Senior advisory on DORA and NIS2 for boards and executives who need to govern regulatory compliance, not just implement it
The Digital Operational Resilience Act creates direct, enforceable board accountability for ICT risk governance. Former advisory appointments at the FCA and NCSC built a first-hand understanding of regulatory expectations and the direction in which they continue to travel.
DORA is not an IT compliance project. It is a governance obligation with board-level teeth
Most firms have tasked implementation teams with DORA. Fewer have addressed what DORA actually requires of the board: direct, demonstrable accountability for ICT risk governance, approved frameworks, and active oversight of resilience. Implementation without board governance is a compliance gap that regulators can identify on first review.
The same governance logic applies to NIS2, which extends cyber security obligations to a broader range of sectors and explicitly names senior management accountability as a core requirement. For firms navigating both regimes, the board question is the same: can we demonstrate that we govern this, not just manage it?
Applies to financial entities and critical ICT third-party providers. Board and management body accountability is a core pillar, not a secondary obligation.
Extends obligations to essential and important entities across more sectors. Senior management personal liability for non-compliance is an explicit provision.
Board accountability for important business service resilience. Deadline for full embedding passed March 2025. Regulatory attention on boards that cannot demonstrate active governance has intensified.
Where DORA and NIS2 advisory adds most value at board and executive level
Board Accountability Mapping
Clarifying precisely what DORA and NIS2 require of the board, not the implementation team, and identifying the specific governance gaps between current practice and regulatory expectation. Designed for boards preparing for regulator engagement.
ICT Risk Framework Review
Independent review of the ICT risk management framework from the board's perspective: does it cover the risks that matter, is it structured to enable board-level decisions, and does it satisfy the governance requirements DORA specifies?
Third-Party and Concentration Risk
DORA's third-party risk requirements (CTPP register, contractual requirements, oversight) are among the most operationally challenging. Advisory on how boards should govern this risk category, and where the most significant exposures typically sit.
Resilience Testing Governance
DORA mandates threat-led penetration testing (TLPT) for significant firms and basic resilience testing for others. Advisory on what boards need to understand and approve, and how to ensure testing programmes are fit for regulatory scrutiny.
Regulator Engagement Preparation
Preparing boards and executive teams for FCA, ECB, or national competent authority engagement on DORA obligations. Informed directly by former FCA advisory experience and an understanding of what regulators are actually looking for, not just what the regulation says.
Cross-Regime Alignment (DORA + PS21/3 + NIS2)
For firms facing multiple regulatory obligations simultaneously, advisory on building a coherent governance structure that satisfies DORA, FCA operational resilience, and NIS2 without duplicating effort or creating contradictory frameworks.
Financial services boards, executives, and regulated organisations navigating DORA for the first time
Banking and Payment Institutions
Firms in the core DORA scope where ICT risk governance, third-party dependency, and resilience testing obligations are most extensive. Particularly relevant for boards that have received implementation updates but have not yet addressed their own governance obligations.
Insurance and Lloyd's Market
Insurers, managing agents, and Lloyd's syndicates where DORA scope intersects with existing Solvency II and FCA obligations. The former Lloyd's market advisory appointment provides direct insight into how the market approaches regulatory alignment.
Asset Managers and Investment Firms
MiFID-regulated investment firms and AIFMD-regulated managers who may have underestimated their DORA exposure. Advisory on scoping, board obligations, and the interaction with FCA operational resilience requirements.
Critical ICT Third-Party Providers
Technology firms and cloud providers designated as CTPPs under DORA who need to understand their obligations and prepare for regulatory oversight from EU supervisory authorities.
PE-Backed Financial Services
Private equity-owned financial services businesses where DORA compliance is a value-creation and exit-readiness issue, and where the board governance structure may need strengthening before regulatory engagement.
In-House Legal and Compliance Functions
General counsel and chief compliance officers who need an independent, senior technical perspective to pressure-test their DORA compliance assessments before presenting to the board or a regulator.
"The regulatory direction across FCA, DORA, and NIS2 is consistent: boards are accountable. Not management. Not the CISO. The board. That shift has been coming for a decade. It has now arrived."
Ali Zeb
DORA governance gap? Let's talk
Board-level advisory on DORA, NIS2, and FCA operational resilience. Informed by former FCA and NCSC advisory appointments. I respond to every enquiry personally.
Arrange a Conversation