DORA ICT Risk Classification for Banking Analysts

$199.00

A focused course, tailored for you

DORA ICT Risk Classification for Banking Analysts

Build the third-party tiering methodology your supervisory review will accept.

The ICT third-party register keeps growing because every vendor assessment arrives without a consistent tiering methodology. The Level 2 RTS on sub-contractors is specific about contractual obligations but says almost nothing about how to practically score a cloud provider chain against the critical function criteria. So the register expands, the tiering stays inconsistent, and when the supervisory team asks for the classification rationale, the answer is harder to give than it should be.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA enforcement shifted from preparation to active supervision, and the gap between the framework documentation most banks produced and the operational programme that actually runs is now the examination risk. Third-party registers built without a scoring methodology cannot survive a supervisory on-site review. Sub-contractor oversight programmes that exist only as contract clauses and not as quarterly operational reviews are exactly what examiners flag first. For a Security Analyst who owns a piece of this programme, the problem is not understanding the regulation. The problem is having the tools to translate the regulatory text into the artefacts the institution needs to produce, in the format the supervisors will accept.

What you walk away with

  • Build and maintain the ICT third-party register structure that satisfies the DORA Articles 28 and 30 disclosure requirements.
  • Apply the critical and important function classification criteria to every system in your ICT estate using the decision tree from Module 2.
  • Produce the sub-contractor oversight checklist and tiering matrix for your third-party risk programme.
  • Scope and document a TLPT engagement using the TIBER-EU methodology, from initial scoping criteria to post-test gap register.
  • Assemble the audit file structure supervisors request in on-site examinations, with pre-examination readiness checking built in.
  • Run the annual ICT risk assessment cycle integrated with your institution's ICAAP and recovery planning calendar.

The 12 modules

Module 1. The Four-Layer ICT Risk Framework
DORA mandates a layered approach to ICT risk management: governance and strategy, identification and classification, protection and detection, and response and recovery. This module maps each layer to the regulatory obligation it fulfils, identifies the articles that govern it, and establishes the artefact chain each layer produces. By the end you have a single diagram showing how your existing controls map to the four layers, with the gaps annotated for remediation planning.
Module 2. Classifying Critical and Important ICT Functions
The distinction between critical and important functions determines which ICT assets get the full DORA treatment and which get a lighter regime. This module walks through the classification criteria from the Level 2 RTS, applies them to ten worked examples drawn from banking operations, and produces the decision tree your team can use for every new system. Common misclassifications from supervisory findings are annotated throughout, with the corrected rationale for each.
Module 3. Building the ICT Asset Inventory
An accurate ICT asset inventory is the foundation of every downstream DORA obligation. This module covers what must be included, the minimum fields the RTS requires, and the link between your CMDB and the DORA register. A template showing the mandatory columns, the supporting evidence type for each, and the update cadence your governance team will want is included as a downloadable artefact ready for immediate use.
Module 4. Structuring the Third-Party ICT Provider Register
This module builds the third-party register structure from the Articles 28 and 30 obligations. It covers the mandatory contract provisions, the minimum disclosure requirements for sub-contractor chains, and the tiering methodology that maps providers to the critical and important functions they support. The worked example uses a core banking infrastructure scenario to walk through the classification logic, so the rationale is explicit and defensible in a supervisory examination.
Module 5. Sub-contractor Oversight Under DORA
Financial entities must flow DORA obligations through to their ICT sub-contractors, but the practical path is unclear in most institutions. This module covers the contractual clauses required, the due diligence methodology for tier-2 providers, and the monitoring cadence the ESAs expect. The sub-contractor oversight checklist included here translates the RTS technical standards into a quarterly review your third-party risk team can run without specialist legal input.
Module 6. Mapping and Documenting ICT Concentration Risk
Concentration risk is one of the areas supervisors probe most directly in banking examinations. This module identifies the three concentration scenarios DORA explicitly references, builds the analysis methodology for identifying them in a complex bank technology stack, and produces the concentration risk register your board-level reporting will draw from. Particular attention is given to cloud provider concentration, geographic concentration, and critical function dependence on a single vendor chain.
Module 7. ICT Threat and Vulnerability Assessment Methodology
DORA requires documented threat intelligence integration and vulnerability management processes. This module covers the threat scenarios the EBA uses in on-site examination, the vulnerability scoring methodology that connects your existing CVE workflow to the DORA risk register, and the gap between a standard patch management programme and the DORA-compliant threat assessment your CISO will need to sign off. A scoring rubric for prioritising remediation against DORA exposure is included.
Module 8. ICT Business Continuity Planning Under DORA
DORA sets specific RTO and RPO parameters for critical functions and requires documented continuity tests. This module builds the ICT continuity plan structure from the regulatory requirements, connects it to your existing BCP programme, and identifies the three areas where banking ICT continuity plans most often fail supervisory review. The scenario test template covers the tabletop exercise your operational resilience team will run as part of the annual DORA programme.
Module 9. TLPT Scoping and Digital Operational Resilience Testing
Threat-led penetration testing is the highest-visibility DORA requirement for security teams. This module covers the scoping criteria for identifying systems in scope, the intelligence-led methodology the TIBER-EU framework mandates, the role of the Security Analyst in the engagement lifecycle, and the documentation the lead overseer will review after the test. The scope document template and control gap register are included as downloadable artefacts for your first TLPT cycle.
Module 10. ICT Incident Classification and Regulatory Reporting
The DORA incident classification thresholds and the 4-hour initial report deadline create a workflow challenge for security operations teams. This module maps the classification criteria to the incident taxonomy your SOC already uses, builds the escalation decision tree for the analyst who makes the initial severity call, and produces the major incident report template the ESAs have indicated they will use in supervisory review. Common classification errors and their remediation are annotated.
Module 11. Audit File Assembly for DORA Supervisory Examination
A supervisory examination will request evidence across all four ICT risk management layers simultaneously. This module builds the audit file structure from the ESA examination approach, identifies the twelve evidence categories supervisors request most frequently, and maps each to the artefact your programme should be producing already. The checklist included here is the pre-examination readiness review your compliance team can use to identify gaps before the regulator arrives on-site.
Module 12. The Annual ICT Risk Assessment Cycle
DORA requires an annual ICT risk assessment integrated with your institution's broader ICAAP and recovery planning cycle. This module builds the governance calendar, the data collection methodology for the annual assessment, the board reporting template, and the continuous monitoring indicators that feed the annual review. The twelve-month programme plan synchronises DORA's annual requirements with EBA stress testing timelines and the supervisory review cycle your institution follows.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • The ICT third-party register has no consistent tiering methodology and the sub-contractor chain is only documented at the contractual level.
  • TLPT scoping has not started and the TIBER-EU criteria have not been applied to identify systems in scope.
  • The annual ICT risk assessment cycle is not yet integrated with the ICAAP or supervisory review calendar.
  • The audit file structure does not yet reflect the evidence categories supervisors request in on-site examination.

What you get with this course

  • 12 text-based modules in the Art of Service learning environment
  • Downloadable templates for every module: ICT asset register, third-party tiering matrix, sub-contractor oversight checklist, TLPT scope document, incident classification decision tree, audit file structure checklist, and annual assessment programme plan
  • Hand-built implementation playbook covering your specific role and institution type, delivered alongside course access

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

The DORA ICT register is growing without a consistent tiering methodology. Sub-contractor obligations are documented at the contractual level but the operational oversight programme does not yet exist. TLPT scoping has not been started. The annual risk assessment structure has not been connected to the regulatory timeline.

After

The ICT third-party register is tiered against critical and important functions with documented evidence. The sub-contractor oversight cycle runs quarterly. The TLPT scope document is ready for the lead overseer. The annual ICT risk assessment feeds the board report and connects to the supervisory review calendar.

What happens if you do not address this

A supervisory examination finding on ICT risk management gaps carries a formal corrective action plan with a deadline. In the banking sector, a DORA finding at a major institution is disclosed to the joint supervisory team and can escalate to the ECB level for systemically important banks. The analyst who owns the register without a defensible methodology is the first person the examination team asks to walk through the evidence.

Who it is for

Information Security Analysts at major banking groups who own or co-own the DORA ICT risk management programme and are responsible for translating regulatory obligations into operational controls, evidence artefacts, and supervisory-ready documentation. Typically two to six years into a security career, already familiar with ISO 27001 or NIST CSF, but encountering DORA's specific financial services overlay for the first time.

Who this is NOT for. CISOs or VPs of Risk who need strategic alignment guidance. Legal or compliance teams building the contractual overlay. Third-party risk managers whose sole focus is vendor scoring outside the DORA framework. Security analysts working outside the EU financial services sector.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Two to three weeks at one module per day alongside normal work. Each module includes a downloadable template, so the time investment produces usable output from day one.

Why $199 is the right number

Major consulting firm DORA readiness assessments are priced for enterprise-level engagements and designed for C-suite alignment, not for the analyst who has to run the actual register. The EBA guidelines and Level 2 RTS are public documents but require substantial interpretation before they become operational tools. This course provides the working methodology, the templates, and the implementation playbook for the analyst doing the work.

FAQ

My institution already has an ICT register. Will this course help me improve what exists or start over?
The course is built around improving and operationalising an existing register, not starting from a blank sheet. Module 3 covers how to audit what you have against the DORA RTS minimum fields, and Module 11 covers how to structure the evidence file from existing documentation.
I am not directly responsible for TLPT. Will Module 9 still be useful?
Yes. The Security Analyst's role in TLPT is primarily in scoping and evidence documentation, not in executing the test. Module 9 specifically covers the analyst's input to the engagement rather than the red team methodology itself.
Does this course cover ISO 27001 integration with DORA?
Module 1 maps DORA's four-layer framework to the ISO 27001 control structure and identifies the overlap and the gaps. SWIFT CSCF is addressed in Module 6 in the context of concentration risk for SWIFT-connected institutions.
How long will it take to complete?
At a pace of one module per day alongside normal work, most participants complete the course in two to three weeks. The implementation playbook is delivered with course access and can be used in parallel from day one.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.