Abstract
With the approval of the DORA Regulation, the European legislator has established specific provisions on the governance of cyber risks by the management body of financial companies. This regulatory choice offers an opportunity to consider the repercussions that the governance of digital security risks is bound to have on certain fundamental elements of corporate governance itself, such as the duty to set up appropriate corporate structures, the duty to act in an informed manner, and the competences of the management body.

By transcending the perimeter of general cybersecurity regulation, and with the intention of intervening in the delicate balances of private autonomy in the provision of digital financial services, the DORA Regulation proposes a new paradigm of all-encompassing management of cyber risks, one that does not depend on the business activity exercised or on the type of technologies employed. The proposed approach ultimately aims at the integrated management of cyber risks alongside the other relevant risk items in the financial sector. Conceived in terms of governance, the notion of digital operational resilience proposed by DORA is interpreted by the Author as the normative landing place of a necessary paradigm shift, one worthy of being extended to general corporate governance law.
| Translated title of the contribution | [Autom. eng. transl.] Digital operational resilience as a matter of corporate governance: first reflections starting from DORA |
|---|---|
| Original language | Italian |
| Pages (from-to) | 553-580 |
| Number of pages | 28 |
| Journal | CORPORATE GOVERNANCE |
| Publication status | Published - 2022 |
Keywords
- DORA
- digital operational resilience
- cyber risk