Would You Pass a DORA Supervisory Examination?
7 questions mapped to what competent authorities actually examine. Incident classification, 4-hour notifications, Register of Information, third-party risk. 2 minutes.
Could you classify an ICT incident as "major" within 30 minutes using documented decision criteria?
What does DORA require?
DORA (Digital Operational Resilience Act) applies to all EU-regulated financial entities — banks, insurers, investment firms, payment institutions, and their critical ICT service providers.
Articles 17-19 require incident classification and reporting: an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within 1 month. In the ESA's 2025 dry-run, 93.5% of firms failed the Register of Information quality checks.
Articles 25-27 mandate scenario-based resilience testing, including threat-led penetration testing (TLPT) for significant entities. Only 50% of institutions achieved full compliance by end of 2025.
Built by Blend Training
Our DORA course puts you in the Head of Compliance's chair during a critical vendor outage on month-end. Incident classification under pressure, 4-hour notification deadlines, and vendor accountability — the exact scenarios supervisors will examine.