DORA Training

DORA TRAINING — DIGITAL OPERATIONAL RESILIENCE ACT

The digital resilience standard of the European financial sector; its effect spreads over a much wider perimeter.

DORA Training covers, end to end, the requirements of the Digital Operational Resilience Act, which entered into force in the European Union on 17 January 2025, and how it affects the financial sector in Turkey and technology suppliers doing business with the EU, under the headings of IT risk management, incident reporting, resilience testing, third-party management and information sharing. The training is delivered in comparison with BRSA (BDDK) regulations.

EU Regulation 2022/2554 · IT Risk Management · Incident Reporting · Resilience Testing · ICT Third Party

DORA Compliance Maturity Dashboard (5 pillars + tracking)

  • IT risk management: framework
  • Incident reporting: 4 hours
  • Third-party monitoring: critical ICT
  • 5: basic compliance pillars
  • TLPT: threat-led penetration testing
  • 22 / 537: number of RTS/ITS
  • 2025: EU regulation in force since 17 January 2025; directly applicable, without waiting for member state legislation.
  • 5 pillars: IT risk management, incident reporting, resilience testing, third-party management, information sharing.
  • TLPT: threat-led penetration testing; mandatory for critical organizations every 3 years.
  • CTPP: critical third-party service provider; suppliers subject to direct EU oversight.
PURPOSE OF THE TRAINING

DORA is not a regulation that concerns only European banks; it directly or indirectly binds the entire finance and technology ecosystem doing business with the EU.

DORA (Digital Operational Resilience Act / EU Regulation 2022/2554) is a comprehensive regulation issued by the European Union to ensure the digital resilience of its financial sector. In force since 17 January 2025, the regulation governs a broad perimeter: from banks to insurance companies, from investment firms to payment service providers and crypto-asset service providers, and even the cloud, software and data center providers that serve these institutions.

Although financial institutions in Turkey are not directly subject to DORA, every Turkey-based organization that has a subsidiary in Europe, has customers in the EU market, provides services to EU-based institutions, or acts as a subcontractor in that chain is affected by DORA requirements. The training covers DORA's 5 core pillars (IT risk management, incident reporting, resilience testing, third-party management, information sharing) in comparison with BRSA regulations and shows, through practical examples, how to build the compliance structure.

Purpose: participants should clearly understand the scope and applicability of the DORA regulation, see where it aligns with and differs from BRSA regulations, adapt the obligations under the 5 pillars to their institution, establish an IT risk framework, design an incident reporting flow, and establish the discipline of third-party management and resilience testing.

Every financial and technology organization doing business with the EU falls within the DORA perimeter. Banks, insurers and payment service providers with EU-based customers; cloud providers, SaaS vendors and data centers serving Europe; group companies with EU subsidiaries: all of these are affected by DORA either directly or through contracts.

Incident reporting deadlines are very strict. DORA requires that the initial notification of a serious ICT incident be made within hours of detection, an interim report within 72 hours, and a final report within one month. This time discipline is far stricter than classical legislation and poses a serious risk for unprepared institutions.

The third-party regime directly governs the supply chain. DORA subjects financial institutions' critical ICT service providers to a strict regime of contracting, monitoring and auditing. Providers that meet certain criteria come under direct EU oversight as Critical Third-Party Providers (CTPPs). Turkish technology providers with EU customers are bound by this regime as well.

BRSA and DORA are parallel but different. The BRSA Information Systems and Electronic Banking Regulation and DORA run in parallel on many topics, but differ significantly in the details. Turkish banks doing business with the EU must comply with both regimes at once. The training clearly lays out this parallel compliance structure.
CLASSIC IT RISK APPROACH AND DORA APPROACH

This training builds DORA's holistic resilience framework on top of classic IT risk management.

In many financial institutions, IT risk is treated as an internal matter for the IT department. DORA revolutionizes this approach: digital resilience is defined as a holistic corporate discipline with board responsibility.

Classic IT risk approach: IT department-focused, fragmented application

  • IT risk is solely a matter for the IT department
  • Loosely defined incident reporting deadlines
  • Third-party management is contract-oriented only
  • Resilience testing is irregular or not performed
  • The board of directors has limited visibility
  • Cross-sector information sharing is weak
  • Interaction with the regulator is limited
  • The result: fragmented, unmeasurable resilience

DORA holistic resilience framework: 5 pillars, board responsibility

  • IT risk is the direct responsibility of the board of directors
  • Incident reporting in an initial (hours), interim (72-hour) and final (monthly) flow
  • ICT third-party regime with strict monitoring and audit
  • Regular resilience tests and the TLPT obligation
  • Structured board reporting
  • Incentive mechanism for sector-wide information sharing
  • Structured communication with the competent authority
  • The result: measurable, auditable resilience
TRAINING OUTCOMES — DORA'S 5 CORE PILLARS

Participants learn DORA as a holistic resilience discipline structured around its 5 pillars.

Rather than walking participants through the regulation article by article, the training is built around its 5 main pillars. Each pillar is covered through comparison with BRSA regulations, concrete cases and sample supplier contracts.

PILLAR 2 — INCIDENT REPORTING

Establishes the discipline of classifying and reporting incidents.

Classification of ICT incidents, identification of serious incidents, initial notification, interim report (72 hours) and final report deadlines; structured communication flow with the competent authority.

  • Incident classification criteria
  • Initial, interim and final report timeline
  • Competent authority flow
PILLAR 3 — RESILIENCE TESTING

Resilience is proven through testing.

Regular resilience tests (vulnerability scanning, penetration testing, scenario testing); the obligation of Threat-Led Penetration Testing (TLPT) every 3 years for critical organizations; findings management discipline.

  • Test types and frequency
  • TLPT methodology
  • Findings closure tracking
PILLAR 4 — THIRD PARTY

Puts ICT suppliers under a strict regime.

ICT supplier life cycle, mandatory contract clauses, definition of the critical ICT third party (CTPP), the obligation to register critical suppliers, and entry into the direct EU oversight regime.

  • Contract mandatory clauses
  • CTPP definition and impact
  • Exit strategy planning
PILLAR 5 — INFORMATION SHARING

Promotes cross-industry threat intelligence.

Threat indicator sharing, sectoral intelligence networks, ISAC structures; how the organization decides whether to join information-sharing arrangements, and the legal framework.

  • Types of threat indicators
  • ISAC and industry networks
  • Legal and contractual framework
PARALLEL COMPLIANCE WITH BRSA

Dual compliance structure for Turkish financial institutions.

Where the BRSA Information Systems and Electronic Banking Regulation and DORA run in parallel and where they diverge; how both regimes can be managed within a single compliance framework.

  • Common and distinct obligations
  • Parallel compliance strategy
  • One-time control mapping across both regimes
TRAINING FLOW

Two-day intensive program; comprehensive content ranging from an introduction to the regulation to an institution-specific compliance roadmap.

The program can be delivered as a 1-day senior management briefing, a 2-day practitioner program or a 3-day expert/owner competency program, depending on the institution's finance-technology position and the participant profile.

01. General framework of the regulation: the purpose, scope and addressees of EU Regulation 2022/2554; the definition of resilience for the finance-technology ecosystem in the EU.
02. Turkey impact and BRSA comparison: Turkish organizations bound directly and indirectly by DORA; points of parallel and difference with the BRSA Information Systems Regulation.
03. Pillar 1 — IT risk framework: IT risk management framework, asset inventory, risk assessment methodology, control layers and board reporting.
04. Pillar 2 — Incident classification and reporting: serious incident definition, classification criteria, initial notification, interim report (72 hours) and final report discipline, competent authority flow.
05. Pillar 3 — Resilience tests: type and frequency of regular resilience tests; TLPT obligation for critical organizations, scope design, external provider selection.
06. Pillar 4 — ICT third-party management: ICT supplier life cycle, mandatory contract clauses, critical supplier registration, exit strategy, CTPP regime.
07. Pillar 5 — Information sharing: threat indicator sharing, ISAC mechanisms, sectoral networks, legal framework and participation decision criteria.
08. Governance, control and roadmap: internal governance structure, internal audit, communication with the competent authority and a 90-day DORA compliance roadmap specific to the participating institution.
TRAINING MODULES

Regulation, implementation and audit discipline come together in a single program.

M1
DORA basics and scope analysis: why the regulation was created, its scope, the organizations it binds directly and indirectly; the definition of resilience in the EU finance-technology ecosystem; impact map for Turkey.
M2
Pillar 1 — IT risk management framework: structure of the IT risk management framework, asset inventory, risk assessment methodology, protective controls, continuous monitoring and the discipline of board reporting.
M3
Pillar 2 — Incident reporting flow: serious ICT incident definition, classification criteria, initial notification, interim report (72 hours) and final report deadlines; structured communication flow with the competent authority.
M4
Pillar 3 — Resilience testing program: regular test types (vulnerability, penetration, scenario), the TIBER-EU framework and the TLPT mandate, scope design, external provider selection and the findings closure discipline.
M5
Pillar 4 — ICT third-party regime: ICT supplier life cycle, mandatory contract clauses, critical supplier registration obligation, CTPP regime, exit strategy planning and a contract template.
M6
Pillar 5, BRSA parallel compliance, roadmap: information sharing mechanisms; compliance strategy aligned with the BRSA Information Systems Regulation; one-time control mapping; 90-day roadmap design.
HANDS-ON WORKSHOPS

The training makes learning stick through real finance-technology cases.

Participants do not just listen; they conduct a scope analysis, design an IT risk framework, build an incident classification matrix, draft a third-party agreement and create a roadmap for their own organization.

SCOPE ANALYSIS: organization impact mapping. How a sample Turkish bank, payment service provider or technology company falls within the scope of DORA is analyzed step by step.
IT RISK FRAMEWORK: framework template setup. The IT risk management framework template is filled in; the asset inventory, risk methodology and board reporting flow are designed.
INCIDENT CLASSIFICATION: threshold and reporting. 10 sample ICT incident scenarios are classified against DORA criteria; which of them count as "serious" and what the reporting path is are discussed.
72-HOUR SIMULATION: initial-interim-final report. In a ransomware scenario, the contents of the initial notification (within 4 hours), interim report (72 hours) and final report (1 month) are walked through.
ICT AGREEMENT: mandatory clause design. The mandatory clauses DORA requires are added to a cloud provider contract; gaps and negotiation points are discussed.
ROADMAP: 90-day DORA plan. A roadmap consisting of maturity assessment, quick wins and sustainable compliance steps is prepared for the participating institution.
WHO SHOULD JOIN

Training designed for DORA-covered financial institutions, technology providers and advisors.

CIO and Information Systems
CISO and Information Security
Operational Risk
Compliance Unit
Internal Audit and Risk
Business Continuity Managers
ICT Procurement and Contracting
Senior Management and Board of Directors
OUTPUTS

At the end of the training, the institution's DORA compliance maturity becomes measurable and sustainable.

Participant gains

  • Ability to clearly explain the scope and impact perimeter of the DORA regulation
  • Ability to analyze whether the organization is within the scope of DORA
  • Ability to design an IT risk management framework
  • Ability to establish serious incident classification and reporting flow
  • Ability to plan a resilience testing program
  • Ability to add mandatory clauses to ICT third party contract
  • Ability to manage parallel compliance structure with BRSA

Institutional outputs

  • DORA coverage analysis template
  • IT risk management framework template
  • Incident classification and reporting matrix
  • 72-hour initial-interim-final report timeline
  • Resilience testing program template
  • ICT third party contractual clauses library
  • Compliance control map parallel to BRSA
  • 90-day DORA compliance roadmap specific to the institution
TRAINING FACT SHEET

Everything you want to know about the training at a glance.

Duration, format, number of participants, certificate, content scope and delivered materials are set out below. In institution-specific programs, the parameters are adapted to need.

Training Duration: 14 hours / 2 full days. Option of a 1-day briefing or a 3-day expert competency program depending on the institution's maturity.
Training Format: Face to face or online. Classroom training at the institution's location, online live session or hybrid.
Certification: Certificate of Participation. Digital certificate signed by Secure Fors for all participants who complete the training.
Language of Training: Turkish. English training and materials on request.
Training Name: DORA Training (Digital Operational Resilience Act — EU Regulation 2022/2554)
Duration: 2 days (14 hours). Depending on the institution's maturity, it can be adapted as a 1-day senior management briefing or a 3-day expert/owner competency program.
Training Format: Face to face (institution location) · Online live (Zoom / Teams) · Hybrid
Training Topics: DORA regulation general framework · Scope and impact map · Turkey impact and BRSA comparison · IT risk management framework · ICT incident classification and reporting (4 hours / 72 hours / 1 month) · Digital resilience testing program · TIBER-EU and TLPT · ICT third-party life cycle · Contractual clauses · Critical third-party regime (CTPP) · Information sharing and ISAC · BRSA parallel compliance strategy.
Target Audience: CIOs and information systems managers, CISOs and information security teams, operational risk managers, compliance unit, internal audit and risk managers, business continuity managers, ICT procurement and contract management, senior management and board members.
Prerequisite: Basic knowledge of IT risk management, ISO 27001 or the BRSA Information Systems Regulation is recommended but not mandatory. For senior management participants, the executive briefing format can be adapted separately.
Number of Participants: 8 – 20 people for optimum efficiency. In institution-specific programs, groups of up to 25 people can be opened.
Certificate: Certificate of Participation. On completion of the training, a signed digital participation certificate is issued by Secure Fors. It contains a verifiable QR code.
Training Materials: Presentation file (PDF) · Workshop workbook · DORA scope analysis template · IT risk management framework template · Incident classification and reporting matrix · 72-hour initial-interim-final report timeline · Resilience testing program template · ICT third-party contract mandatory clauses library · BRSA parallel compliance control map · 90-day DORA compliance roadmap template.
Practice: Includes workshops on organization impact mapping, IT risk framework template setup, incident classification matrix design, the 72-hour initial-interim-final report simulation, ICT contract mandatory clause design, BRSA parallel control mapping and 90-day roadmap design.
Trainer: ISO 27001 Lead Auditor and CEH-certified senior consultant with financial services security experience. Has delivered projects under EU and Turkish financial sector regulatory frameworks; a professional with field experience in parallel compliance between the BRSA Information Systems Regulation and DORA.
Pricing: Institution-specific quotation. The price is determined by the number of participants, format (face-to-face / online), program duration and customization needs.
FREQUENTLY ASKED QUESTIONS

Answers to questions you may have before the training.

Are Turkish banks directly subject to DORA?

No, Turkish banks are not directly subject to it; however, Turkish banks that have a subsidiary in the EU, have EU-based customers, or provide services to EU institutions are affected by DORA requirements through contracts. The training clearly shows this indirect effect from the Turkey perspective.

If we are a cloud provider or SaaS vendor, are we affected by DORA?

Yes. Cloud, SaaS or data center providers serving EU financial institutions fall within DORA's ICT third-party regime. Providers exceeding certain criteria come under direct EU oversight as Critical Third-Party Providers (CTPP). The training covers this topic in detail.

We are compliant with the BRSA Information Systems Regulation; will DORA compliance be easy?

It is an important advantage, but it is not sufficient. BRSA and DORA are parallel in many areas, but DORA is stricter in areas such as incident reporting deadlines, the stringency of the third-party regime, the TLPT obligation and the detail of board reporting. The training concretely demonstrates the parallel compliance strategy and the differences.

Who does the TLPT obligation affect?

The Threat-Led Penetration Testing (TLPT) obligation applies every 3 years to financial institutions deemed "critical" under DORA. It is conducted in line with the TIBER-EU framework. Not every organization within DORA's scope is required to perform TLPT; but even those outside the TLPT scope must perform regular penetration testing. The training clearly shows who is required to perform TLPT.

Is the training technical or managerial?

The training has a hybrid structure: topics such as the IT risk framework, resilience tests and incident reporting are covered at a technical level, while board responsibility, contract management, audit preparation and the roadmap are handled at the management level. A separate 1-day briefing format is also available for senior management participants.

Will we be ready for the DORA audit after the training?

Training is a key step on the path to DORA compliance. For full compliance, the organization's IT risk framework, incident reporting procedure, resilience testing program, third-party contracts and documentation set must be created and made ready for competent authority review. The training clearly outlines the checklist for this preparation and the gaps; Secure Fors offers compliance project consultancy on request.

DORA is a new resilience standard for the entire finance-technology ecosystem doing business with the EU; preparation for compliance should start today.

Make a measurable start to your compliance journey with a DORA training program tailored to your organization's position and current IT risk maturity.

References: EU Regulation 2022/2554 — Digital Operational Resilience Act · ESA (EBA, ESMA, EIOPA) Joint Committee Final Reports · TIBER-EU Framework · BRSA Information Systems and Electronic Banking Regulation · ISO/IEC 27001:2022 · ISO/IEC 22301 · NIST Cybersecurity Framework · Basel III Operational Resilience Principles.