DORA Incident Classification for Bank Cyber Practitioners

$199.00

A focused course, tailored for you

Build the classification workflow, evidence pack, and reporting sequence your regulator expects before the next alert fires.

The alert fires on a Sunday evening. You have four hours to deliver an initial notification to the NCA, and the six classification criteria under DORA Article 18 require data points your SIEM does not label the same way the regulation does. Most bank cyber teams discover this gap during their first real incident, not before it.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA's ICT incident reporting requirements look straightforward until you are inside the four-hour window. Geographic spread across retail and corporate banking, affected client count, reputational exposure, monetary loss threshold: each criterion needs a specific data extract, a responsible owner, and a defensible calculation. Without a prepared classification workflow and evidence pack, the first notification goes out late, incomplete, or both. Regulators note it. Follow-up questions compound. This course builds the workflow before the alert fires.

What you walk away with

  • Classify any ICT incident against the six DORA Article 18 criteria in under 60 minutes using a prepared data extraction workflow.
  • Write an initial NCA notification that names what is known, what is estimated, and what is still under investigation, in a form the regulator finds acceptable.
  • Produce the three-report sequence (initial, intermediate, final) with a root cause analysis that closes the regulatory loop without exposing internal control gaps.
  • Assess whether a third-party ICT provider incident triggers your own DORA major-incident obligation and document the determination.
  • Scope a TIBER-EU threat-led penetration test from inside the bank: threat intelligence brief, scope boundary definition, and retesting plan.

The 12 modules

Module 1. DORA ICT Incident Taxonomy and Your SIEM
DORA's five incident categories (cyber, operational, physical, third-party, other) do not map 1:1 to standard SIEM alert classifications. This module builds the translation layer: a taxonomy table that maps your monitoring stack's alert tags to DORA categories so the first responder can classify at alert time rather than at hour three. Artefacts include the taxonomy mapping worksheet and a decision tree for ambiguous alerts that cross category boundaries.
Module 2. The Four-Hour Initial Notification Window
The initial notification to the NCA is due within four hours of classification as a major incident. This module walks through exactly what information the regulator expects at hour one, what is acceptable as 'unknown at this stage,' and how to phrase preliminary impact statements that do not foreclose the intermediate report. Artefacts include the initial notification template pre-filled with known and unknown fields, and the escalation tree that gets the right people on the call within 20 minutes.
Module 3. Applying the Six Classification Criteria
DORA Article 18 sets six criteria for major-incident determination: geographic spread, service criticality, client count, reputational impact, data integrity and confidentiality loss, and monetary loss. Each criterion requires a specific data point your monitoring system, transaction database, or customer record source already holds. This module maps every criterion to its data source and sets out the calculation method and threshold reference so each classification call is defensible and consistent.
Module 4. Building the Evidence Pack for Regulatory Review
NCA examiners review the evidence attached to incident notifications as closely as the narrative. This module covers which log extracts, timeline reconstructions, affected-service inventories, and transaction counts to include, and how to present them in a format that supports the narrative without burying the key finding. Artefacts include the evidence pack checklist, the log pull template, and the affected-service inventory format joint supervisory teams expect.
Module 5. The Intermediate and Final Report Sequence
DORA requires three reports: initial (four hours), intermediate (72 hours), and final (one month). Each has a different audience expectation and a different evidence standard. This module covers the full sequence: what the intermediate report adds beyond the initial, how to write the root cause analysis for the final report without exposing internal control weaknesses, and how to document the lessons-learned section in a form that closes the investigation rather than reopening it.
Module 6. Third-Party ICT Provider Incident Escalation
When a cloud provider or critical SaaS vendor reports a security incident, you must determine within hours whether it triggers your own DORA major-incident obligation. This module walks through the downstream impact assessment: which provider incidents propagate, which do not, and how to document the determination so the compliance team can file correctly. Artefacts include the third-party incident trigger worksheet, the provider escalation notification template, and the impact propagation logic tree.
Module 7. ICT Risk Register and Ongoing Monitoring
DORA Articles 8 and 9 require a maintained ICT risk register linked to control effectiveness monitoring. This module covers what the register must contain, how to link controls to the DORA risk categories, and how to set up a monitoring cadence that feeds incident classification rather than running in parallel to it. Artefacts include the risk register template with DORA-linked control identifiers, the monitoring schedule, and the exception tracking log format.
Module 8. Network and Data Security Controls under DORA Article 9
Article 9 mandates specific security measures for network integrity, data protection in transit and at rest, and access control. This module maps each Article 9 requirement to the closest CIS Control and ISO 27001 clause so practitioners already holding those certifications can see exactly where the gaps sit. Artefacts include the Article 9 control checklist, the gap analysis worksheet, and the remediation priority matrix ordered by incident-reporting risk rather than technical severity.
Module 9. TLPT Scope and Threat Intelligence Preparation
DORA Chapter IV mandates threat-led penetration testing for significant financial entities, aligned with TIBER-EU methodology. This module covers how to scope the test from inside the bank: what the external threat intelligence provider needs from you, how to define the scope boundary across production systems, and what the testing plan document must contain before the NCA approves commencement. Artefacts include the TLPT scope document template, the threat intelligence brief format, and the scope boundary definition worksheet.
Module 10. TLPT Findings, Retesting, and NCA Attestation
After the red team delivers findings, the bank carries defined obligations: severity classification, remediation ownership, retesting schedule, and NCA attestation of closure. This module covers how to write the retesting plan in a form the regulator accepts, how to document remediation evidence, and how to prepare the final TLPT attestation report. Artefacts include the findings tracking spreadsheet, the remediation plan template, and the NCA attestation format used for TIBER-EU close-out.
Module 11. Third-Party ICT Provider Register and Critical Provider Oversight
DORA Chapter V requires a complete register of all ICT third-party providers and a documented oversight plan for critical ones. This module covers the register structure, how to run the criticality assessment that determines oversight intensity, and how to document concentration risk where multiple critical services run on the same underlying provider. Artefacts include the provider register template, the criticality assessment matrix, and the oversight review checklist aligned to DORA's supervisory expectations.
Module 12. Annual ICT Risk Assessment and Board Reporting
The annual ICT risk assessment pulls incident data, control test results, and third-party oversight findings into a format the CISO and board risk committee can act on. This module covers how to structure the assessment, how to translate technical control gaps into risk-appetite language, and how to present residual risk in a way that supports a credible board sign-off. Artefacts include the annual assessment template, the control effectiveness summary matrix, and the board reporting pack outline.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 to 4 address the immediate incident: classification taxonomy, the four-hour notification window, the six criteria calculation, and the evidence pack that determines whether the regulator accepts your first response.
Modules 5 and 6 cover the full reporting sequence and the third-party escalation pathway, the two areas where most bank cyber teams discover gaps after an incident rather than before.
Modules 7 to 9 build the underlying risk and control infrastructure: the ICT risk register, Article 9 controls, and the TLPT scoping work regulators inspect between incidents.
Modules 10 to 12 close the loop: TLPT remediation and attestation, provider oversight documentation, and the annual reporting cycle that feeds the board risk committee and supports the next supervisory review.

What you get with this course

  • 12 written modules with full implementation guidance for each DORA incident reporting and resilience stage.
  • Downloadable templates: incident taxonomy mapping worksheet, initial notification template, evidence pack checklist, intermediate and final report structures, root cause analysis format, TLPT scope document, provider register, criticality assessment matrix, and board reporting pack.
  • Hand-built implementation playbook tailored to your role and context, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

An alert fires at 18:40. The classification call takes 90 minutes, the initial notification goes out with three fields marked unknown, the intermediate report is filed late, and the final root cause analysis takes three drafts before the NCA accepts it.

After

The classification workflow runs in under 60 minutes from a prepared data extraction template. The initial notification is filed within four hours with every knowable field complete. The three-report sequence closes within the regulatory windows and the NCA does not follow up.

What happens if you do not address this

The first real DORA major incident is when most bank cyber teams discover the gaps in their classification workflow and reporting structure. Filing late, filing incomplete, or misclassifying an incident draws supervisory attention and follow-up questions that compound across the full three-report sequence. The course builds the artefacts before the alert fires, not after.

Who it is for

This course is for cyber security practitioners at EU-regulated banks who own or contribute to ICT incident response. You are the person classifying alerts at 18:40 on a Sunday, building the evidence pack for a notification the compliance team will file, and sitting in the TLPT scope call without a prepared threat intelligence brief. You know the technical detail. This course gives you the DORA-specific artefacts your role requires.

Who this is NOT for. Not for executives who need a DORA overview rather than a practitioner workflow. Not for risk managers who handle operational risk broadly and touch cyber only periodically. Not for teams in non-EU jurisdictions who are not subject to DORA's ICT incident reporting and resilience testing requirements.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules designed for focused sessions of 45 to 60 minutes each. Most practitioners complete the incident-reporting modules (1 to 6) in one focused week and the resilience and annual cycle modules (7 to 12) across the following two weeks.

Why $199 is the right number

Free DORA guidance from the EBA and ECB covers the regulatory text. It does not provide classification workflows, evidence pack templates, or report structures you can use directly. Consultancy engagements cover compliance gap analysis but do not leave practitioners with the operational artefacts to run the next incident themselves. This course builds the practitioner toolkit a bank cyber team keeps and uses.

FAQ

Does this cover requirements that apply to significant institutions versus other financial entities?
Yes. The course distinguishes between requirements that apply to all EU financial entities and those that apply only to significant institutions designated for TLPT. Modules 9 and 10 on TIBER-EU testing are marked as applicable to significant institutions; modules 1 to 8 apply across the board.
Is the incident reporting sequence the same across all EU member states?
DORA sets the framework; the NCA in each member state implements it with some variation in templates and reporting platforms. The course covers the core DORA requirements and notes where NCAs commonly diverge, particularly on the initial notification template and the root cause analysis format.
How does this relate to ISO 27001 or NIST frameworks the team already uses?
Module 8 maps DORA Article 9 controls directly to ISO 27001 clauses and CIS Controls, so practitioners holding those certifications can see exactly where the gaps sit without starting from scratch. The incident reporting taxonomy in modules 1 to 4 is DORA-specific but cross-referenced to common SIEM taxonomies.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
