Skip to content

DORA

DORA Article 6: the framework on paper, and the RTS that makes it real

Article 5 put the management body on the hook. Article 6 describes the thing they are on the hook for: the ICT risk management framework. And here is where most DORA write-ups stop too early, because Article 6 is only half the text you need. The other half lives in a delegated regulation most people have never opened. Today I want to connect the two.

DORA Article 5: what the management body actually signs up for

DORA gets treated like an IT project. Article 5 says otherwise. It is the first substantive article of the regulation, it is about governance, and it puts the board on the hook before a single firewall rule is mentioned. Today I want to walk through what Article 5 requires, what the defined terms actually mean, and what this looks like in practice.