Digital Operational Resilience Act (DORA) Training Course

Description: The course provides a comprehensive understanding of the Digital Operational Resilience Act (DORA) and its impact on financial institutions. Participants will gain knowledge about DORA's regulatory framework, its key elements and practical strategies to ensure compliance. Through interactive case studies, group discussions and hands-on exercises, participants will learn to effectively implement DORA requirements, improve ICT risk management and strengthen the digital resilience of their organizations. The course provides participants with practical knowledge and real-world applications to drive DORA compliance in their organizations.
Objectives: The DORA course aims to achieve the following objectives:
✔ Understand the scope and objectives of DORA;
✔ Identify and apply the key components of the legislation;
✔ Implement ICT risk management frameworks aligned with DORA requirements;
✔ Develop incident reporting and response mechanisms;
✔ Strengthen the risk management strategies of third-party suppliers;
✔ Conduct operational resilience tests and supervision activities.
Target audience:
✔ CISOs, IT Security & Risk Managers;
✔ Compliance officers and legal advisors;
✔ Financial executives and governance professionals;
✔ ICT suppliers working with financial institutions.
1. Introduction to DORA (2h)
• What is DORA? Overview of EU legislation and its relevance;
• DORA Objectives: Strengthen digital resilience in the financial sector;
• Scope: Who needs to comply? Banks, insurance companies, investment companies, payment service providers and third-party ICT providers.
• Key components of DORA:
o ICT risk management;
o Incident reporting;
o Operational resilience tests;
o Risk management of third-party suppliers;
o Information sharing.
Case study: Real-life examples of financial institutions affected by ICT failures and cyber incidents.
2. ICT Risk Management Framework (3h)
• Build a resilient digital strategy
o Identification and management of ICT risks;
o Governance and accountability structures;
o Policies, procedures and controls;
• Compliance with DORA ICT risk management requirements
o Identification, protection, detection, response and recovery from ICT risks;
o Key DORA articles related to ICT risk management;
• Best practices for risk monitoring
o Continuous threat detection and proactive mitigation.
Group discussion: How does your organization currently manage ICT risk? Identify gaps in governance.
3. Incident Reporting and Response (3h)
• DORA Incident Reporting Requirements
o Times and procedures for reporting significant ICT incidents;
o Internal and external reporting obligations;
o Role of CERT-EU, Europol and national supervisory authorities.
• Develop an effective incident response plan
o Steps to take before, during and after a cyber incident;
o Incident detection and escalation procedures;
o Communication with interested parties.
Case Study: Target Data Breach (2013) – Lessons learned on incident response governance failures.
4. Risk Management of Third Party Suppliers (2h)
• DORA requirements for third-party supplier risk management
o Supervision of critical ICT suppliers;
o Contractual obligations and risk assessment;
o Supplier monitoring and compliance assurance;
• Supplier risk management
o Evaluation of suppliers and implementation of controls;
o Ensure the resilience of outsourced ICT services;
o Exit strategies for high-risk suppliers.
Case Study: Marriott International Data Breach (2018) – Third Party Vendor Risk Governance Failures.
Practical Implementation and Testing
5. Operational Resilience Test (3h)
• DORA testing requirements
o Penetration testing and vulnerability assessments;
o Threat-led penetration testing (TIBER-EU framework);
o Scenario-based resilience testing.
• Development of a cyber resilience testing program
o Identification of critical ICT systems;
o Simulation of cyber attacks;
o Evaluation of system response and recovery.
Practical exercise: Participants design and discuss a resilience testing framework for their organizations.
6. Sharing of Information and Intelligence (2h)
• Role of information sharing in DORA compliance
o Collaboration between financial bodies and regulators;
o Reduction of systemic risk through the exchange of information;
• Challenges and considerations
o Privacy issues;
o Balancing transparency and security;
Panel Discussion: How can financial institutions benefit from sharing cyber threat intelligence?
7. Governance and Accountability in DORA Compliance (3h)
• Roles and responsibilities of senior management
o DORA governance requirements (Articles 4-6);
o Role of boards of directors and executive committees;
• Ensure compliance and avoid penalties
o Periodic reports to management;
o Regulatory audits and assessments.
Case study: Failures of board oversight in cybersecurity governance and their consequences.
8. Final Workshop: DORA in Action (2h)
Interactive Case Study: Participants will work in teams to apply DORA principles to a simulated financial institution facing ICT risks. They will develop a Compliance Plan, covering:
✔ ICT risk management strategies;
✔ Incident response and reporting procedures;
✔ Third party supplier risk mitigation measures;
✔ Resilience testing programs.
Teams will present their DORA Implementation Plans, followed by expert feedback.
The course is taught by Jelena Zelenovic Matone, a distinguished cybersecurity leader known for her strategic vision and impactful contributions to the field of cybersecurity and risk management. With extensive experience spanning multiple continents, she has held senior leadership roles in global financial institutions and currently serves as Senior Head and Chief Information Security Officer (CISO) at the European Investment Bank.
Throughout her career, Jelena has been honored with numerous prestigious awards, including CISO of the Year in Luxembourg (2019), CISO Sentinel World (2020) and CISO Europe (2021), which highlight her exemplary leadership in the field of cybersecurity. She is a passionate advocate for diversity and inclusion and founded the Luxembourg chapter of Women4Cyber and the WomenCyberForce association to promote resilience and growth in the cybersecurity sector.
An expert in EU banking best practices, risk management and technology transformation, Jelena excels at building strong client relationships, driving organizational innovation and providing strategic insights at senior levels. Her leadership is characterized by a commitment to continual improvement, fostering collaboration, and guiding teams in managing complex cybersecurity and risk challenges in today's rapidly evolving digital landscape.