DORA is not an administrative framework — it is a decision-making framework.

5/4/2026

Many organizations still treat DORA as a compliance project: Checklists. Deadlines. Documentation. That is a mistake.

One of DORA’s strongest messages is clear: Digital resilience is not an IT issue. It is the responsibility of the management body.

This means:

  • ICT risk frameworks must be approved at board level
  • their effectiveness must be overseen
  • decisions — and their consequences — must be owned

After a major ICT incident, the key question changes:

  • not only “what happened?”
  • but also “were the right decisions made?”

“The biggest shift we see is that digital risk is no longer an IT issue—it’s a board-level liability exposure.”

DORA does not prescribe every technical detail.

Instead, it requires institutions to:

  • understand their operating model deeply
  • identify critical business functions
  • apply proportionate protection and recovery measures

Implications:

  • no “one-size-fits-all” compliance
  • decisions must be documented and justified
  • risk thinking becomes a core leadership capability

Typical DORA-Driven Management Risks

  • Poorly documented risk decisions
  • Delayed ICT investments due to cost pressure
  • Underestimation of third-party dependencies
  • Misinterpretation of supervisory expectations

These are not technical failures. They are decision risks.

DORA strengthens:

  • controls
  • processes
  • accountability

But it does not provide financial protection against:

  • business interruption
  • third-party failures
  • management liability

“This is where the gap appears. Controls reduce probability. Insurance addresses consequence. DORA makes the gap between the two visible.”

D&O Insurance in the DORA Context

A properly structured D&O policy can:

  • cover personal liability of executives
  • fund legal defense
  • respond to regulatory investigations

DORA changes the role of D&O:

  • it is no longer generic management protection
  • it becomes a tool for addressing digital risk exposure

If D&O addresses decision risk, cyber insurance addresses operational consequences. Together, they form the financial dimension of digital resilience.

DORA and Cyber Insurance are strongly linked, but have different roles

DORA requires:

  • incident management
  • recovery
  • communication

Cyber insurance:

  • finances these events

“A cyber policy only works if it speaks the same language as your incident framework—DORA is forcing that alignment.”

Ádám Kalina
Chief Underwriting Officer, Hungarian branch