
DORA Operational Resilience Programme Build for Bank Platform Engineering

$199.00

A focused course, tailored for you


Build a DORA-compliant operational-resilience programme from scratch in 12 weeks. ICT risk framework + third-party risk + incident reporting + threat-led penetration testing.

DORA (Digital Operational Resilience Act) became effective in January 2025 across the EU and now binds every bank's EU subsidiaries and major third-party ICT providers. Bank platform-engineering teams that have not yet built a DORA-aligned operational-resilience programme are in regulatory backlog. Here's the 12-week build.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA (EU 2022/2554) is the most significant operational-resilience regulation in EU financial services since SOX in the US. It binds banks, insurers, investment firms, payment institutions, and (importantly) their ICT third-party providers. Effective January 2025, DORA mandates an ICT risk-management framework, ICT-related incident reporting (with strict timelines), digital operational-resilience testing including threat-led penetration testing (TLPT), an ICT third-party risk-management framework with concentration-risk controls, and information-sharing arrangements.

US bulge-bracket banks with EU subsidiaries (typically structured through NL, IE, LU, DE, and FR entities) are in scope through those EU entities. The platform-engineering function carries the operational-implementation burden: the ICT risk framework, the incident-reporting infrastructure, the third-party risk register, and the TLPT programme.

This course walks you through the build: ICT risk-framework design, incident classification and reporting workflow, TLPT engagement model, third-party risk register, concentration-risk controls, and the joint-supervisory-team engagement protocol. Twelve modules, each ending with a deliverable artefact. Plus a hand-built implementation playbook with your firm's specific DORA exposure.

What you walk away with

  • A documented DORA-aligned ICT risk-management framework.
  • An incident-classification and incident-reporting workflow meeting DORA Article 19 timelines.
  • A TLPT (threat-led penetration testing) programme design.
  • An ICT third-party risk register with concentration-risk controls.
  • A joint-supervisory-team engagement protocol.
  • A 12-week build plan with weekly deliverables.

The 12 modules

Module 1. DORA regulatory landscape and scope
Detailed walkthrough of DORA (EU 2022/2554), the RTS (Regulatory Technical Standards) and ITS (Implementing Technical Standards) finalised in 2024-2025, entity-type-by-entity-type scope determination, proportionality assessment, and competent-authority designation by member state. How DORA interacts with NIS2, CRD VI/CRR3, and ECB SREP. Specific impact on bank platform engineering through the EU subsidiary structure.
Module 2. ICT risk-management framework design
Build the ICT risk-management framework: ICT asset register, vulnerability management, ICT risk assessment methodology, ICT risk-appetite statement, risk-controls inventory aligned to NIST CSF and ISO 27001, and the risk-and-control register. The framework is the backbone of every DORA artefact. Deliverable: ICT risk framework document v1.
Module 3. ICT-related incident classification
DORA Article 18 defines major ICT-related incidents with specific classification criteria. Build the classification matrix: financial impact thresholds, downtime thresholds, geographic-impact criteria, criticality-of-affected-function determination, data-loss assessment. The classification matrix must be defensible to the competent authority and reproducible across incidents. Deliverable: incident-classification matrix and SOP.
Module 4. Incident reporting workflow and timelines
DORA Article 19 mandates strict incident-reporting timelines: initial notification within 4 hours of classification as major, intermediate report within 72 hours, final report within 1 month. Build the reporting workflow: detection-to-classification cadence, escalation chain, regulator-facing reporting infrastructure, the standardised reporting templates per the RTS. Deliverable: incident-reporting workflow document and report templates.
Module 5. Digital operational-resilience testing programme
DORA Articles 24-26 mandate digital operational-resilience testing including vulnerability assessments, penetration testing, scenario-based testing, and (for significant entities) threat-led penetration testing (TLPT) every 3 years. Build the testing programme: test-scope definition, frequency model, integration with existing vulnerability management, and the test-finding remediation workflow. Deliverable: testing programme document.
Module 6. TLPT (threat-led penetration testing) engagement model
TLPT is the most demanding DORA testing requirement. Build the TLPT engagement model: TIBER-EU framework alignment (ECB's framework that informs DORA TLPT), red-team scope definition, threat-intelligence integration, blue-team coordination, white-team governance, and the competent-authority engagement during TLPT. Deliverable: TLPT engagement model and red-team scope document.
Module 7. ICT third-party risk register
DORA Articles 28-30 mandate a comprehensive ICT third-party risk-management framework. Build the third-party risk register: identification of ICT services (including those supporting critical or important functions), risk-tier classification, due-diligence framework, contractual-requirement template per the RTS, exit-strategy requirement, and the ongoing-monitoring cadence. Deliverable: third-party risk register and contract template.
Module 8. Concentration-risk controls
DORA Article 29 requires concentration-risk assessment for ICT third-party providers. Build the concentration-risk controls: provider-by-provider concentration assessment, criticality-weighted concentration model, sub-outsourcing transparency, geographic-concentration assessment, and the board-reporting cadence. How to reduce concentration without disrupting operations. Deliverable: concentration-risk methodology and dashboard.
Module 9. Information sharing arrangements
DORA Article 45 enables financial entities to share threat intelligence and cyber-incident information through dedicated arrangements. Build the information-sharing framework: legal-basis analysis, sharing-protocol design, ISAC (Information Sharing and Analysis Center) membership, and the contribution-and-consumption model. How to balance information sharing with confidentiality. Deliverable: information-sharing framework.
Module 10. Joint-supervisory-team engagement
DORA created joint supervisory teams for significant ICT third-party providers and significant financial entities. Build the JST engagement protocol: pre-engagement posture (documentation organisation), JST-meeting cadence, finding-response workflow, designation criteria for significant entities. How to position your firm as cooperative without giving away leverage. Deliverable: JST engagement playbook.
Module 11. Budgeting and stakeholder management
DORA programmes need substantial budget: framework build, testing programme, third-party risk infrastructure, and ongoing resourcing. The budgeting and stakeholder-management module covers: business-case construction, CFO-engagement protocol, CRO-and-COO sponsorship, board engagement, and budget-cycle timing. How to defend the DORA budget in cost-tightening cycles. Deliverable: business case and budget proposal.
Module 12. Your 12-week build plan
Week-by-week plan with weekly deliverables. Weeks 1-2: regulatory mapping for your firm's exposure (EU entities + critical ICT providers). Weeks 3-4: ICT risk framework v1. Weeks 5-6: incident classification + reporting workflow. Weeks 7-8: testing programme + TLPT engagement model. Weeks 9-10: third-party risk register + concentration controls. Weeks 11-12: JST engagement playbook + budget proposal. Deliverable: full programme documentation package.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 and 2 cover the regulatory landscape and your specific exposure.
Modules 3 to 6 produce the ICT risk framework, incident workflow, testing programme, and TLPT engagement model.
Modules 7 to 9 cover third-party risk register, concentration controls, and information sharing.
Modules 10 to 12 cover JST engagement, budgeting, and the 12-week build plan.

What you get with this course

  • The 12-module course delivered as text plus downloadable templates.
  • Templates for ICT risk framework, incident classification matrix, incident-reporting workflow, testing programme, third-party risk register, contract clauses, and JST engagement.
  • A hand-built implementation playbook generated for your specific DORA exposure (EU entities + critical ICT services).
  • Three worked examples of DORA programme builds at bulge-bracket banks.
  • Scripted talking points for the CRO budget conversation.

What you will have in hand by Day 1, Week 1, Month 1

Day 1: Regulatory mapping for your firm's EU exposure.

Week 2: ICT risk framework v1 drafted.

Week 4: Incident-reporting workflow operational.

Month 1: Testing programme + TLPT engagement model approved.

Quarter 1: Full programme documented and approved by CRO + board ICT-risk committee.

Before and after

Before

Your bank has EU exposure. DORA is in force. The ICT risk framework is incomplete. Incident reporting is ad-hoc. TLPT has not been scoped. Third-party risk is fragmented.

After

A DORA-aligned operational-resilience programme is running. ICT risk framework is documented. Incident-reporting workflow meets Article 19 timelines. TLPT is scoped. Third-party risk register is complete with concentration controls. JST engagement protocol is in place.

What happens if you do not address this

DORA has been in force since January 2025. Competent authorities are now in active supervision. Non-compliance triggers penalties up to 2% of total annual turnover or 1% of average daily turnover.

Who it is for

For platform engineers, SRE leads, technology-risk leads, and operational-resilience programme owners at banks, insurers, and investment firms with EU exposure.

Who this is NOT for. Firms with no EU exposure. Firms that already have a DORA-aligned programme. Pure consulting firms (this is for in-house teams).

How it arrives

Text-based course via LMS, plus downloadable templates and the hand-built implementation playbook.

Time investment. Roughly 18 hours of reading and 30 to 45 hours producing your real artefacts and running the first incident classification.

Why $199 is the right number

External DORA consultants charge $250K-$1M for programme builds. A Big Four advisory engagement runs $500K-$2M. A DORA-specialist law firm would charge $1,000-$1,500 per hour for regulator engagement. $199 buys the focused playbook plus the implementation document for your specific exposure.

FAQ

Will this replace hiring a DORA consultant?
Partially. It teaches you how to build the framework, run the workflows, and engage the JST. You may still want legal counsel for ambiguous classification calls.
What if my firm uses Article 4 proportionality?
Module 1 walks through proportionality determination by entity-type.
Does this cover NIS2 overlay (since NIS2 also applies to financial entities)?
Module 1 covers the DORA-NIS2 boundary and how to align both.
What about Bank of England SS1/21 (UK) since we have UK exposure?
Module 9 covers UK SS1/21 alignment as an adjacent framework. The course focus is DORA.
What is in the implementation playbook for me specifically?
A regulatory map for your firm's exact EU exposure; an ICT risk framework template tailored to your platform; a 12-week build plan.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.