Board Training DORA
Level 1

LESSON 1 – THE REGULATORY CONTEXT
This lesson explains how the regulatory framework that led to the “introduction of the DORA Regulation has evolved. It illustrates the concept of digital operational resilience applied to the financial sector, focusing on the” importance of the security of technological infrastructures (ICT) and the need to harmonize regulations among EU member states.

LESSON 2 – OBJECTIVES AND SCOPE OF APPLICATION
This lesson explains how the DORA Regulation aims to ensure continuity and security of European financial services by defining common rules for managing digital risks. It illustrates the entities involved, the measures envisaged, and the principle of proportionality that governs the application to different financial entities.

LESSON 4 – MANAGEMENT, CLASSIFICATION AND REPORTING OF ICT RISKS
This lesson explains how financial entities should behave in the face of ICT incidents. It starts from detection, moves on to classification based on severity and impact, up to mandatory notification according to European regulatory thresholds. It also clarifies the management of cases where DORA and NIS2 obligations overlap.

LESSON 5 – DIGITAL OPERATIONAL RESILIENCE TESTING
This lesson explains how financial entities must organize periodic digital resilience tests to assess their ability to respond to cyber attacks. The tests include technical analyses and realistic simulations, managed by independent entities, and serve to identify vulnerabilities and implement corrective measures.

LESSON 7 – SANCTIONS
This lesson explains how authorities, in case of DORA violations, can apply economic and operational sanctions. These range from fines and remediation plans to suspension of activities or personal liability of managers. The sanctions system also has reputational effects.

LESSON 8 – DELEGATED REGULATIONS
This lesson explains how the EU delegated regulations define the fundamental technical and procedural aspects for implementing DORA. It addresses criteria for classifying incidents, guidelines on contracts with ICT providers, and standards for risk management and “identification of critical providers.”

LESSON 1 – CYBER RISK
Cyber risk management, an integral part of business activities, requires assessing and mitigating risks arising from digital vulnerabilities intentionally exploited by malicious actors. Risk reduction is based on two dimensions: lowering the probability of an attack through prevention and awareness, and limiting the impact through resilient assets and technological best practices.

LESSON 2 – CYBER RISK ANALYSIS
Risk analysis is fundamental for understanding threats, probabilities, and impacts, and defining countermeasures. Following standards like ISO or NIST, it is articulated in six phases: identifying the context and risks, analyzing them, defining priorities, preparing responses, and continuously monitoring. The main output is the Risk Register, which maps cyber and non-cyber risks, essential for multi-risk security strategies as required by DORA.

LESSON 4 – SECURITY CONTROLS
Security incident management is based on analyzing logs generated by digital infrastructures to identify and prevent critical situations. The Security Operations Center (SOC) processes alerts through a structured operational flow articulated in three phases: preliminary analysis, detailed analysis, and definition of containment and remedy actions. The use of Artificial Intelligence (AI) helps reduce false positives, improving operational efficiency.

LESSON 5 – THE DAMAGE
The “impact represents the damage caused by an adverse event, classifiable as direct, civil liability, indirect, and consequential. In cyber risk, damages are distinguished between own (business interruption, system restoration, incident management) and third-party (litigation, data breaches). While material damages are more easily estimable, immaterial ones require complex assessments.”

LESSON 2 – MAIN ATTACK TECHNIQUES
Cyber attack techniques include malware, vulnerability exploitation, and Distributed Denial of Service (DDoS) attacks. Malware, including zero-days, exploits unknown vulnerabilities, while vulnerabilities exposed on the Internet allow data theft and privileged access, often through social engineering. DDoS attacks overload infrastructures or applications, rendering them unusable.

LESSON 3 – VULNERABILITIES
Vulnerabilities represent a risk only if they are not mitigated by technical or procedural controls. Their lifecycle goes through four phases: discovery, disclosure, countermeasure identification, and application, with the first two being particularly critical. Effective vulnerability management requires an industrialized process, based on constant updates, complete asset inventories, and a priority-based strategy.

LESSON 1 – CEO FRAUD
A cybercriminal compromises or falsifies the CEO’s or another Board member’s email and sends an urgent email to the CFO or a financial executive, ordering a wire transfer of millions of euros to a foreign account.

LESSON 2 – RANSOMWARE ATTACK WITH EXTORTION
A leading company in the energy sector suffers a ransomware attack that blocks IT systems and paralyzes operations. The criminals threaten to publish sensitive Board data if the ransom is not paid.

LESSON 4 – DATA BREACH
A targeted attack steals financial and personal data of Board members. The press becomes aware of it, and the company suffers reputational damage, in addition to risks for non-compliance with DORA and GDPR.