Digital Operational Resilience under DORA: the strategic role and responsibilities of the management body.
Workshop organized by Bank of China - 27 October 2025.
Within the framework of advanced training initiatives on digital resilience in the banking sector, Attorney Alessandro Del Ninno delivered an intensive four-hour course, designed and taught entirely by him, to the Italian and Chinese management of Bank of China, with a highly specialised and operational focus.
The course was dedicated to Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA) and was structured around the central role of the management body in the governance of ICT and cyber risks. The presentation offered a systematic interpretation of the principle, introduced by DORA (Article 5), that the management body bears full and ultimate responsibility for managing ICT risk, clarifying how the Board of Directors is required to become the key decision-making and supervisory hub of the entire ICT risk management framework, from the definition of strategies to operational and contractual oversight.
Significant attention was devoted to the analysis of the first- and second-level regulatory sources forming the DORA regulatory architecture, including the extensive set of Regulatory Technical Standards and Implementing Technical Standards adopted by the European Commission between 2024 and 2025. In this context, Attorney Del Ninno provided a structured overview of the obligations relating to ICT risk management, the classification and notification of ICT-related incidents, digital operational resilience testing (including threat-led penetration testing, TLPT) and the regulation of relationships with ICT third-party service providers, with particular emphasis on concentration risk and the concept of critical ICT third-party service providers.
The training also examined the organisational impact of DORA, highlighting the need to introduce new roles, functions and mandatory registers (notably the register of information on contractual arrangements with ICT third-party service providers), as well as to strengthen internal control, audit and crisis management mechanisms. A specific focus was placed on ICT outsourcing policies, pre-contractual due diligence activities and the redesign of contractual clauses in line with the new European requirements, including the audit, access and inspection rights to be granted to the financial entity and to the supervisory authorities.
Particular importance was attributed to the principle of proportionality, analysed as a criterion for calibrating obligations without reducing responsibilities, and to the strategic role of continuous training for management and staff as an essential component of digital operational resilience. The course also addressed the coordination between DORA and the national implementing framework, illustrating the new sanctions regime and the potential direct liabilities of members of management bodies.
The workshop was characterised by a strong international and managerial perspective, combining legal rigour, strategic vision and practical applicability, and provided Bank of China’s senior management with an advanced and coherent understanding of the regulatory, organisational and governance transformations required by the new European paradigm of cyber resilience in the financial sector.