Ozona Consulting · ISO 20000, ISO 270001, ISO 22301 consultancy

DORA Notification & Communication Course

DORA COURSE ON NOTIFICATION AND COMMUNICATION

DORA Notification & Communication is a reference training program in the field of Business Continuity and Digital Operational Resilience.

 

Based on the accumulated experience of our consulting team specializing in management systems (ISO 22301, ISO 27001, ISO 20000) and in good practice guides, this course examines in detail the articles of the DORA Regulation and its Regulatory Technical Standards (RTS) that address the areas of notification and communication, providing a comprehensive view of the operational resilience requirements demanded by European regulation.

image002

The course will address the key mechanisms for complying with the DORA Regulation in relation to: ICT incident notification, the management of communication with the competent authorities, the classification of incidents and the materiality thresholds, thereby ensuring effective and timely notification.

 

The thirteen chapters that make up the course are designed to provide a detailed understanding of the notification and reporting obligations under the DORA Regulation. Throughout this content, we will explore how financial entities can integrate notification processes into their continual improvement cycle, optimizing the management of operational resilience and ensuring compliance with regulatory requirements. In addition, the course will highlight the importance of reports, internal communication and reporting to senior management as essential tools for the effective governance of digital operational resilience.

DORA REGULATION — DORA NOTIFICATION & COMMUNICATION

(1) Introduction to the DORA Regulation and its focus on digital operational resilience

  • Context of the DORA Regulation and key objectives.
  • Impact of digitalization and reliance on third parties in the financial sector.
  • Evolution of the regulatory framework and recent changes.

(2) Notification and reporting obligations under DORA

  • Summary of the key articles on ICT incident notification.
  • Importance of transparency in notification and standardization of formats.
  • Types of ICT incidents that must be reported and materiality criteria.

(3) ICT incident classification and materiality thresholds

  • Assessment of both direct and indirect impacts, and methodologies for determining materiality.
  • Adapting materiality thresholds to the evolution of emerging risks.

(4) ICT incident notification process and communication to authorities

  • Steps for identifying, classifying and reporting incidents.
  • Coordination with the competent authorities for efficient incident management.
  • Use of standardized formats and the importance of traceability and transparency in reports.

(5) Information sharing with authorities and supervisors

  • Need to establish formal procedures for information sharing.
  • Interoperability standards and use of technology platforms for standardized communication.
  • Promotion of international cooperation to manage cross-border risks.

(6) Management of recurring or ongoing incidents

  • Identification of underlying causes and root cause analysis (RCA).
  • Corrective measures and prevention of recurrences.
  • Notification of recurrences and action plan for unresolved vulnerabilities.

(7) Documentation and recordkeeping

  • Requirements for retention of information on ICT incidents.
  • Document management systems, digitalization and data protection.
  • Efficient audit and review of records to ensure traceability and compliance.

(8) Reporting of new ICT contracts

  • Reporting obligations for new contracts with ICT providers.
  • Risk assessment and notification requirements to authorities.
  • Integration of ICT contracts into the operational resilience framework.

(9) Reporting of TLPT test results

  • Definition and objectives of threat-led penetration testing (TLPT).
  • Frequency of tests and reporting requirements.
  • Evaluation of results and their impact on security improvement.

(10) Reporting of backup and restore test results

  • Importance of backup and restore tests for business continuity.
  • Requirements for documenting the results.
  • Effectiveness assessment and corrective actions to ensure data availability.

(11) Reporting of costs and losses related to ICT incidents

  • Importance of quantifying direct and indirect costs associated with incidents.
  • Preparation of annual cost reports and their use in evaluating mitigation strategies.
  • Financial recovery plans and communication to senior management.

(12) Lessons learned and post-incident review

  • Evaluation of each incident to identify improvement opportunities.
  • Formalization of lessons learned in new operating procedures.
  • Communication of results and recommendations to senior management and employees.

(13) Continuous compliance and improvement of the notification and communication process

  • Integration of incident notification into a continual improvement cycle.
  • Development of key performance indicators (KPIs) and periodic review of their effectiveness.
  • Internal audits and tracking of the recommended corrective actions

Date and price

REGISTRATION REQUEST

    No editions currently scheduled · Notify me when new dates are availableInterested in an in-company session