Digital Operational Resilience Act Trained Professional (DORATPro) program
Overview
According to preamble 45 of the Digital Operational Resilience Act (DORA), to ensure full alignment and overall consistency between financial entities’ business strategies, on the one hand, and the conduct of ICT risk management, on the other hand, the financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy.
The approach to be taken by management bodies should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks and a commitment to observe a strict cyber hygiene at all levels.
The ultimate responsibility of the management body in managing a financial entity’s ICT risk should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management.
According to Article 5 of the Digital Operational Resilience Act (DORA), the management body shall:
(a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
(b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
(c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
(d) bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the financial entity;
(e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans;
(f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
(g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
(h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
(i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
(i) arrangements concluded with ICT third-party service providers on the use of ICT services,
(ii) any relevant planned material changes regarding the ICT third-party service providers,
(iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.
3. Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
4. Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.
The Digital Operational Resilience Act must be implemented by financial entities and their service providers. According to Article 50, Member States must establish appropriate administrative penalties and remedial measures for breaches of this regulation and shall ensure their effective implementation. The penalties and measures must be effective, proportionate and dissuasive. Financial entities need assurance that employees and contractors have the knowledge and skills needed to comply with the regulation, mitigate risks and accept responsibility.
Supervisors and auditors ask for independent evidence that the process owners are qualified, and that the controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.
The marketplace is clearly demanding qualified professionals that have the knowledge and skills needed to comply with this regulation.
Objectives
The program has been designed to provide with the skills needed to understand and support compliance with the Digital Operational Resilience Act (DORA).
It also provides with the skills needed to pass the Digital Operational Resilience Act Trained Professional (DORATPro) exam, and to receive the Certificate of Completion, that provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.
Target Audience
The program is beneficial to risk and compliance managers and professionals, auditors, consultants, suppliers and service providers that work for companies and organizations that have to comply with the Digital Operational Resilience Act (DORA).
Who must comply with the Digital Operational Resilience Act (DORA)?
According to Article 2 (Scope) of the Digital Operational Resilience Act (DORA), this Regulation applies to the following entities:
(a) credit institutions;
(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
(c) account information service providers;
(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
(e) investment firms;
(f) crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers;
(t) securitisation repositories;
(u) ICT third-party service providers.
For the purposes of this Regulation, entities referred to in paragraph 1, points (a) to (t), shall collectively be referred to as ‘financial entities’.
Course Synopsis.
Introduction.
- The Digital Operational Resilience Act Trained Professional (DORATPro) exam.
- The certificate of completion.
The European Union - how does the legislative process work?
- Key institutions.
- The European Commission, the most important institution for risk and compliance professionals.
- How does the legislative process work?
- The European System of Financial Supervision (ESFS).
- Legal acts after the Treaty of Lisbon.
- Delegated acts, supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The European Data Protection Supervisor and the European Data Protection Board.
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service.
- The Common Foreign and Security Policy (CFSP).
- The Common Security and Defence Policy (CSDP).
- The European Network and Information Security Agency (ENISA).
- The NIS Cooperation Group.
- The European cyber crisis liaison organisation network (EU-CyCLONe).
The need for the Digital Operational Resilience Act.
- The FinTech Action Plan of 2018.
- The Digital Finance Package.
- NIS, NIS 2 and DORA.
- Public security, defence, national security.
- Outsourcing in financial services.
The Digital Operational Resilience Act, Important Articles.
CHAPTER I, General provisions.
- Subject matter.
- Scope.
- Definitions.
- Proportionality principle.
CHAPTER II, ICT risk management.
- Governance and organisation.
- ICT risk management framework.
- ICT systems, protocols and tools.
- Identification.
- Protection and prevention.
- Detection.
- Response and recovery.
- Backup policies and procedures, restoration and recovery procedures and methods.
- Learning and evolving.
- Communication.
- Further harmonisation of ICT risk management tools, methods, processes and policies.
- Simplified ICT risk management framework.
CHAPTER III, ICT-related incident management, classification and reporting.
- ICT-related incident management process.
- Classification of ICT-related incidents and cyber threats.
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats.
- Harmonisation of reporting content and templates.
- Centralisation of reporting of major ICT-related incidents.
- Supervisory feedback.
- Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions.
CHAPTER IV, Digital operational resilience testing.
- General requirements for the performance of digital operational resilience testing.
- Testing of ICT tools and systems.
- Advanced testing of ICT tools.
- Requirements for testers for the carrying out of TLPT.
CHAPTER V, Managing of ICT third-party risk.
- Section I, Key principles for a sound management of ICT third-party risk.
- General principles.
- Preliminary assessment of ICT concentration risk at entity level.
- Key contractual provisions.
- Section II, Oversight Framework of critical ICT third-party service providers.
- Designation of critical ICT third-party service providers.
- Structure of the Oversight Framework.
- Tasks of the Lead Overseer.
- Operational coordination between Lead Overseers.
- Powers of the Lead Overseer.
- Exercise of the powers of the Lead Overseer outside the Union.
- Request for information.
- General investigations.
- Inspections.
- Ongoing oversight.
- Harmonisation of conditions enabling the conduct of the oversight activities.
- Follow-up by competent authorities.
- Oversight fees.
- International cooperation.
CHAPTER VI, Information-sharing arrangements.
- Information-sharing arrangements on cyber threat information and intelligence.
CHAPTER VII, Competent authorities.
- Competent authorities.
- Cooperation with structures and authorities established by Directive (EU) 2022/2555 (the NIS 2 Directive).
- Cooperation between authorities.
- Financial cross-sector exercises, communication and cooperation.
- Administrative penalties and remedial measures.
- Exercise of the power to impose administrative penalties and remedial measures.
- Criminal penalties.
- Notification duties.
- Publication of administrative penalties.
- Professional secrecy.
- Data Protection.
CHAPTER VIII, Delegated acts.
- Exercise of the delegation.
CHAPTER IX, Transitional and final provisions.
- Review clause.
- Amendments.
- Entry into force and application.
Deadlines, references to NIS 2, National discretions.
- So many deadlines … Mark your calendar.
- All the 35 references to the NIS 2 Directive (Directive (EU) 2022/2555) in one list.
- Important national discretions (even in a regulation…).
Other new EU Directives and Regulations.
- The European Cyber Resilience Act.
- The NIS 2 Directive.
- The Critical Entities Resilience Directive (CER).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Health Data Space (EHDS).
- The European Chips Act.
- The European Data Act.
- The European Data Governance Act (DGA).
- The Artificial Intelligence Act.
- The European ePrivacy Regulation.
NIS 2, DORA, or both?
- The Commission's Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA).
The first set of final draft technical standards under the Digital Operational Resilience Act (DORA).
Note: There are no exam questions from the draft standards. When we will have final standards, published in the Official Journal of the European Union, we will add exam questions that cover these standards.
1. JC 2023 83. Final report on Draft Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554.
- Classification criterion ‘Clients, financial counterparts and transactions.’
- Classification criterion ‘Reputational impact.’
- Classification criterion ‘Duration and service downtime.’
- Classification criterion ‘Geographical spread.’
- Classification criterion ‘Data losses.’
- Classification criterion ‘Critical services affected.’
- Classification criterion ‘Economic impact.’
- Major incidents.
- Materiality thresholds for the classification criterion ‘Clients, financial counterparts - and transactions.’
- Materiality thresholds for the classification criterion ‘Reputational impact.’
- Materiality thresholds for the classification criterion ‘Duration and service downtime.’
- Materiality thresholds for the classification criterion ‘Geographical spread’.
- Materiality thresholds for the classification criterion ‘Data losses.’
- Materiality threshold for the classification criterion ‘Economic impact.’
- Criteria and high materiality thresholds for determining significant cyber threats.
2. JC 2023 84. Final report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554.
- Overall risk profile and complexity.
- Group application.
- Main phases of the life cycle for the use of ICT services.
- Ex-ante risk assessment.
- Due diligence.
- Conflict of interests.
- Contractual clauses for the use of ICT services.
Monitoring of the contractual arrangements for the use of ICT services.
- Exit and termination of contractual arrangements.
3. JC 2023 85. Final Report On Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554.
- The register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
- The register of information is composed of 15 templates.
- Subject matter
- Definitions - ‘direct ICT third-party service provider’, ‘subcontractor’, ‘ICT service supply chain’, ‘rank’
- General requirements for maintaining and updating the register of information
- Data format requirements
- Content of the register of information
- Scope of the register of information at sub-consolidated and consolidated level.
4. JC 2023 86. Final report, Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554.
- Overall risk profile and complexity.
- General elements of ICT security policies.
- ICT risk management.
- ICT asset management policy.
- ICT asset management procedure.
- Encryption and cryptographic controls.
- Cryptographic key management.
- Policies and procedures for ICT operations.
- Capacity and performance management.
- Vulnerability and patch management.
- Data and system security.
- Logging.
- Securing information in transit.
- ICT project management.
- ICT systems acquisition, development, and maintenance.
- ICT change management.
- Physical and environmental security.
- Human resources policy.
- Identity management.
- Access control.
- ICT-related incident management policy.
- Anomalous activities’ detection and criteria for ICT-related incidents’ detection and response.
- Components of the ICT business continuity policy.
- Testing of the ICT business continuity plans.
- ICT response and recovery plans.
- Closing remarks.
Become a Digital Operational Resilience Act Trained Professional (DORATPro)
This is a Distance Learning with Certificate of Completion program, provided by Cyber Risk GmbH. The General Terms and Conditions for all legal transactions made through the Cyber Risk GmbH websites (hereinafter “GTC”) can be found at: https://www.cyber-risk-gmbh.com/Impressum.html
Each Distance Learning with Certificate of Completion program (hereinafter referred to as “distance learning program”) is provided at a fixed price, that includes VAT. There is no additional cost, now or in the future, for any reason.
We will send the distance learning program via email up to 24 hours after the payment (working days). Please remember to check the spam folder of your email client too, as emails with attachments are often landed in the spam folder.
You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our distance learning programs for any reason, all you must do is to send us an email, and we will refund the payment, no questions asked.
Your payment will be received by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH will also send the certificates of completion to all persons that will pass the exam.
The all-inclusive cost is 297 USD (US Dollars).
First option: You can purchase the Digital Operational Resilience Act Trained Professional (DORATPro) program with VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.
Purchase the DORATPro program here (VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.)
Second option: QR code payment.
i. Open the camera app or the QR app on your phone.
ii. Scan the QR code and possibly wait for a few seconds.
iii. Click on the link that appears, open your browser, and make the payment.
Third option: You can purchase the Digital Operational Resilience Act Trained Professional (DORATPro) program with PayPal
When you click "PayPal" below, you will be redirected to the PayPal web site. If you prefer to pay with a card, you can click "Debit or Credit Card" that is also powered by PayPal.
What is included in the cost of the distance learning program:
A. The official presentations (1501 slides).
The presentations are effective and appropriate to study online or offline. Busy professionals have full control over their own learning and are able to study at their own speed. They are able to move faster through areas of the course they feel comfortable with, but slower through those that they need a little more time on.
B. Up to 3 online exam attempts per year.
Candidates must pass only one exam. If they fail, they must study the official presentations and retake the exam. Candidates are entitled to 3 exam attempts every year.
If candidates do not achieve a passing score on the exam the first time, they can retake the exam a second time.
If they do not achieve a passing score the second time, they can retake the exam a third time.
If candidates do not achieve a passing score the third time, they must wait at least one year before retaking the exam. There is no additional cost for additional exam attempts. To learn more, you may visit: https://www.digital-operational-resilience-act.com/Distance_Learning_Programs_Exam_Certificate_of_Completion.pdf
C. The certificate of completion, with a scannable QR code for verification.
You will receive your certificate via email in Adobe Acrobat format (pdf), with a scannable QR code for verification, 7 business days after you pass the exam. A business day refers to any day in which normal business operations are conducted (in our case Monday through Friday), excluding weekends and public holidays.
D. Cyber Risk GmbH will develop a web page dedicated to each certified professional (https://www.cyber-risk-gmbh.com/Your_Name.htm).
When third parties scan the QR code on your certificate, they will visit this web page (https://www.cyber-risk-gmbh.com/Your_Name.htm), and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.
In this web page we will have your name, all the certificates you have received from us, and pictures of your certificates.
This is an example: https://www.cyber-risk-gmbh.com/Monika_Meier.html
You can print your certificate that you will receive in Adobe Acrobat format (pdf). With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds. Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.
E. If you purchase the DORATPro program now, you can receive all the updated and amended DORATPro programs at no cost until January 31, 2028.
Every time we have important developments that affect regulatory compliance with the Digital Operational Resilience Act (DORA), we will update and amend this training program, especially when we have important:
- Joint final draft technical standards, from the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA).
- Regulatory Technical Standards (RTS),
- Implementing Technical Standards (ITS),
- Delegated Acts, that supplement or amend non‑essential parts of EU legislative acts, and
- Implementing Acts, that ensure that EU laws are applied uniformly.
The all-inclusive cost of your first program is $297. The all-inclusive cost of your second (and each additional) program is $197. It includes the exam, the certificate of completion, and all the updated and amended programs at no cost until January 31, 2028. You can take the exam and receive the certificate of completion only once. You cannot take the exam again, and it is not possible to receive a new certificate of completion every time you receive an updated and amended program at no cost.
If you want to take the exam again, to receive a certificate of completion having a later date on it, and to have both certificates of completion with different dates at your dedicated web page, you must purchase the updated program at a discounted cost ($197). This is not required, your original certificate will not expire.
In order to receive the updated and amended program (you have purchased the program in the past, and now you want to receive the updated and amended program at no cost), please follow the simple steps:
Please check the “Course synopsis” of the program at the registration page, to check if you have the latest version.
If we have updated the program, please send us an email with title: “Please send me the updated DORATPro program.”
In the email, please let us know which was the name and email address of the person or legal entity that had initially purchased the program.
You will receive the updated program in less than 48 hours (working days). Please remember to check your spam folder too.
Frequently Asked Questions for the distance learning programs.
1. I want to know more about Cyber Risk GmbH.
Cyber Risk GmbH is a company incorporated in Switzerland.
Company number: CHE-244.099.341.
Cantonal Register of Commerce: Canton of Zürich.
Registered address: Dammstrasse 16, 8810 Horgen, Switzerland.
Swiss VAT number: CHE-244.099.341 MWST.
EU VAT number: EU276036462. Cyber Risk GmbH is registered for EU VAT purposes in Germany (Bundeszentralamt für Steuern, Verfahren One-Stop-Shop, Nicht EU-Regelung) for the sale of services in the EU. Cyber Risk GmbH declares and pays EU VAT in a single electronic quarterly return submitted to Germany, and the German Bundeszentralamt für Steuern forwards the EU VAT due to each member State of the EU.
The owner and general manager of Cyber Risk GmbH is George Lekatis, a well-known expert in risk management and compliance. George is also the general manager of Compliance LLC, incorporated in Wilmington, NC, and offices in Washington, DC. It is a provider of risk and compliance training and executive coaching in 57 countries.
Several business units of Compliance LLC are very successful associations that offer membership, weekly or monthly updates, training, certification, Authorized Certified Trainer (ACT) programs, and other services to their members.
The business units of Compliance LLC include:
- The Sarbanes-Oxley Compliance Professionals Association (SOXCPA), the largest Association of Sarbanes-Oxley professionals in the world. You may visit: https://www.sarbanes-oxley-association.com
- The Basel iii Compliance Professionals Association (BiiiCPA), the largest association of Basel iii Professionals in the world. You may visit: https://www.basel-iii-association.com
- The Solvency II Association, the largest association of Solvency II professionals in the world. You may visit: https://www.solvency-ii-association.com
- The International Association of Risk and Compliance Professionals (IARCP). You may visit: https://www.risk-compliance-association.com
The Certified Risk and Compliance Management Professional (CRCMP) program, from the IARCP, has become one of the most recognized certificates in risk management and compliance. There are CRCMPs in 57 countries. Companies and organizations around the world consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at: https://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
“Cyber Risk GmbH Training Programs” are training programs developed, updated and provided by Cyber Risk GmbH, and include:
a) In-House Instructor-Led Training programs,
b) Online Live Training programs,
c) Video-Recorded Training programs,
d) Distance Learning with Certificate of Completion programs.
“Cyber Risk GmbH websites” are all websites that belong to Cyber Risk GmbH, and include the following:
a. Sectors and Industries.
2. Social Engineering Training
12. Transport Cybersecurity Toolkit
14. Sanctions Risk
15. Travel Security
b. Understanding Cybersecurity.
4. What is Synthetic Identity Fraud?
c. Understanding Cybersecurity in the European Union.
2. The Digital Operational Resilience Act (DORA)
3. The Critical Entities Resilience Directive (CER)
5. The European Data Governance Act (DGA)
6. The European Cyber Resilience Act (CRA)
7. The Digital Services Act (DSA)
8. The Digital Markets Act (DMA)
10. The Artificial Intelligence Act
11. The Artificial Intelligence Liability Directive
12. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
13. The EU Cyber Solidarity Act
14. The Digital Networks Act (DNA)
15. The European ePrivacy Regulation
16. The European Digital Identity Regulation
17. The European Media Freedom Act (EMFA)
18. The Corporate Sustainability Due Diligence Directive (CSDDD)
19. The European Health Data Space (EHDS)
20. The European Financial Data Space (EFDS)
21. The Financial Data Access (FiDA) Regulation
22. The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR)
23. The European Cyber Defence Policy
24. The Strategic Compass of the European Union
25. The EU Cyber Diplomacy Toolbox
2. Is there any discount available for the distance learning programs?
We do not offer a discount for your first program. You have a $100 discount for your second and each additional program.
After you purchase the Digital Operational Resilience Act Trained Professional (DORATPro) program at $297, you can purchase:
a. The NIS 2 Directive Trained Professional (NIS2DTP) program at $197. You can find more about the program at: https://www.nis-2-directive.com/NIS_2_Directive_Trained_Professional_(NIS2DTP).html.
b. The Critical Entities Resilience Directive Trained Professional (CERDTPro) program at $197. You can find more about the program at: https://www.critical-entities-resilience-directive.com/Critical_Entities_Resilience_Directive_Trained_Professional_(CERDTPro).html.
c. The Digital Services Act Trained Professional (DiSeActTPro) program at $197. You can find more about the program at: https://www.eu-digital-services-act.com/DiSeActTPro_Training.html.
d. The Digital Markets Act Trained Professional (DiMaActTPro) program at $197. You can find more about the program at: https://www.eu-digital-markets-act.com/DiMaActTPro_Training.html.
e. The Data Governance Act Trained Professional (DatGovActTP) program at $197. You can find more about the program at: https://www.european-data-governance-act.com/DatGovActTP_Training.html.
f. The European Chips Act Trained Professional (EChipsActTPro) program at $197. You can find more about the program at: https://www.european-chips-act.com/European_Chips_Act_Trained_Professional_(EChipsActTPro).html .
g. The Data Act Trained Professional (DataActTPro) program at $197. You can find more about the program at: https://www.eu-data-act.com/Data_Act_Trained_Professional_(DataActTPro).html .
In order to receive the URL for the discounted cost for your second and each additional program, please send us an email with title: “Please send me the URL for the discounted cost.”
In the email, please let us know:
a. Which was the name and email address of the person or legal entity that had purchased the first program.
b. Which is the program you want to purchase now at $197 instead of $297.
You will receive the URL for the discounted cost for your second and each additional program in less than 48 hours (working days). Please remember to check your spam folder too.
3. Are there any entry requirements or prerequisites required for enrolling in the training programs?
There are no entry requirements or prerequisites for enrollment. Our programs give the opportunity to individuals of all levels to learn, grow, and develop new skills without the need for prior qualifications or specific experience.
4. I want to learn more about the exam.
You can take the exam online from your home or office, in all countries.
It is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.
You will be given 90 minutes to complete a 35-question exam. You must score 70% or higher.
The exam contains only questions that have been clearly answered in the official presentations.
All exam questions are multiple-choice, composed of two parts:
a. A stem (a question asked, or an incomplete statement to be completed).
b. Four possible responses.
In multiple-choice questions, you must not look for a correct answer, you must look for the best answer. Cross out all the answers you know are incorrect, then focus on the remaining ones. Which is the best answer? With this approach, you save time, and you greatly increase the likelihood of selecting the correct answer.
TIME LIMIT - This exam has a 90-minute time limit. You must complete this exam within this time limit, otherwise the result will be marked as an unsuccessful attempt.
BACK BUTTON - When taking this exam you are NOT permitted to move backwards to review/change prior answers. Your browser back button will refresh the current page instead of moving backward.
RESTART/RESUME – You CANNOT stop and then resume the exam. If you stop taking this exam by closing your browser, your answers will be lost, and the result will be marked as an unsuccessful attempt.
SKIP - You CANNOT skip answering questions while taking this exam. You must answer all the questions in the order the questions are presented.
When you are ready to take the exam, you must follow the steps described at "Question h. I am ready for the exam. What must I do?", at:
5. How comprehensive are the presentations? Are they just bullet points?
The presentations are not bullet points. They are effective and appropriate to study online or offline.
6. Do I need to buy books to pass the exam?
No. If you study the presentations, you can pass the exam. All the exam questions are clearly answered in the presentations. If you fail the first time, you must study more. Print the presentations and use Post-it to attach notes, to know where to find the answer to a question.
7. Is it an open book exam? Why?
Yes, it is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.
8. Do I have to take the exam soon after receiving the presentations?
No. You can take the exam any time. Your account never expires. You have lifetime access to the training program. If there are any updates to the training material and you have not passed the exam, you will receive the updated program free of charge.
9. Do I have to spend more money in the future to keep my certificate of completion valid?
No. Your certificate of completion will remain valid, without the need to spend money or to take another exam in the future.
10. Ok, the certificate of completion never expires, but things change.
Recertification would be a great recurring revenue stream for Cyber Risk GmbH, but it would also be a recurring expense for our clients. We resisted the temptation to "introduce multiple recurring revenue streams to keep business flowing", as we were consulted. No recertification is needed for our programs.
Things change, and this is the reason you need to visit the "Reading Room" of Cyber Risk GmbH every month, and read the monthly newsletter with updates, alerts, and opportunities, to stay current. You may visit:
https://www.cyber-risk-gmbh.com/Reading_Room.html
11. Which is your refund policy?
Cyber Risk GmbH has a very clear refund policy: You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our programs for any reason, all you must do is to send us an email, and we will refund the payment after one business day, no questions asked.
12. I want to receive a printed certificate. Can you send me one?
Unfortunately this is not possible. You will receive your certificate via email in Adobe Acrobat format (pdf), with a scannable QR code for verification, 7 business days after you pass the exam. A business day refers to any day in which normal business operations are conducted (in our case Monday through Friday), excluding weekends and public holidays.
Cyber Risk GmbH will develop a dedicated web page for each professional (https://www.cyber-risk-gmbh.com/Your_Name.html). In your dedicated web page we will add your full name, all the certificates you have received from Cyber Risk GmbH, and the pictures of your certificates.
When third parties scan the QR code on your certificate, they will visit your dedicated web page, and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.
Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.
You can print your certificate that you will receive in Adobe Acrobat format. With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds.
13. Why should I choose your training programs?
I. There are many new Directives and Regulations in the EU, and our target audience is overwhelmed and has little time to spare. Cyber Risk GmbH has developed training programs that can assist them in understanding the new requirements, and in providing evidence that they are qualified, as they must pass an exam to receive their certificate of completion.
II. Our training programs are flexible and convenient. Learners can access the course material and take the exam at any time and from any location. This is especially important for those with busy schedules.
III. The all-inclusive cost of our programs is very low. There is no additional cost for each program, now or in the future, for any reason.
IV. If you purchase a second program, you have a $100 discount. The all-inclusive cost for your second (and each additional) program is $197.
V. There are 3 exam attempts per year that are included in the cost of each program, so you do not have to spend money again if you fail.
VI. No recertification is required. Your certificates of completion never expire.
VII. If you purchase the DORATPro program now, you can receive all the updated and amended DORATPro programs at no cost until January 31, 2028.
Every time we have important developments that affect regulatory compliance with the Digital Operational Resilience Act (DORA), we will update and amend this training program, especially when we have important:
- Joint final draft technical standards, from the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA).
- Regulatory Technical Standards (RTS),
- Implementing Technical Standards (ITS),
- Delegated Acts, that supplement or amend non‑essential parts of EU legislative acts, and
- Implementing Acts, that ensure that EU laws are applied uniformly.
VIII. The marketplace is clearly demanding qualified professionals in risk and compliance management. Certified professionals enjoy industry recognition and have more and better job opportunities.
IX. Firms and organizations hire and promote fit and proper professionals who can provide evidence that they are qualified. Employers need assurance that managers and employees have the knowledge and skills needed to mitigate risks and accept responsibility. Supervisors and auditors ask for independent evidence that the process owners are qualified, and that the controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.
X. Professionals that gain more skills and qualifications often become eligible for higher-paying roles. Investing in training can have a direct positive impact on a manager's or employee's earning potential.
Cyber Risk GmbH, some of our clients
