IT Security Compliance for European Banking Regulations

$199.00
A focused course, tailored for you

Turn DORA, NIS2, and EBA ICT guidelines into testable controls and audit-ready evidence packs.

The audit finding that comes back three times is almost never about missing controls. It is about controls that were designed without the evidence structure regulators need to close their checklist. For IT Security Managers at large European banks, the practical gap is knowing how to build one control implementation that satisfies DORA operational resilience requirements, NIS2 detection and response obligations, and EBA ICT risk classification guidance simultaneously.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

DORA's ICT risk framework, NIS2's network and information systems obligations, and the EBA ICT and security risk guidelines each have different evidence expectations even when they address the same underlying control domain. An access control procedure that satisfies your internal audit team may still fail a DORA supervisory assessment because the testing records do not document the resilience scenario being tested. The same third-party security assessment that satisfies procurement may not satisfy DORA Article 28 because the concentration risk narrative is missing. IT Security Managers spend more time on remediation cycles than on building the control right the first time because no one taught them to design controls with the evidence chain already baked in.

What you walk away with

  • Build an ICT risk taxonomy that maps directly to DORA, NIS2, and EBA classification requirements without maintaining three separate inventories.
  • Design testable controls with the evidence chain already specified so audit findings do not require rework upstream.
  • Produce a DORA Article 28 third-party ICT assessment that satisfies both internal audit and supervisory authority review.
  • Construct an incident classification matrix that meets NIS2 reporting thresholds and DORA major incident notification timelines.
  • Deliver an operational resilience testing record that documents the threat scenario, the test methodology, and the outcome in the format regulators expect.
  • Close the gap between your internal security governance documentation and the external supervisory evidence packages without duplicating work.

The 12 modules

Module 1. The European Banking ICT Regulatory Stack
DORA, NIS2, and EBA ICT guidelines each impose obligations on the same security functions but use different vocabularies and evidence formats. This module maps the three frameworks against each other at the control-domain level: what overlaps, what conflicts, and where a single implementation can satisfy all three. You leave with a cross-framework gap analysis template tailored to the IT security function at a significant institution.
Module 2. ICT Risk Taxonomy Design Under DORA
DORA Article 6 requires an ICT risk taxonomy that classifies assets, threats, and impacts in a way that feeds directly into the ICT Business Continuity Policy and the supervisory reporting templates. This module covers how to build that taxonomy so it is not a standalone document but a live classification system that your incident management, third-party assessment, and resilience testing processes all draw from.
Module 3. Control Design With Evidence Architecture Built In
A control designed without specifying the evidence it will generate creates audit debt. This module teaches how to define each control with three elements already written: the test procedure, the artefact the test produces, and the regulatory clause the artefact closes. You practice on three common IT security control domains (access management, network segmentation, patch management) and rewrite each one using the evidence-first template.
Module 4. Access Control and Identity Governance Under EBA ICT Guidelines
EBA ICT and security risk guidelines Section 5.3 covers privileged access management, segregation of duties, and identity lifecycle requirements in detail. This module translates those requirements into a concrete access control framework: what your IAM system configuration needs to document, what periodic review evidence looks like, and how to write the access control policy so it maps to the EBA checklist rather than to a generic ISO 27001 clause.
Module 5. Third-Party ICT Risk Assessment Under DORA Article 28
DORA Article 28 introduces mandatory requirements for assessing ICT third-party service providers that go beyond standard supplier due diligence. This module covers the contractual clauses that must be present, the security assessment methodology the regulation expects, the concentration risk narrative that supervisors look for, and how to structure the ongoing monitoring programme so it produces the right evidence at the right frequency without overwhelming the security team.
Module 6. Network Security and Perimeter Controls for NIS2 Obligations
NIS2 Article 21 requires measures on network security, access controls, and supply chain security that overlap with but are not identical to DORA requirements. This module maps the NIS2 network security obligations to the specific technical controls your team manages: network segmentation documentation, perimeter monitoring records, and the security policy artefacts that a NIS2 national competent authority inspection would expect to review.
Module 7. Incident Classification and the NIS2 Reporting Matrix
NIS2 requires significant incident reports within 24 hours of detection and detailed reports within 72 hours. DORA has separate major incident classification thresholds with different timelines. This module builds the incident classification matrix that covers both: the criteria that trigger each reporting obligation, the evidence your team needs to capture in the first hours of an incident, and the internal escalation chain that makes the 24-hour notification achievable without sacrificing investigation quality.
Module 8. DORA Operational Resilience Testing Records
DORA requires that financial entities test their ICT systems, including threat-led penetration testing (TLPT) for significant institutions, and maintain records that document the scope, the threat scenario, the methodology, the findings, and the remediation. This module covers what a complete resilience testing record looks like from the regulator's perspective, how to write the threat scenario narrative, and how to structure the TLPT findings report so it meets both the DORA RTS requirements and your internal audit standard.
Module 9. Patch and Vulnerability Management Evidence Packs
Both DORA and EBA ICT guidelines require documented patch management procedures with evidence of timely remediation tied to the ICT asset classification. This module covers the evidence pack structure: the vulnerability scan records, the risk-acceptance documentation for deferred patches, the remediation timeline logs, and the quarterly review report that demonstrates the programme is functioning. Emphasis is on building the pack so it satisfies both supervisory review and internal audit in the same document set.
Module 10. Cryptography, Data Protection, and EBA Technical Standards
EBA ICT guidelines Section 5.6 on cryptographic controls and the related EBA Guidelines on ICT Risk Assessment cover encryption requirements, key management documentation, and data classification obligations that affect how IT security controls are designed and evidenced. This module translates those technical standards into a practical cryptography and data protection control framework with the specific evidence artefacts each standard requires.
Module 11. Security Awareness and Human-Risk Controls Under Both Frameworks
DORA Article 13 and NIS2 Article 21 both require security awareness training and measures to manage human-factor risk. The evidence expectations differ: DORA wants training completion tied to role-based ICT risk exposure, NIS2 wants a broader security culture programme. This module covers how to design the awareness programme so the same delivery produces evidence that satisfies both frameworks, and how to write the annual review report that regulators expect.
Module 12. The Annual ICT Risk Assessment Report Supervisors Actually Accept
The ICT risk assessment report pulls together everything else: the risk taxonomy, control test results, third-party assessment findings, the incident analysis, and the residual risk position. This module covers the structure supervisors expect, the narrative sections regulators typically find inadequate in first submissions, and how to present residual risk in a way that supports the management body approval DORA requires. You produce a template and a review checklist reusable each assessment cycle.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • You are preparing for a DORA supervisory assessment and need to ensure your ICT risk assessment and control evidence meet the format regulators expect.
  • Internal audit has returned your third-party ICT assessment with gaps in the concentration risk narrative and the contractual clause documentation.
  • An incident classification question has come up: does this event meet the NIS2 significant incident threshold or the DORA major incident threshold, and what does each require you to document?
  • Your operational resilience testing programme needs to produce records that satisfy the DORA RTS on TLPT, and you are not sure what the testing narrative needs to contain.

What you get with this course

  • Twelve written modules covering the full ICT security compliance cycle under DORA, NIS2, and EBA ICT guidelines.
  • Downloadable templates: cross-framework gap analysis, evidence-first control design worksheet, third-party ICT assessment structure, incident classification matrix, operational resilience testing record, annual ICT risk assessment report outline.
  • Hand-built implementation playbook tailored to your role and institution, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Course access and the hand-built implementation playbook are both provisioned within 24 hours of purchase.

Each module is designed for a 45-60 minute working session with the downloadable template open alongside.

Most participants complete the full programme over three to four weeks while applying the frameworks to their live assessment cycle.

Before and after

Before

ICT risk assessments and control evidence packs cycle through internal audit and supervisory review with different gaps identified each time, requiring rework upstream rather than fixing the artefact structure once.

After

Controls are designed with the evidence architecture already specified, third-party assessments meet DORA Article 28 requirements on first submission, and the annual ICT risk report is structured so it satisfies both internal audit and supervisory authority review without producing separate document sets for each.

What happens if you do not address this

DORA applies from January this year with supervisory assessments already underway at significant institutions. NIS2 national transpositions are active across the EU. An ICT risk assessment that does not meet the supervisory evidence standard is not a minor finding; it is a material deficiency that requires a remediation plan and creates personal accountability for the function head. Getting the control and evidence architecture right now is cheaper than remediating it under supervisory pressure.

Who it is for

IT Security Managers and Senior IT Risk Analysts at large European banks who are directly accountable for ICT risk assessments, control testing, and regulatory submissions under DORA, NIS2, and EBA guidelines. They have hands-on security operations experience and understand the technical substance of what they are building. What they need is the regulatory evidence architecture that connects their technical work to the documentation regulators actually review.

Who this is NOT for. Security engineers focused purely on tooling and detection without regulatory reporting accountability. Consultants who advise on frameworks from the outside rather than owning the compliance artefacts internally. Junior analysts who do not yet manage the full ICT risk assessment cycle end to end.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 45-60 minutes per module across 12 modules. The implementation playbook is designed to be used live against your current ICT risk assessment cycle, so working time and application overlap.

Why $199 is the right number

EBA and DORA published guidance documents are publicly available but written for regulators, not for the security function that has to implement them. External compliance consultants can guide framework interpretation at hourly rates that quickly exceed 199 USD for a single advisory session. Internal legal and risk teams understand the regulatory obligations but typically do not own the security control design or the evidence architecture. This course is for the person who owns the implementation and needs to understand the evidence expectations well enough to get it right without a consultant in the room.

FAQ

Does this course assume I already know the technical security controls, or does it teach those from scratch?
It assumes you already manage IT security controls operationally. The course teaches how to design and document them to meet DORA, NIS2, and EBA evidence requirements, not how to build a firewall or configure an IAM system.
Is this focused on DORA specifically or does it cover NIS2 and EBA equally?
DORA gets the most coverage because it is the most prescriptive about evidence format and testing requirements. NIS2 and EBA ICT guidelines are covered in the modules where they add requirements or where the evidence structures differ. The cross-framework gap analysis in Module 1 maps all three explicitly.
Will the implementation playbook be generic or specific to my institution?
The playbook is hand-built for your role after purchase. It is specific to the IT security function at a large European bank, not a repackaged generic compliance checklist.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.