What DORA Is — and Why It Reaches the Boardroom
If a director learns only one thing about the Digital Operational Resilience Act, let it be this: DORA makes the board itself accountable for ICT and cyber resilience. It is not a matter you can fully delegate to the CISO and receive as a status slide. This lesson gives you the whole regulation in a single sitting.
The instrument, in one line
DORA is Regulation (EU) 2022/2554. It is a Regulation, not a Directive, so it is directly applicable as law in every EU Member State, identically and without national transposition (Member States still designate the competent authorities that supervise it and set the penalties under Articles 46 and 50, but they cannot rewrite the obligations). It entered into force on 16 January 2023 and has applied in full since 17 January 2025. For the board, that removes two comfortable excuses: there is no "we're waiting for the national law", and no "it differs by country". The text your executives quote is the operative law everywhere the group operates in the EU.
The five pillars — the whole framework on one page
| Pillar | Subject | The board’s one-line interest |
|---|---|---|
| 1 | ICT risk management (Art. 5–16) | Governance the board owns — you approve and oversee the framework. |
| 2 | Incident management & reporting (Art. 17–23) | A major ICT-related incident becomes a regulatory event on a strict clock: an initial notification to the competent authority, followed by an intermediate report and a final report (Art. 19). |
| 3 | Resilience testing (Art. 24–27) | Every entity tests; those designated by their competent authority must also run threat-led penetration testing (TLPT) at least every three years (Art. 26). |
| 4 | ICT third-party risk (Art. 28–44) | Concentration on a few cloud providers is a board-level systemic risk. |
| 5 | Information sharing (Art. 45) | Voluntary threat-intelligence sharing — a board decision to record. |