Curriculum Reference Resources
Core DORA legal framework and official EU policy
EUR-Lex — Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
EUR-Lex — Regulation (EU) 2022/2554 legal summary
https://eur-lex.europa.eu/legal-content/ENG/LSU/?uri=oj%3AJOL_2022_333_R_0001
EUR-Lex — Directive (EU) 2022/2556 amending financial-services directives for DORA alignment
https://eur-lex.europa.eu/eli/dir/2022/2556/oj
European Commission — Cyber resilience in digital finance
https://finance.ec.europa.eu/digital-finance/cyber-resilience_en
European Commission — DORA implementing and delegated acts
https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en
Open-access video — Key requirements of DORA
https://www.youtube.com/watch?v=ez5vcQjEr0U
European Supervisory Authorities and DORA overview materials
ESMA — Digital Operational Resilience Act (DORA) overview
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
EBA — Digital Operational Resilience Act and oversight framework
https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act
EIOPA — Digital Operational Resilience Act (DORA)
https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
EBA — Operational resilience and DORA policy products
https://www.eba.europa.eu/regulation-and-policy/operational-resilience
ESAs — First set of DORA rules for ICT, third-party risk and incident classification
https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-first-set-rules-under-dora-ict-and-third-party
ESAs — Second batch of DORA policy products
https://www.esma.europa.eu/press-news/esma-news/esas-published-second-batch-policy-products-under-dora
ICT risk management and governance references
EBA — RTS on ICT risk management framework and simplified ICT risk management framework
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/regulatory-technical-standards-ict-risk-management-framework-and-simplified-ict-risk-management
CSSF — ICT and cyber risk for DORA entities
https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/
Austrian FMA — DORA ICT risk management
https://www.fma.gv.at/en/cross-sectoral-topics/dora/dora-ict-risk-management/
ENISA — EU financial entities cybersecurity upgrade: DORA is now alive and kicking
https://www.enisa.europa.eu/news/eu-financial-entities-cybersecurity-upgrade-dora-is-now-alive-and-kicking
ICT-related incidents and reporting references
EBA — Joint technical standards on major ICT-related incident reporting under DORA
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-technical-standards-major-incident-reporting
Commission Delegated Regulation (EU) 2024/1772 — RTS on incident classification
https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj
Commission Delegated Regulation (EU) 2025/301 — RTS on major incident reporting content and time limits
https://eur-lex.europa.eu/eli/reg_del/2025/301/oj
Commission Implementing Regulation (EU) 2025/302 — ITS on incident reporting templates and procedures
https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj
Central Bank of Ireland — DORA reporting major ICT-related incidents and significant cyber threats
https://www.centralbank.ie/regulation/digital-operational-resilience-act-dora/reporting-major-ict-related-incidents-and-significant-cyber-threats
Austrian FMA — DORA ICT-related incidents
https://www.fma.gv.at/en/cross-sectoral-topics/dora/dora-ict-related-incidents/
EBA — Joint Guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-guidelines-estimation-aggregated-annual-costs-and-losses-caused-major-ict-related-incidents
Digital operational resilience testing, TLPT and TIBER references
EBA — Joint RTS specifying elements related to threat-led penetration testing
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-regulatory-technical-standards-specifying-elements-related-threat-led-penetration-tests
ESMA — Final report on DORA RTS on TLPT (PDF)
https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-29_-_Final_report_DORA_RTS_on_TLPT.pdf
Commission Delegated Regulation (EU) 2025/1190 on DORA TLPT RTS
https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj
ECB — What is TIBER-EU?
https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html
ECB — TIBER-EU framework updated to align with DORA
https://www.ecb.europa.eu/press/intro/news/html/ecb.mipnews250211.en.html
ECB — TIBER-EU Framework 2025
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework_2025~b32eff9a10.en.pdf
ECB — TIBER-EU Guidance for Service Provider Procurement
https://www.ecb.europa.eu/pub/pdf/annex/ecb.tiber_eu_service_provider_procurement_2025.en.pdf
ECB — TIBER-EU Control Team Guidance
https://www.ecb.europa.eu/pub/pdf/annex/ecb.tiber_control_team_2025.en.pdf
ECB — TIBER-EU Targeted Threat Intelligence Report Guidance
https://www.ecb.europa.eu/pub/pdf/annex/ecb.tiber_targeted_threat_intelligence_report_guidance_2025.en.pdf
ECB — TIBER-EU Red Team Test Plan Guidance
https://www.ecb.europa.eu/pub/pdf/annex/ecb.tiber_red_team_test_plan_guidance_2025.en.pdf
ECB — TIBER-EU Attestation Guidance
https://www.ecb.europa.eu/pub/pdf/annex/ecb.tiber_attestation_guidance_2025.en.pdf
Austrian FMA — DORA digital operational resilience testing
https://www.fma.gv.at/en/cross-sectoral-topics/dora/dora-digital-operational-resilience-testing/
Central Bank of Ireland — TIBER-IE and DORA TLPT
https://www.centralbank.ie/financial-system/operational-resilience-and-cyber/cyber-resilience/tiber-ie
ICT third-party, cloud, register of information and oversight references
EBA — ITS templates for the register of information on ICT third-party arrangements
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/implementing-technical-standards-establish-templates-register-information
EBA — Preparation for DORA application and registers of information
https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/preparation-dora-application
EIOPA — Key findings from the 2024 ESAs dry run exercise on DORA registers of information
https://www.eiopa.europa.eu/publications/key-findings-2024-esas-dry-run-exercise-dora_en
EBA — RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/regulatory-technical-standards-policy-ict-services-supporting-critical-or-important-functions
Commission Delegated Regulation (EU) 2024/1773 on ICT third-party policy
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1773
Commission Implementing Regulation (EU) 2024/2956 on register templates
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956
EBA — Joint RTS on subcontracting ICT services supporting critical or important functions
https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-regulatory-technical-subcontracting
Austrian FMA — DORA managing of ICT third-party risk
https://www.fma.gv.at/en/cross-sectoral-topics/dora/dora-managing-of-ict-third-party-risk/
EBA — DORA oversight of critical ICT third-party providers
https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/dora-oversight
ESMA — DORA oversight
https://www.esma.europa.eu/dora-oversight
ESAs — DORA oversight of critical third-party providers: guide on oversight activities (PDF)
https://www.esma.europa.eu/sites/default/files/2025-07/JC_2025_29__DORA_Guide_on_oversight_activities.pdf
ESMA — List of designated critical ICT third-party providers (PDF)
https://www.esma.europa.eu/sites/default/files/2025-11/List_of_designated_CTPPs.pdf
EIOPA — ESAs designate critical ICT third-party providers under DORA
https://www.eiopa.europa.eu/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital-2025-11-18_en
ECB Banking Supervision — Guide on outsourcing cloud services to cloud service providers
https://www.bankingsupervision.europa.eu/press/pr/date/2025/html/ssm.pr250716~c0401b1b6b.en.html
Threat information sharing and cybersecurity supporting references
EBA Interactive Single Rulebook — DORA Article 45 information-sharing arrangements
https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17772
EBA Interactive Single Rulebook — DORA Chapter VI information-sharing arrangements
https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17716
ENISA — Good Practice Guide on Information Sharing
https://www.enisa.europa.eu/publications/good-practice-guide
ENISA — Cyber Security Information Sharing overview
https://www.enisa.europa.eu/publications/cybersecurity-information-sharing
ENISA — Threat Landscape
https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape
ENISA — Threat Landscape: Finance Sector
https://www.enisa.europa.eu/publications/enisa-threat-landscape-finance-sector
ENISA — CSIRT Maturity Framework
https://www.enisa.europa.eu/topics/incident-response/csirt-capabilities/csirt-maturity
OWASP — Application Security Verification Standard (ASVS)
https://owasp.org/www-project-application-security-verification-standard/
OWASP Cheat Sheet Series — Logging Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
OWASP — Software Assurance Maturity Model (SAMM)
https://owasp.org/www-project-samm/
Cross-programme coordination references
European Commission — NIS2 Directive policy overview
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
EUR-Lex — Regulation (EU) 2016/679 General Data Protection Regulation
https://eur-lex.europa.eu/eli/reg/2016/679/oj

