DORA Compliance Training: Digital Operational Resilience
DORA is now in force for 22,000+ EU financial entities. ICT risk management training is mandatory for management bodies. We prepare your team for every DORA obligation.
DORA Training Curriculum
Scope & Applicability
Which financial entities are in scope: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party providers. Proportionality principle.
ICT Risk Management Framework
Art. 6-16 requirements: governance, identification, protection, detection, response and recovery, learning and evolving. Building and maintaining the ICT risk management framework.
Incident Classification & Reporting
Major ICT incident criteria, 4-hour initial notification, 24-hour intermediate report, one-month final report. Classification methodology and CSIRT coordination.
Digital Operational Resilience Testing
Basic testing (vulnerability assessments, network security testing) and advanced testing (threat-led penetration testing/TLPT). Testing frequency, scope, and reporting requirements.
Third-Party ICT Risk
Vendor risk management framework, contractual requirements for ICT providers, concentration risk, exit strategies, and the new oversight framework for critical ICT third-party providers.
Information Sharing
Voluntary information sharing arrangements, threat intelligence sharing, operational learnings, and participation in financial sector information sharing groups.
Management Body Responsibilities
Art. 5 obligations: defining ICT risk management strategy, approving policies, allocating budget, ensuring adequate training, and personal accountability for ICT risk oversight.
Who Should Attend
For financial services staff, board members, and ICT service providers who must comply with DORA's digital operational resilience requirements.
- Financial Services Staff
IT, compliance, risk management, and operations staff in banks, insurance companies, investment firms, and payment institutions subject to DORA.
- Board & Management
Board members and senior management with Art. 5 responsibilities for ICT risk management strategy approval and oversight.
- ICT Service Providers
Critical and important ICT third-party service providers who must understand DORA requirements that flow through from financial entity contracts.
Regulatory Framework
DORA training addresses the EU's dedicated framework for digital operational resilience in the financial sector.
Ready for DORA compliance training?
Free 30-minute consultation: assess your DORA obligations, plan ICT risk training, and get a proposal.
Frequently Asked Questions
Who does DORA apply to?
DORA applies to virtually all EU-regulated financial entities: credit institutions, payment institutions, investment firms, insurance companies, pension funds, crypto-asset service providers, and crowdfunding platforms. It also creates an oversight framework for critical ICT third-party providers.
Is management body training mandatory under DORA?
Yes. Art. 5(4) requires that 'members of the management body shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk.' This includes following specific training on ICT risks and their impact on the entity's operations.
How does DORA overlap with NIS2?
DORA is lex specialis for the financial sector, so it takes precedence over NIS2 for financial entities. DORA's requirements are generally stricter than those of NIS2. Financial entities therefore comply with DORA (not NIS2) for cybersecurity, but may still need NIS2 awareness for group-level compliance where other group companies fall under NIS2.
What are the penalties for DORA non-compliance?
DORA delegates penalty determination to national competent authorities (HNB, HANFA in Croatia). Penalties must be effective, proportionate, and dissuasive. For critical ICT third-party providers, the EU oversight framework can impose periodic penalty payments of up to 1% of average daily worldwide turnover.
What testing does DORA require?
All entities must perform basic testing (vulnerability assessments, network security, gap analysis, software testing). Significant entities must also conduct advanced threat-led penetration testing (TLPT) at least every 3 years, covering critical functions and live production systems.
What is the DORA compliance timeline?
DORA entered into force on January 17, 2025. All financial entities in scope must be fully compliant. If you haven't started implementation, urgent action is needed: begin with a gap assessment against DORA requirements and with management body training.
Related compliance services
DORA compliance for your financial institution
DORA is in force. Your management body needs training, your ICT risk management framework needs to be in place, and your incident reporting procedures must be ready. Start with our comprehensive DORA training program.