LEX SPECIALIS FOR FINANCIAL ENTITIES  |  ENFORCEMENT LIVE SINCE JAN 2025

DORA Compliance Training for EU Financial Entities and ICT Providers

The Digital Operational Resilience Act is live. January 17, 2025 enforcement is behind us — a year of regulatory scrutiny, ESA oversight activations, and critical ICT third-party designations are now in the rearview. Year-two brings matured enforcement, ESA-led TLPT mandates, and an expectation that DORA isn't a project you finished, but a capability you operate. Make sure your organization is operating, not just compliant.

Personal — $150 → Executive — $390 → Business — $900 flat → data-ga-event="book_cta_click" data-ga-cta-location="dora">Book DORA Training → Download the Readiness Checklist
500+ professionals trained
20+ financial entity types covered
98% satisfaction rate
Live expert instructors, always

Everything DORA requires — mapped to training outcomes.

DORA has five pillars. Every training session we deliver maps to specific obligations within each one.

Pillar 1
ICT Risk Management
Articles 5–15
Mandatory ICT Risk Management Framework embedded in governance. Annual (minimum) ICT risk identification and assessment. Multilayered controls: prevention, detection, response, recovery. Management body accountability — active oversight, not rubber-stamping. Business continuity and disaster recovery aligned to ICT risk appetite.
Pillar 2
ICT-Related Incident Reporting
Articles 17–23
4-hour initial notification to competent authority for "major" incidents (criteria per RTS). 72-hour intermediate report — updated classification, initial impact assessment. 1-month final report — full root cause, remediation measures, cascade indicators. Cross-border reporting obligations where the incident affects entities in multiple member states.
Pillar 3
Digital Operational Resilience Testing Including TLPT
Articles 24–27
Basic testing: Vulnerability assessments, network security scans, gap analyses — at minimum annually. Advanced testing (TLPT): Threat-led penetration testing for designated entities following TIBER-EU framework. Results fed into remediation and continuous improvement of ICT risk framework.
Pillar 4
ICT Third-Party Risk
Articles 28–44
Register of Information (RoI): Full contractual landscape of ICT arrangements — mandatory, up-to-date, submitted to competent authorities. CTPPs: Designated by ESAs — cloud providers, data centres, critical software vendors. Contractual minimum standards: SLAs, exit clauses, audit rights, incident notification, sub-outsourcing constraints. Intra-group carve-out is conditional — do not treat as blanket exemption.
Pillar 5
Information Sharing
Article 45
Voluntary cyber threat intelligence sharing within CIISI-EU framework. ECRB (European Cyber Resilience Board) coordination. Information sharing does not compromise operational security or individual entity data. Decision record on participation (active or opted-out with rationale) required.
2026 Update: ESA CTPP designation round two is active.
If your ICT providers haven't confirmed their designation status with you, the Register of Information needs a flag — not a gap. Download the RoI template →

20 financial entity types. Critical ICT third-party providers. All subject to DORA enforcement.

Article 2 defines the scope. If your entity type appears on this list, DORA applies — with direct obligations and enforcement consequences.

Financial Entities — Article 2(a–t)
20 entity types in DORA scope
  • 1. Credit institutions
  • 2. Payment institutions
  • 3. Account information service providers (AISPs)
  • 4. Electronic money institutions
  • 5. Investment firms
  • 6. Management companies (UCITS/AIFM)
  • 7. Insurance undertakings
  • 8. Reinsurance undertakings
  • 9. Insurance/reinsurance intermediaries
  • 10. Occupational pension funds (IORPs)
  • 11. Credit servicers
  • 12. Crypto-asset service providers (CASP — MiCA)
  • 13. Crowdfunding service providers
  • 14. DRSPs
  • 15. Securitisation repositories
  • 16. Trustees and depositaries
  • 17. CSDs (central securities depositories)
  • 18. CCPs (central counterparties)
  • 19. Trading venues
  • 20. Benchmark administrators
Critical ICT Third-Party Providers
CTPPs — Direct ESA supervision
  • Cloud providers (IaaS, PaaS, SaaS)
  • Data centre operators (colocation, hosting)
  • Critical software vendors (core banking, payment processing)
  • Managed security service providers (MSSPs)
  • ICT providers designated by ESAs under Art. 33
CTPPs under direct ESA supervision
The Lead Overseer (EBA, ESMA, EIOPA) can impose fines up to 1% of average daily worldwide turnover per day for up to six months. If your ICT provider is a CTPP, their compliance is your exposure.
Deadline passed. Enforcement active.
The January 17, 2025 compliance date is not a starting pistol — it's behind us. NCAs across EU member states are auditing for operational continuity, not just documented frameworks. See where your gaps are →

The gaps that trigger ESA scrutiny — and what DORA training addresses.

These are the threat patterns our DORA training covers — documented from real incidents and ESA supervisory findings.

Threat 1
ICT Concentration Risk
Over-reliance on a single or limited number of ICT providers creates systemic exposure. A failure at one provider cascades across multiple financial entities simultaneously. The RoI must flag concentration; the ICT RMF must include concentration risk assessment. Article 28–44.
Art. 28–44
Threat 2
Sub-Outsourcing Chain Gaps
Tier-2 and tier-3 subcontractors are often invisible in the RoI. If your cloud provider's sub-processor fails, you may not have audit rights or incident notification clauses — because you didn't contract with them directly. The cascade map must go all the way down. Article 30.
Art. 30
Threat 3
Intra-Group TPSP Carve-Out Over-Reliance
Article 30(8) provides a conditional carve-out for intra-group ICT arrangements. It is not a blanket exemption — conditions must be met and documented. Treating it as a blanket exemption is one of the most common gaps ESA supervisors find during RoI review. Article 30(8).
Art. 30(8)
Threat 4
TLPT Red-Team Scoping Failures
Treating TLPT as a standard penetration test is a common mistake. TLPT requires threat intelligence scope, Purple Team involvement, and TIBER-EU framework alignment. Scoping it as a box-ticking exercise means the human element — phishing, BEC, social engineering — doesn't get the coverage it needs. Articles 24–27.
Art. 24–27
Threat 5
Incident Classification Threshold Misalignment
Under-classifying "major" incidents is a serious regulatory exposure. The 4-hour clock doesn't start if you don't classify an incident as major. If the incident meets any RTS threshold (duration, data volume, user impact, financial loss), it must be classified as major — and the clock starts on awareness, not on the incident itself. Articles 17–23.
Art. 17–23
Threat 6
Register of Information Gaps for ESA Reporting
The RoI must meet RTS minimum fields — and the ESA supervisory review is checking. Missing fields, outdated entries, unconfirmed CTPP designation status, absent sub-outsourcer chains, and missing concentration risk flags are all gaps. ESA CTPP designation round two makes this urgent in 2026. Article 28(3).
Art. 28(3)

Not sure where your gaps are?

Personal — $150 → Executive — $390 → Business — $900 flat → data-ga-event="dora_cta_click" data-ga-cta-type="assessment">Take the DORA Readiness Assessment →
📋 Free Download

DORA Year-One Readiness Checklist

Are you still implementing, or already operating? Download the checklist that goes beyond 'done' to 'DORA-mature.'

Register of Information Template
RTS-compliant fields, entity/sub-consolidated/consolidated levels, CTPP cross-reference
Incident Classification Matrix
Decision tree per RTS criteria, impact thresholds, reporting timeline tracker
TLPT Scoping Worksheet
TIBER-EU stages, threat intelligence scope, red-team rules of engagement
Sub-Outsourcer Cascade Map
Tier-1 to tier-N mapping, audit rights per contract tier

No spam. Unsubscribe anytime.

How SecurEveryone solves this

DORA compliance training — documented for ESA and your NCA.

Our Business session ($900) delivers training across all five DORA pillars — ICT risk management, incident reporting, TLPT human element, third-party risk, and threat sharing — in a single 2-hour live webinar. Attendance records with individual timestamps provided for every participant.

Personal — $150 Executive — $390 Business — $900 data-ga-event="compliance_cta_click" data-ga-compliance="dora" data-ga-tier="business"> Book Business Session — $900 →

One flat rate. All five DORA pillars covered. Documented for your compliance file.

All sessions include attendance records with individual timestamps — the documented evidence ESA and NCAs expect to see.

Personal
$150
For individual ICT staff or compliance officers.
  • 60-minute personalised session on Zoom, Meet, or Teams
  • DORA five pillars covered
  • ICT third-party risk focus
  • Incident classification scenario training
Attendance record provided for your DORA training register.
Book this session →
Business
$900
Unlimited users · $900 flat — all five DORA pillars.
  • 2-hour comprehensive live webinar
  • Unlimited participants — no per-seat fees
  • All five DORA pillars in one session
  • ICT RMF + incident reporting + TLPT + CTPP
  • Attendance record + session summary provided
$900 flat. Train your entire organisation at once.
Book this session →

Common questions from DORA-scope financial entities.

How does DORA vs NIS2 scope work for financial entities?

Where a financial entity falls within both DORA and NIS2 scope, DORA takes precedence for ICT operational resilience obligations (risk management, incident reporting, third-party risk). This does not exempt financial entities from NIS2 for non-financial services. DORA is lex specialis — more specific, more granular obligations that sit above the NIS2 baseline for financial sector ICT. If your organization is in scope for both, document DORA compliance as the primary framework and reference NIS2 for non-ICT risk management obligations.

What is the Register of Information (RoI) and what must it contain?

The RoI is a mandatory register of all ICT contractual arrangements, required under Article 28(3) and specified by ESA regulatory technical standards (RTS). It must include: ICT provider name and LEI, contract type and duration, ICT services provided, data processed/stored, CTPP designation status confirmed by each critical provider, sub-contractors (tier-1 to tier-N) with audit rights confirmed, contractual minimum standards confirmed per contract, and concentration risk flags for single/limited provider dependencies. The RoI must be kept up-to-date and submitted to competent authorities on request.

What are the DORA incident reporting timelines?

DORA Article 17 establishes a three-stage notification regime for 'major' ICT incidents: (1) Initial notification within 4 hours of classification as major — this is an early alert, not a full report; (2) Intermediate report within 72 hours — updated incident classification, initial impact assessment, and any cross-border dimensions; (3) Final report within 1 month — full root cause analysis, remediation measures taken and planned, and cascade indicators. The 4-hour clock starts on awareness (when the entity becomes aware), not on the incident itself. Classification criteria are defined in the ESA RTS.

Who are Critical ICT Third-Party Providers (CTPPs)?

CTPPs are ICT third-party providers designated by the European Supervisory Authorities (EBA, ESMA, EIOPA) as critical to the financial sector. This includes major cloud service providers, data centre operators, and critical software vendors. CTPPs are placed under direct ESA supervision and must meet specific contractual minimum standards. Financial entities must confirm CTPP designation status with their ICT providers — if a provider hasn't confirmed their status, the RoI needs a flag, not a gap. ESA CTPP designation round two is active as of 2026.

What is TLPT and which entities need it?

TLPT (Threat-Led Penetration Testing) is an advanced testing requirement under DORA Articles 26-27, following the TIBER-EU framework. It applies to designated entities (significant financial entities) and goes well beyond a standard penetration test — it involves threat intelligence-led scenario planning, a Purple Team, and a full red-team engagement. The scope covers the human element (phishing, social engineering, BEC) and ICT systems, with results fed into the ICT risk framework remediation. Basic testing (vulnerability assessments, network scans, gap analyses) is required annually for all entities; TLPT applies additionally to entities designated under Article 26.