Business Strategy
Purpose of the Requirement
The requirement ensures that the digital operational resilience strategy is anchored in, supportive of, and coherent with the financial entity’s business strategy and organisational objectives.
It obliges financial entities to articulate clearly how the ICT risk management framework contributes to business stability, growth, competitiveness, service delivery, regulatory compliance, and client protection.
This creates a direct linkage between corporate strategy, ICT risk governance, and digital operational resilience, ensuring that ICT risk is not managed in isolation but integrated into the broader strategic and operational decision-making process.
Scope of Application
This requirement applies to all financial entities, except microenterprises where proportional provisions apply. It must be reflected:
- at entity level,
- at sub-consolidated or consolidated level for groups,
- across all business lines, functions, and services relying on ICT assets, information assets, or ICT third-party service providers.
It encompasses current business activities, planned expansions, digital transformation initiatives, product development, client-facing platforms, operational capabilities, and risk appetite settings.
Mandatory Components
To comply with Article 6(8)(a), the digital operational resilience strategy must explicitly explain, demonstrate, and document the alignment between the ICT risk management framework and the financial entity’s business strategy.
At a minimum, it must address the following:
Strategic Alignment Statement
The strategy must include a clear narrative explaining:
- how ICT risk management supports the achievement of the business strategy, business model, and commercial objectives;
- how digital operational resilience underpins key business outcomes (e.g., reliability of customer services, operational efficiency, market trust, regulatory soundness);
- how ICT risk considerations are embedded into strategic planning cycles and corporate governance processes.
Integration into Business Objectives
The strategy must describe how the ICT risk management framework supports:
- long-term corporate goals and programme portfolios,
- strategic initiatives involving digitalisation, cloud adoption, or outsourcing,
- transformation programmes (e.g., digital channels, automation, AI, payments modernisation),
- resilience objectives expressed by the management body (e.g., service uptime targets, RTO/RPO expectations).
Business objectives must be translated into specific ICT resilience requirements, including operational capacities, protection needs, testing regimes, and risk tolerance thresholds.
Support for Critical or Important Functions
The strategy must identify how ICT risk management ensures the stability of critical or important functions, including:
- the resilience of core platforms,
- continuity of regulated services,
- protection of customer data,
- management of ICT third-party dependencies,
- prevention of disruptions that could affect financial stability or client interests.
This includes demonstrating how business-critical dependencies are protected through robust ICT controls, BCP/DR strategies, and third-party oversight mechanisms.
Resource Allocation and Prioritisation
The strategy must explain how ICT risk management informs:
- the prioritisation of ICT investments,
- staffing and capability development,
- budget allocation for cybersecurity, resilience testing, ICT operations, and governance,
- planning of major ICT programmes or projects (e.g., migrations, modernisation).
It must show that digital resilience is a strategic enabler and a resource allocation criterion.
Risk Appetite and Impact Tolerance Integration
The strategy must describe how:
- the ICT risk tolerance level (Article 6(8)(b) DORA) is aligned with business risk appetite,
- impact tolerances for disruptions support the continuity requirements of business processes,
- strategic decisions (e.g., cloud concentration, outsourcing, new product lines) are assessed through an ICT risk lens.
There must be a demonstrable linkage between business criticality and ICT protective measures.
Dependency and Growth Considerations
The strategy must explain how ICT risk management supports:
- the planned evolution of the business model,
- expected growth in clients, transactions, data volumes, or digital engagement,
- introduction of new services that rely on ICT assets or ICT third-party service providers.
It must describe how ICT capacity, resilience, and security requirements scale with business ambitions.
Governance Integration
The strategy must describe:
- how the management body oversees the alignment between ICT risk management and business strategy,
- how ICT risk information flows into strategic decision-making processes,
- how deviations are escalated.
It must also demonstrate integration with the overall risk framework, internal control system, and audit planning.
Interdependencies with Other DORA Requirements
Alignment with business strategy is intrinsically connected to:
- Article 6(8)(b)–(h) DORA (full digital operational resilience strategy components)
- ICT risk tolerance (Article 6(8)(b))
- Information security objectives (Article 6(8)(c))
- ICT reference architecture (Article 6(8)(d))
- Incident detection and protection mechanisms (Article 6(8)(e))
- ICT-related incidents and preventive control outcomes (Article 6(8)(f))
- Digital operational resilience testing (Article 6(8)(g))
- Communication strategy (Article 6(8)(h))
- ICT third-party risk strategy (Article 28(2))
- Multi-vendor strategy (Article 6(9))
- ICT business continuity and response/recovery framework (Article 11)
- ICT BIA (Article 11(5))
- Annual ICT risk management review (Article 6(5))
Thus, the articulation under Article 6(8)(a) forms the strategic anchor for the entire DORA implementation.
Documentation Requirements
The strategy must be documented, approved, reviewed, and maintained as part of the ICT risk management framework. Documentation must include:
- written statements linking ICT risk management to business strategy
- mapping of business objectives to ICT controls and resilience structures
- evidence of strategic decision-making integration (e.g., board minutes, strategy papers)
- version history and rationale for updates
- integration into supervisory submissions when requested under Article 6(5)
Documentation must be searchable and capable of demonstrating supervisory-level accountability.
Governance and Oversight
The management body must:
- set and approve the digital operational resilience strategy
- ensure clear articulation of ICT–business alignment
- periodically review and update the strategy
- supervise the implementation of ICT risk management practices that support business goals
- ensure that ICT risks are considered in strategic decisions
- allocate resources sufficient to meet the strategic resilience requirements
Board- and senior-management-level oversight must be explicit, documented, and consistent with the three lines of defence model and Article 6(4) DORA.