Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an integrated approach to digital operational resilience across the EU’s financial sector. It comprises a regulation and three directives, which were published in the Official Journal of the European Union on 27 December 2022.
DORA amends several existing EU directives relating to the financial sector, while the Regulation defines network and information security requirements for organisations in the financial sector and their third-party information and communication technology (ICT) service providers.
DORA has two objectives: to address ICT risk management in the financial services sector, and to enhance the coordination of existing ICT risk management regulations in individual EU member states. The EU aims to establish a universal framework for managing and mitigating ICT risk in the financial sector. DORA’s purpose is to eliminate gaps, overlaps and conflicts that exist or could arise between disparate regulations in different EU states, providing a shared set of rules so that institutions are held to the same standard.
The Digital Operational Resilience Act (DORA) regulation requirements
The principal part of the Act is regulation (EU) 2022/2554 on digital operational resilience for the financial sector.
This sets out requirements covering five critical areas:
- ICT risk management framework: DORA emphasises the need for financial entities to establish an internal governance and control framework for ICT, and to appoint a management body to coordinate and implement ICT risk management measures.
- ICT-related incident management, classification and reporting: DORA provides a streamlined approach to incident management and reporting for entities in the financial service industry and their service providers. This requirement ensures disruptions are managed quickly and effectively, while minimising the impact on clients and the wider business.
- Digital operational resilience testing: To ensure digital operational resilience and provide evidence of that fact, financial entities are required to implement rigorous testing plans. In some cases, this may involve advanced penetration testing, which may need to be conducted every three years.
- Third-party ICT risk management: DORA defines principle-based rules for monitoring risks related to outsourced tasks. Outsourcing agreements must comply with minimum contracting requirements, which are outlined in the full text of the Regulation.
- Information sharing: DORA permits financial entities to share information, which has many benefits such as creating awareness of threats and improving defensive and detection techniques.
The Regulation also establishes:
- Rules for a supervisory framework for critical ICT third-party service providers when providing services to financial entities; and
- Rules on cooperation among supervisory authorities, and on supervision and enforcement.
Financial entities and third-party ICT service providers have until 17 January 2025 to comply with DORA before enforcement starts.
What does a DORA qualification from IBITGQ mean?
A certified DORA qualification asserts that a person or accredited trainer has achieved the required examination pass mark for one or more of IBITGQ’s DORA certification schemes. Our courses are designed to meet your organisation's needs in relation to DORA. Qualifications range from basic, foundational understanding through to the expertise required of directors:
- Certified DORA Foundation
- Certified DORA Practitioner
- Certified DORA Lead Auditor
- Certified DORA Compliance Officer
- Certified DORA ICT Risk Director
Who should obtain a certified DORA qualification?
Our certifications typically appeal to managers and professionals in risk management, compliance, audit, ICT, and related roles within financial-sector organisations. Certification is also useful for those, particularly in IT, who work for service providers supplying ICT services to financial institutions operating in the EU, and for anyone committed to continued professional development with a focus on high-quality information and cyber security practices.
In particular, our courses are ideal for people in the following roles:
- Certified DORA Foundation: Those who hold the following responsibilities in the financial services sector:
  - General management of the organisation.
  - Management of online services and processing.
  - Payment processing operations.
  - Cash distribution services.
  - Customer service processing.
  - Processing claims.
  - Renewal of insurance.
  - Debt repayment management.
  - Support for corporate and retail lending.
  - Support functions for the above roles, such as finance and IT staff.
- Certified DORA Practitioner: Senior management, critical service providers and those involved in essential financial services.
- Certified DORA Lead Auditor: Managers and professionals responsible for preparing for regular audits and for improving or amending systems and processes to ensure compliance.
- Certified DORA Compliance Officer: Managers and professionals in risk management, compliance and auditing who are responsible for ensuring that service providers in the supply chain meet their contractual responsibilities and compliance requirements in relation to DORA. It also suits managers and professionals in ICT service providers and subcontractors to financial-sector organisations operating in Europe.
- Certified DORA ICT Risk Director: Senior managers and directors in financial-sector organisations with accountability for their organisation’s DORA compliance. Senior managers and directors in ICT service providers that serve financial-sector organisations operating in the EU and who, therefore, are also accountable for the deeper supply chain’s DORA compliance.
The benefits of a DORA qualification
There are several benefits of IBITGQ’s DORA qualification for organisations, people and accredited training organisations (ATOs):
- People become credible information security leaders and contribute to their continuing professional development.
- Organisations implementing DORA compliance early have a competitive advantage and can operate without restrictions.
- Employees and organisations gain an opportunity to strengthen the organisation’s digital operational resilience, reducing the cost of cyber threats and legal infringements while increasing productivity and sustainability.
- As this is the first certification scheme for DORA offered by an accredited certification body, accredited training organisations (ATOs) that adopt it gain a competitive advantage.
For organisations
Regulatory compliance: To comply with DORA, an organisation must have employees who not only understand the Regulation’s principles but are also able to implement them to the highest standard. An employee holding one or more DORA qualifications provides evidence of compliance. The specific certification scheme is determined by the level of compliance required by the organisation and the employee’s role.
Cost reduction: Being able to demonstrate a good-faith effort to comply with DORA through the ongoing certification of employees reduces the risk of regulatory fines. Certified DORA professionals can also strengthen an organisation’s digital operational resilience, minimising the risk of costly security breaches.
Risk mitigation: Certified DORA professionals can identify vulnerabilities, assess risks, reduce gaps in security and expose threats.
Enhanced reputation: Ensuring compliance with DORA secures an organisation’s reputation by proving to clients, partners and affiliates that the highest standards are implemented. Certified DORA professionals help the organisation avoid reputational damage by securing its digital operational resilience, contributing to business continuity and a safer data environment.
Competitive advantage: Complying with DORA before the deadline helps business continuity for both the organisation and its clients, partners and affiliates.
Data governance: Compliance with DORA proves an organisation’s commitment to the security of data and complementary data governance regulations such as the General Data Protection Regulation (GDPR).
Extension of frameworks: ISO/IEC 27001:2022 and ISO 22301 form the basis of our DORA qualifications because they present a clear path to compliance with the Regulation.
Skills gaps: Encouraging employees to achieve DORA qualifications reduces future information security skills gaps.
For people
Increased knowledge and skills: DORA qualifications cover a range of knowledge requirements, from foundational to expert. They enhance your knowledge of a complex regulation while teaching you how to apply and integrate DORA-specific practices.
Continued professional development: Achieving one or more DORA qualifications earns CPD points, thus contributing to your professional development and making you more marketable.
Career advancement: Achieving a DORA qualification, depending on the certification level, can distinguish you as knowledgeable or an expert on DORA requirements and practices. DORA qualifications also provide opportunities for career advancement in the financial and related sectors.
Critical thinking: DORA qualifications prove that you can conduct an objective analysis to make an informed decision, allowing you to confidently address risk assessments, incident response and potential threats at the highest standard.
Network development: DORA qualifications expose you to like-minded peers and experts within the fields of IT governance, data protection and cyber security. This is valuable for shared learning and initiatives, collaboration, and maintaining knowledge of industry and regulatory trends.
Integrity and security: A DORA qualification demonstrates commitment to the organisation’s security and a willingness to contribute to a safer cyber environment. You will be perceived as having a certain level of integrity, which is also beneficial to the organisation when building an information security team.
Related frameworks: Achieving a Certified DORA qualification can provide a platform to explore additional areas of learning such as information security, cyber security, data security and business continuity.
For ATOs
First-to-market: There are limited DORA-specific training courses and certifications from ATOs and certification bodies. IBITGQ’s DORA qualifications are first-to-market by a certification body and can be marketed as such. The syllabi have been developed by industry leaders with a focus on theoretical and practical components to equip learners and organisations with the tools to address real-world scenarios.
Breaking through the clutter: There are several frameworks an organisation could implement to comply with DORA, but the issue is deciding which one is suitable. Offering DORA-specific training courses and certifications based on ISO 27001:2022 directs learners and organisations through the clutter of frameworks to a family of schemes that focus on compliance in a new era of information security regulations.
Increased offering: Adding DORA to an ATO’s portfolio will increase the organisation’s training course offerings. Increasing and diversifying an ATO’s training portfolio provides the opportunity to migrate into different sectors and become a consolidated training provider.
Existing training: Accredited trainers in ISO 27001:2022, cyber security and data protection will be able to adopt certified DORA courses more effectively.
Complementary schemes: DORA qualifications benefit from a deeper understanding of ISO/IEC 27001:2022 and ISO 22301:2019. ATOs should consider adding these complementary qualifications to their portfolios.
How can IBITGQ help people, organisations or accredited training organisations?
IBITGQ’s DORA qualifications are designed to equip people and organisations with the knowledge and skills to comply with DORA and equip ATOs with specific syllabi developed by leaders within the sector to develop certified DORA training courses.
To achieve an IBITGQ DORA qualification, candidates must complete a certified DORA examination. Each examination is mapped to the major theoretical principles and practical components of the Regulation.
Before sitting a certified DORA examination, a candidate can take training provided by an ATO. Alternatively, they can purchase an examination voucher, which is valid for a specific period, and take an exam administered by the Global Association for Software Quality (GASQ).
ATOs seeking to add DORA qualifications to their portfolio can contact IBITGQ directly through the service email: servicecentre@ibitgq.org. Accredited trainers will be required to become DORA qualified in the relevant courses before conducting training, and organisations will need to meet IBITGQ’s ATO criteria.