This often leads to liability for damages to the financial institution and the customer. However, the situation is different under DORA, which may impose administrative penalties on specific employees.
Relationship between responsibility, management function and liability in DORA
According to DORA’s Article 5(2)(a), a financial institution’s management is responsible for managing the risks associated with ICT services and operational resilience strategies.
The management is responsible for defining, approving, and supervising the implementation of the ICT risk management framework, as well as ensuring its full implementation. According to recital 45 of DORA, management bodies must focus not only on measures to ensure the resilience of ICT systems but also on people and processes through a set of policies. Awareness of cyber risks and commitment to strict compliance with cybersecurity hygiene rules must be built at every level of the corporate structure and among all employees.
While responsibility under DORA refers to the duty of the management body—including board members—to ensure that their organization complies with the regulation’s requirements, liability goes a step further. It implies the potential legal and financial consequences that individuals may face if they fail to fulfill those responsibilities. DORA explicitly places the burden of oversight and strategic decision-making on the board, making them responsible for embedding digital operational resilience into the organization’s governance framework. However, if this responsibility is neglected—such as by failing to implement adequate risk management or incident response mechanisms—board members may be held personally liable. This distinction is crucial: responsibility is about what leaders must do, while liability is about what happens if they don’t.
What are the penalties for not complying with DORA?
As mentioned in the previous chapter, DORA introduces several sanctions. These relate to unintentional omissions and intentional actions that reduce the digital operational resilience of a financial entity. Sanctions for financial entities that do not comply with DORA are severe and range from public reprimands to the withdrawal of licenses for supervised activities.
Furthermore, although DORA is an EU regulation, it has a global impact. Therefore, financial institutions operating in the EU or working with EU customers must comply with DORA, regardless of their location. ICT service providers must also comply with DORA and select their own suppliers accordingly because they may face consequences for failing to do so.
A detailed discussion of the financial penalties for noncompliance with DORA can be found in the article on the consequences for individuals and institutions.
Consequences for the management board in the context of DORA
Like NIS2, DORA extends beyond the level of management board responsibility in the areas of criminal, civil, and compensatory liability, adding administrative liability. This type is characterized by the immediate enforceability of the penalty and the subsequent possibility of appeal, unlike previous types. In the article on the management board’s tasks in the context of DORA, we mentioned those related to DORA implementation. Actions management can take to reduce the risk of personal consequences include:
- Selecting the most competent person on the management board for ICT risk management and appointing them to oversee the issue.
- Verifying the competence of the compliance and security departments in developing policies, plans, and procedures that must be approved by the management board.
- Approving ICT security policies, procedures, and plans, as well as supervising their implementation.
- Deciding on the implementation of appropriate tools to help the organization manage risk.
- Training the management board so that it has the knowledge necessary to make important decisions in ICT risk management.
Appointment of a board member
The management board has many responsibilities and is accountable for the organization’s overall success. DORA recognizes this and does not expect all management board members to address ICT security issues. According to Article 5(3), financial entities that are not microenterprises must establish a function to monitor and supervise the risks associated with ICT services. This function may be performed by a management board member or a senior management representative. This person should oversee, among other things, exposure to risks associated with cooperation with external ICT providers and the relevant documentation.
See how risk management implementation in accordance with DORA should be overseen by a designated management board member.
Acceptance of policies
The management board is not responsible for carrying out tasks arising from DORA. The scope of activities that must be carried out far exceeds this team’s capabilities and available time. Instead, the management board’s role is to approve plans, policies, procedures, and roles within the organization that contribute to the implementation of DORA requirements. These include:
- Establishing and reviewing clear roles and responsibilities for all ICT-related functions
- Establishing management arrangements
- Establishing and reviewing reporting channels for external ICT service providers
- Planned significant changes in external ICT service providers
- Potential impact of such changes on critical or important functions
- Serious ICT incidents
- Implementing and reviewing policies on data availability, authenticity, integrity, and confidentiality
- Approving and reviewing the financial entity’s ICT business continuity policy and ICT response and recovery plan
- Approving ICT internal audit plans and their modifications, and reviewing audit results
- Assigning and reviewing digital operational resilience
The management board must regularly review these documents to ensure they align with the organization’s needs.
Implementation of appropriate tools
A major problem financial entities face is that risk analysis is spread across different people and departments. This results in inconsistent data and a lack of comprehensive, multidimensional risk analysis, which must be presented to the KNF in its entirety. Consequently, the board and senior management may struggle to make informed decisions.
It is worth considering the implementation of a Governance, Risk & Compliance (GRC) tool. Note, however, that most such tools use a process-based risk management methodology, whereas the DORA Regulation requires an asset-based methodology. RIG DORA is a GRC tool that uses the asset-based methodology. With RIG DORA, you have full knowledge of the risk assessment methodology and access to all necessary documents, enabling you to manage risk effectively. RIG DORA operates in accordance with ISO standards. It also serves as an archive for documents and risk analyses, and it automates the mapping of information about resources, safeguards, and processes. This allows you to clearly present key risks and the appropriate countermeasures. RIG DORA also lets you track tasks and provides an overview of the organization’s ICT risk level.
Training for the management board
According to Article 5(4), members of the management board must actively keep their knowledge and skills up to date. This enables them to understand and assess the risks associated with the ICT environment and their impact on the financial entity’s operations. Training may cover topics such as:
- Basic technical and organizational features of ICT security and resilience;
- The importance of ICT security and resilience for the organization;
- A catalog of ICT-related risks to which the financial entity is exposed;
- Measures available to mitigate these risks.
Training can be conducted through lectures, workshops, and case studies. It is also advisable to document the scope of the training in case of inspections.
Date of entry into force of DORA
Financial entities are facing new challenges. Regulations such as NIS2 and DORA impose many new obligations and responsibilities on them. DORA went into effect on January 17, 2025. For this reason, the boards and management of these organizations must work to ensure security and protect themselves from personal administrative liability.
For this reason, we invite you to familiarize yourself with the DORA implementation schedule prepared by our team. We have divided the tasks into groups according to the respective teams’ areas of expertise and specified the time needed for each activity.
