*We customize the course outline and content to your specific needs and relevant use cases.
Module 1: Introduction to DORA and the resilience context
- Basic definition, purpose, and strategic intent of DORA
- Background of the regulation and expected benefits of implementation
- Relationship between DORA and the broader concept of operational resilience
- Why cyber resilience is now a board-level and enterprise-wide concern
Module 2: Scope, affected entities, and structure of DORA
- Which sectors, institutions, and service relationships fall within scope
- Main objectives and the protection goals addressed by DORA
- Overview of the regulation, supporting documents, and implementation logic
- Core terminology, obligation areas, and how they relate to one another
Module 3: Embedding DORA into existing structures
- How DORA can be integrated into existing governance and control structures
- Links to governance, risk management, compliance, and information security management systems
- Mapping DORA to existing operating models, committees, and reporting lines
- Avoiding duplication by aligning resilience work with current organizational practices
Module 4: DORA strategies, governance, and implementation foundations
- Requirements for an operational resilience strategy
- Focus of DORA-related strategy work, especially ICT risk management
- Technical and organizational requirements at a high level
- Monitoring, oversight, and internal ownership as part of sustainable implementation
Module 5: ICT risk management under DORA
- Core expectations for identifying, protecting, detecting, responding, and recovering
- Practical relationship between DORA, COBIT-oriented controls, and ISO 27001-style governance
- Structuring an ICT risk management approach that is proportionate and auditable
- Building a usable internal plan that connects risk, controls, ownership, and escalation
Module 6: Business continuity and operational stability
- Challenges from cyber attacks and wider operational disruption scenarios
- Impact of DORA on continuity planning, crisis structures, and emergency management
- Building an effective BCM and disaster recovery approach in the DORA context
- Practical recommendations for linking continuity, IT emergency management, and resilience priorities
Module 7: Cloud computing and third-party considerations
- Fundamentals of cloud computing in the context of financial sector resilience
- Cloud security and resilience expectations in regulated environments
- BaFin-related cloud considerations and their practical implications for institutions
- Strengthening oversight, accountability, and control over external ICT dependencies
Module 8: ICT incident management and reporting obligations
- Processes for detecting, classifying, managing, and escalating ICT-related incidents
- Organizing reporting flows and communication channels inside the institution
- Regulatory reporting obligations and expectations for consistency and timeliness
- Common implementation challenges in aligning operational response with reporting duties
Module 9: Digital operational resilience testing
- Purpose and structure of resilience testing under DORA
- Basic and more advanced forms of testing and how they fit into the broader control framework
- Linking testing to remediation, assurance, and management oversight
- Practical planning considerations for evidence, follow-up, and institutional readiness
Module 10: Threat-led testing and advanced assurance
- Position of threat-led penetration testing (TLPT) within the DORA testing framework
- Planning assumptions, scope boundaries, and organizational preparation for TLPT
- Coordination between business, security, technology, and third parties during advanced testing
- Translating test findings into governance decisions and resilience improvements
Module 11: Implementation approaches, success factors, and change management
- Possible implementation paths for different types of financial institutions
- Success factors and best practices for sustainable DORA implementation
- Importance of the right mindset in resilience programs and transformation efforts
- Strategies for change management, internal adoption, and scaling resilience practices enterprise-wide
Module 12: Leadership, awareness, and long-term operating model
- Building a cybersecurity culture supported by leadership and visible accountability
- Training and awareness as part of resilience, not as a separate compliance task
- Connecting governance, risk, continuity, incident handling, testing, and third-party oversight into one operating model
- Developing a practical checklist for long-term DORA readiness and resilience maturity