Training for the Digital Operational Resilience Act (DORA)



Training program 1: Preparing for the Digital Operational Resilience Act (DORA), tailor-made training

Possible modules of the tailor-made training program

Digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.

- Are you sure we must comply with the Digital Operational Resilience Act (DORA)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.

ICT risk management.
- The internal governance and control framework that ensures an effective and prudent management of ICT risks.
- The sound, comprehensive and well-documented ICT risk management framework, as part of the overall risk management system.
- ICT systems, protocols and tools.

- The need to identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.
- The need to continuously monitor and control the security and functioning of ICT systems and tools, to minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
- The need for mechanisms to promptly detect anomalous activities.
- The need for response and recovery, and a comprehensive ICT business continuity policy.
- Ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss.

- Learning and evolving, gathering information on vulnerabilities and cyber threats.

- Communication, crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public.

ICT-related incident management, classification and reporting.
- The ICT-related incident management process to detect, manage and notify ICT-related incidents.
- Classification of ICT-related incidents and cyber threats.
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats.
- Harmonisation of reporting content and templates.
- Centralisation of reporting of major ICT-related incidents.

Digital operational resilience testing.
- General requirements for the performance of digital operational resilience testing.
- Testing of ICT tools and systems.
- Advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT).
- Requirements for testers for the carrying out of TLPT.

ICT third-party risk.
- General principles.
- Preliminary assessment of ICT concentration risk at entity level.
- Key contractual provisions.
- Designation of critical ICT third-party service providers.
- Structure of the Oversight Framework.
- Tasks of the Lead Overseer.
- Operational coordination between Lead Overseers.
- Powers of the Lead Overseer.
- Exercise of the powers of the Lead Overseer outside the Union.
- General investigations, inspections, ongoing oversight.
- Harmonisation of conditions enabling the conduct of the oversight activities.
- International cooperation.

Competent authorities.
- Cooperation with structures and authorities.
- Cooperation between authorities.
- Financial cross-sector exercises, communication and cooperation.
- Administrative penalties and remedial measures.
- Exercise of the power to impose administrative penalties and remedial measures.
- Criminal penalties.
- Publication of administrative penalties.
- Professional secrecy, data protection.

- Master plan and list of immediate actions, for firms established in the EU.

- Other new EU directives and regulations that introduce compliance challenges.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



Training program 2: Preparing for the NIS 2 Directive, the European Cyber Resilience Act, the Critical Entities Resilience Directive (CER), and the Digital Operational Resilience Act (DORA), for EU and non-EU firms (tailor-made training).

Possible modules of the tailor-made training program

a. The NIS 2 Directive

We will cover the new cybersecurity risk management measures. Essential and important entities must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. The measures must include at least the following:

- (a) risk analysis and information system security policies;

- (b) incident handling (prevention, detection, and response to incidents);

- (c) business continuity and crisis management;

- (d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;

- (e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;

- (f) policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures;

- (g) the use of cryptography and encryption.

- The obligations for the EU Member States to adopt a national cybersecurity strategy, and to designate competent national authorities, single points of contact, and CSIRTs.

- The obligations for the EU Member States to adopt cybersecurity risk management and reporting obligations for entities referred to as essential entities and important entities.

- The obligations for the EU Member States to adopt obligations on cybersecurity information sharing.

- Essential entities - certain public or private essential entities (energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; public administration; and space).

- Important entities - (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing and digital providers).

- Micro and small entities.

- The designation of CSIRTs to act as trusted intermediaries, and to facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services.

- The European vulnerability registry for the discovered vulnerabilities.

- The National Cybersecurity Crisis Management Frameworks, and the designation of national competent authorities responsible for the management of large-scale cybersecurity incidents and crises.

- The Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States.

- The European Cyber Crises Liaison Organisation Network (EU-CyCLONe) that supports the coordinated management of large-scale cybersecurity incidents and crises, and ensures the regular exchange of information among Member States and EU institutions.

- The peer-review system allowing regular peer reviews of the effectiveness of the Member States' cybersecurity policies.

- Management bodies must approve the cybersecurity risk management measures taken by their entities, and they must have cybersecurity-related training.

- Entities must take appropriate and proportionate technical and organisational measures to manage the cybersecurity risks posed to the security of network and information systems.

- Entities must notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of the service they provide.

- The rules for TLD registries and the entities providing domain name registration services for the TLD.

- DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as certain digital providers, are deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.

- Competent authorities are required to supervise the entities under the scope of the Directive, and in particular to ensure their compliance with the security and incident notification requirements.

- Administrative fines to essential and important entities.

- Closing remarks.


b. The European Cyber Resilience Act

- Introduction.

- The Cyber Resilience Act - why it is needed.

- Most hardware and software products were not covered by any EU legislation.

- A uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the EU market.

- Cyberattacks against hardware and software products.

- The strong cross-border nature of cybersecurity.

- The obligation for manufacturers to take security seriously throughout a product's life cycle.

- Scope - "products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network".

- Definitions.

- Requirements for products with digital elements.

- Critical products with digital elements.

- High-risk AI systems.

- Machinery products.

- Obligations of manufacturers.

- Reporting obligations.

- Obligations of importers, distributors, economic operators.

- Conformity of the product with digital elements.

- EU declaration of conformity, and conformity assessment procedures for products with digital elements.

- Notifying authorities, requirements relating to notified bodies.

- Notification procedure.

- Changes to notifications.

- Market surveillance and control of products with digital elements in the Union market.

- Access to data and documentation.

- Compliant products with digital elements which present a significant cybersecurity risk.

- Confidentiality.

- Penalties.

- Entry into force and application.


c. The Digital Operational Resilience Act (DORA)

Digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.

- Are you sure we must comply with the Digital Operational Resilience Act (DORA)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.

ICT risk management.
- The internal governance and control framework that ensures an effective and prudent management of ICT risks.
- The sound, comprehensive and well-documented ICT risk management framework, as part of the overall risk management system.
- ICT systems, protocols and tools.

- The need to identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.
- The need to continuously monitor and control the security and functioning of ICT systems and tools, to minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
- The need for mechanisms to promptly detect anomalous activities.
- The need for response and recovery, and a comprehensive ICT business continuity policy.
- Ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss.

- Learning and evolving, gathering information on vulnerabilities and cyber threats.

- Communication, crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public.

ICT-related incident management, classification and reporting.
- The ICT-related incident management process to detect, manage and notify ICT-related incidents.
- Classification of ICT-related incidents and cyber threats.
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats.
- Harmonisation of reporting content and templates.
- Centralisation of reporting of major ICT-related incidents.

Digital operational resilience testing.
- General requirements for the performance of digital operational resilience testing.
- Testing of ICT tools and systems.
- Advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT).
- Requirements for testers for the carrying out of TLPT.

ICT third-party risk.
- General principles.
- Preliminary assessment of ICT concentration risk at entity level.
- Key contractual provisions.
- Designation of critical ICT third-party service providers.
- Structure of the Oversight Framework.
- Tasks of the Lead Overseer.
- Operational coordination between Lead Overseers.
- Powers of the Lead Overseer.
- Exercise of the powers of the Lead Overseer outside the Union.
- General investigations, inspections, ongoing oversight.
- Harmonisation of conditions enabling the conduct of the oversight activities.
- International cooperation.

Competent authorities.
- Cooperation with structures and authorities.
- Cooperation between authorities.
- Financial cross-sector exercises, communication and cooperation.
- Administrative penalties and remedial measures.
- Exercise of the power to impose administrative penalties and remedial measures.
- Criminal penalties.
- Publication of administrative penalties.
- Professional secrecy, data protection.

- Master plan and list of immediate actions, for firms established in the EU.

- Other new EU directives and regulations that introduce compliance challenges.

- Closing remarks.


d. The Critical Entities Resilience Directive (CER).

- Subject matter, Scope and Definitions.

- Understanding the definitions of a "critical entity", "resilience", "incident", "critical infrastructure", and "essential service".

Strategy on the resilience of critical entities.
- strategic objectives and priorities;
- a governance framework;
- a description of measures necessary to enhance the overall resilience of critical entities;
- a description of the process by which critical entities are identified;
- a description of the process supporting critical entities;
- a policy framework for coordination between the competent authorities.

Risk assessment by Member States.
- the general risk assessment;
- other relevant risk assessments;
- the relevant risks arising from the dependencies between sectors.

- The risk assessment of the critical entities.

- Resilience measures of critical entities.

- Identification of critical entities.

- What is a "significant disruptive effect".

- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.

- Competent authorities and single point of contact.

- Member States’ support to critical entities.

- Cooperation between Member States.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, notably in relation with the resilience of the critical entity;
- are mandated to have direct or remote access to its premises, information or control systems including in connection with the security of the critical entity;
- are being considered for recruitment to positions that fall under criteria mentioned in the previous points.

Incident notification.
- the number and share of users affected;
- the duration;
- the geographical area affected, taking into account whether the area is geographically isolated.

- Identification of Critical entities of particular European significance.

- The Critical Entities Resilience Group.

- Supervision and enforcement.

- Penalties.

- Sectors, subsectors and categories of entities.

- Transposition.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html



Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com

We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
