
Mastering DORA: Digital Operational Resilience Act Expert Track
This course takes you from foundational understanding to expert-level mastery of the EU Digital Operational Resilience Act (DORA). You will learn the full regulatory framework, its interaction with other EU laws, and how to design, implement, and govern a robust DORA compliance and digital resilience program in financial entities and ICT providers.
Course Content
14 modules · 3h 30m total
Module 1: What Is DORA and Why It Matters Now
Introduce the Digital Operational Resilience Act (DORA), its policy objectives, and why it fundamentally changes ICT risk and cyber resilience obligations for financial entities and their ICT providers in the EU.
Module 2: Scope of Application – Who and What Is Covered
Dive into the entities, services and activities that fall within DORA’s scope, including financial entities, ICT third‑party providers, and critical ICT service providers.
Module 3: DORA in the EU Regulatory Landscape
Position DORA among other key EU regulations, clarifying overlaps and complementarities with frameworks like GDPR, NIS2, PSD2, and sector‑specific guidelines.
Module 4: Governance and the ICT Risk Management Framework
Examine DORA’s governance expectations and the required ICT Risk Management Framework, including the responsibilities of the management body and the integration of resilience into overall corporate governance.
Module 5: ICT Incident Management, Classification and Reporting
Explore how DORA structures ICT incident management, including classification of incidents, internal handling, and external reporting and notification obligations to authorities and clients.
Module 6: Digital Operational Resilience Testing and TLPT
Detail DORA’s requirements for testing digital operational resilience, from basic testing practices to advanced threat‑led penetration testing (TLPT) for certain entities.
Module 7: Managing ICT Third‑Party Risk and Critical Providers
Analyze DORA’s comprehensive approach to ICT third‑party risk management, including contractual standards, oversight of critical ICT providers, and cross‑border implications.
Module 8: Information and Intelligence Sharing Under DORA
Cover DORA’s provisions on voluntary information sharing about cyber threats and vulnerabilities, and how these mechanisms support sector‑wide resilience.
Module 9: Penalties, Enforcement, and Supervisory Expectations
Examine how DORA is enforced, the range of penalties for non‑compliance, and emerging supervisory expectations as the January 2025 deadline takes effect.
Module 10: Designing a DORA Implementation Roadmap
Translate regulatory requirements into a structured implementation program, including gap analysis, prioritization, and integration with existing risk and compliance initiatives.
Module 11: Operating Model and Control Design for Ongoing Compliance
Focus on the steady‑state operating model required to sustain DORA compliance, including control design, documentation, and assurance mechanisms.
Module 12: Case Studies – Applying DORA in Different Financial Entities
Use practical case studies to apply DORA concepts to different types and sizes of financial entities, highlighting proportionality and sector‑specific challenges.
Module 13: DORA for ICT and Cloud Service Providers
Examine DORA from the perspective of ICT and cloud service providers, especially those that may be designated as critical ICT third‑party providers.
Module 14: Metrics, Reporting, and Continuous Improvement in DORA Programs
Define how to measure the effectiveness of a DORA program using operational and risk metrics, and how to drive continuous improvement over time.
Read the Textbook
In January 2025, the **Digital Operational Resilience Act (DORA)** stopped being a future concern and became **binding law** across the EU financial sector.
- **Legal reference**: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
- **Part of**: the **EU Digital Finance Package** (adopted 2020)
- **Key date**: DORA entered into force in 2022, and **started applying on 17 January 2025** (relative to today: *earlier this year*).
DORA is **not just another cybersecurity guideline**. It is a **directly applicable EU regulation** that: