DORA is now in force for 22,000+ EU financial entities. ICT risk management training is mandatory for management bodies. We prepare your team for every DORA obligation.
Which financial entities are in scope: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party providers. Proportionality principle.
Art. 6-16 requirements: governance, identification, protection, detection, response and recovery, learning and evolving. Building and maintaining the ICT risk management framework.
Major ICT incident criteria, 4-hour initial notification, 24-hour intermediate report, one-month final report. Classification methodology and CSIRT coordination.
Basic testing (vulnerability assessments, network security testing) and advanced testing (threat-led penetration testing/TLPT). Testing frequency, scope, and reporting requirements.
Vendor risk management framework, contractual requirements for ICT providers, concentration risk, exit strategies, and the new oversight framework for critical ICT third-party providers.
Voluntary information sharing arrangements, threat intelligence sharing, operational learnings, and participation in financial sector information sharing groups.
Art. 5 obligations: defining ICT risk management strategy, approving policies, allocating budget, ensuring adequate training, and personal accountability for ICT risk oversight.
For financial services staff, board members, and ICT service providers who must comply with DORA's digital operational resilience requirements.
IT, compliance, risk management, and operations staff in banks, insurance companies, investment firms, and payment institutions subject to DORA.
Board members and senior management with Art. 5 responsibilities for ICT risk management strategy approval and oversight.
Critical and important ICT third-party service providers who must understand DORA requirements that flow through from financial entity contracts.
DORA training addresses the EU's dedicated framework for digital operational resilience in the financial sector.
Free 30-minute consultation — assess your DORA obligations, plan ICT risk training, get a proposal
DORA applies to virtually all EU-regulated financial entities: credit institutions, payment institutions, investment firms, insurance companies, pension funds, crypto-asset service providers, and crowdfunding platforms. It also creates an oversight framework for critical ICT third-party providers.
Yes. Art. 5(4) requires that 'members of the management body shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk.' This includes following specific training on ICT risks and their impact on the entity's operations.
DORA is lex specialis for the financial sector: it takes precedence over NIS2 for financial entities, and its requirements are generally stricter than those of NIS2. Financial entities comply with DORA (not NIS2) for cybersecurity, but may still need NIS2 awareness for group-level compliance.
DORA delegates penalty determination to national competent authorities (in Croatia, HNB and HANFA). Penalties must be effective, proportionate, and dissuasive. For critical ICT third-party providers, the EU oversight framework can impose periodic penalty payments of up to 1% of average daily worldwide turnover.
All entities must perform basic testing (vulnerability assessments, network security, gap analysis, software testing). Significant entities must also conduct advanced threat-led penetration testing (TLPT) at least every 3 years, covering critical functions and live production systems.
DORA entered into force on January 17, 2025. All financial entities in scope must be fully compliant. If you haven't started implementation, urgent action is needed — begin with a gap assessment against DORA requirements and management body training.
DORA is in force. Your management body needs training, your ICT risk management framework needs to be in place, and your incident reporting procedures must be ready. Start with our comprehensive DORA training program.