The Digital Operational Resilience Act is live. January 17, 2025 enforcement is behind us — a year of regulatory scrutiny, ESA oversight activations, and critical ICT third-party designations are now in the rearview. Year-two brings matured enforcement, ESA-led TLPT mandates, and an expectation that DORA isn't a project you finished, but a capability you operate. Make sure your organization is operating, not just compliant.
DORA has five pillars. Every training session we deliver maps to specific obligations within each one.
Article 2 defines the scope. If your entity type appears on this list, DORA applies — with direct obligations and enforcement consequences.
These are the threat patterns our DORA training covers — documented from real incidents and ESA supervisory findings.
Not sure where your gaps are?
Personal — $150 → Executive — $390 → Business — $900 flat → data-ga-event="dora_cta_click" data-ga-cta-type="assessment">Take the DORA Readiness Assessment →Are you still implementing, or already operating? Download the checklist that goes beyond 'done' to 'DORA-mature.'
No spam. Unsubscribe anytime.
Our Business session ($900) delivers training across all five DORA pillars — ICT risk management, incident reporting, TLPT human element, third-party risk, and threat sharing — in a single 2-hour live webinar. Attendance records with individual timestamps provided for every participant.
Personal — $150 Executive — $390 Business — $900 data-ga-event="compliance_cta_click" data-ga-compliance="dora" data-ga-tier="business"> Book Business Session — $900 →All sessions include attendance records with individual timestamps — the documented evidence ESA and NCAs expect to see.
Where a financial entity falls within both DORA and NIS2 scope, DORA takes precedence for ICT operational resilience obligations (risk management, incident reporting, third-party risk). This does not exempt financial entities from NIS2 for non-financial services. DORA is lex specialis — more specific, more granular obligations that sit above the NIS2 baseline for financial sector ICT. If your organization is in scope for both, document DORA compliance as the primary framework and reference NIS2 for non-ICT risk management obligations.
The RoI is a mandatory register of all ICT contractual arrangements, required under Article 28(3) and specified by ESA regulatory technical standards (RTS). It must include: ICT provider name and LEI, contract type and duration, ICT services provided, data processed/stored, CTPP designation status confirmed by each critical provider, sub-contractors (tier-1 to tier-N) with audit rights confirmed, contractual minimum standards confirmed per contract, and concentration risk flags for single/limited provider dependencies. The RoI must be kept up-to-date and submitted to competent authorities on request.
DORA Article 17 establishes a three-stage notification regime for 'major' ICT incidents: (1) Initial notification within 4 hours of classification as major — this is an early alert, not a full report; (2) Intermediate report within 72 hours — updated incident classification, initial impact assessment, and any cross-border dimensions; (3) Final report within 1 month — full root cause analysis, remediation measures taken and planned, and cascade indicators. The 4-hour clock starts on awareness (when the entity becomes aware), not on the incident itself. Classification criteria are defined in the ESA RTS.
CTPPs are ICT third-party providers designated by the European Supervisory Authorities (EBA, ESMA, EIOPA) as critical to the financial sector. This includes major cloud service providers, data centre operators, and critical software vendors. CTPPs are placed under direct ESA supervision and must meet specific contractual minimum standards. Financial entities must confirm CTPP designation status with their ICT providers — if a provider hasn't confirmed their status, the RoI needs a flag, not a gap. ESA CTPP designation round two is active as of 2026.
TLPT (Threat-Led Penetration Testing) is an advanced testing requirement under DORA Articles 26-27, following the TIBER-EU framework. It applies to designated entities (significant financial entities) and goes well beyond a standard penetration test — it involves threat intelligence-led scenario planning, a Purple Team, and a full red-team engagement. The scope covers the human element (phishing, social engineering, BEC) and ICT systems, with results fed into the ICT risk framework remediation. Basic testing (vulnerability assessments, network scans, gap analyses) is required annually for all entities; TLPT applies additionally to entities designated under Article 26.