The Value of IBITGQ’s First-to-Market Certified DORA Qualifications

The International Board for IT Governance Qualifications (IBITGQ) is a personnel certification body renowned for certifying practitioners in the sectors of IT governance, information security, cyber security, and privacy. Earning a reputation as the ‘practitioner’s certification’, IBITGQ qualifications equip people with not only the theoretical knowledge but also the practical capabilities to identify and respond to information security, cyber security, and data privacy threats. The development of IBITGQ certifications is highly dynamic and responsive to rapidly changing macro-environmental factors, including the Digital Operational Resilience Act (DORA).

DORA defines a compulsory and comprehensive information and communication technology (ICT) risk management framework that complements existing laws and establishes unified technical standards that financial institutions and their third-party technology service providers must implement before 17 January 2025.

In response to this new legislation, IBITGQ has introduced first-to-market DORA qualifications: Certified DORA Foundation, Certified DORA Practitioner, Certified DORA Lead Auditor, Certified DORA Compliance Officer, and Certified DORA Risk Director.

DORA explained

DORA was developed to integrate and strengthen risk and response requirements for ICT throughout the financial services sector in the EU based on a common set of standards for mitigating operational ICT threats and risk. Its objective is to ensure that financial entities in the EU, along with their critical ICT service providers, have the digital operational resilience capabilities and resources to mitigate information and cyber security threats to avoid operational disruptions. DORA consolidates multiple components of operational resilience into one framework based on the following five pillars:

  1. ICT risk management framework: DORA emphasizes the need for financial entities to establish an internal governance and control framework for ICT and to appoint a management body to coordinate and implement ICT risk management measures.
  2. ICT-related incident management, classification, and reporting: DORA provides a streamlined approach to incident management and reporting for entities in the financial service industry and their service providers. This requirement ensures disruptions are managed quickly and effectively, while minimizing the impact on clients and the wider business.
  3. Digital operational resilience testing: To ensure digital operational resilience and provide evidence of that fact, financial entities are required to implement rigorous testing plans. In some cases, this may involve advanced penetration testing, which may need to be conducted every three years.
  4. Third-party ICT risk management: DORA defines principle-based rules for monitoring risks related to outsourced tasks. Outsourcing agreements must comply with minimum contracting requirements, such as a comprehensive description of all functions, ICT services, and service quality.
  5. Information sharing: DORA permits financial entities to share information, which has many benefits such as creating awareness of threats and improving defensive and detection techniques.

People in financial services entities and their critical third-party service providers who should obtain a DORA certification are not limited to managers and professionals in risk management, compliance, audit, ICT, and related roles within financial-sector organizations. It also includes those, particularly in IT, who work for service providers that supply ICT services to financial institutions operating in the EU, and those dedicated to continued professional development with a focus on high-quality information and cyber security practices.

Financial services entities and their critical third-party suppliers that do not comply with DORA face severe penalties and restrictions. Entities found to be in breach of DORA’s requirements may face regulatory fines. The amount of the fine will depend on the seriousness of the violation and the financial entity’s cooperation with authorities.

Financial entities that fail to report major ICT-related incidents or significant cyber threats as required under DORA may also face fines.

Furthermore, entities that fail to comply may face further sanctions, which will restrict operations, resulting in reputational damage and dire economic consequences depending on the size of the entity.

The benefits of certified DORA qualifications for people, organizations, and the entire business environment

Achieving a professional certified DORA qualification has several benefits for people and organizations that directly affect the business environment. The syllabi of IBITGQ’s DORA qualifications have been developed by subject matter experts (SMEs) and are first-to-market from a personnel certification body.

By achieving a certified DORA qualification, a person expands their knowledge of and skills in a highly complex regulation. They become more marketable, and the organization that employs or recruits them will indirectly possess their capabilities. A certified DORA professional can identify vulnerabilities, assess risks, reduce gaps in security, and expose and respond to threats, as well as share knowledge of these practices.

As DORA is a new regulation, financial entities and their employees are still in the research phase as ESAs develop technical standards for compliance. The demand for certified DORA professionals will mean further skill gaps in an already strained information and cyber security workforce.

The personal benefits of a DORA qualification align with the benefits to an organization. The main objective of certified DORA qualifications is to support regulatory compliance, thereby reducing the risk of severe financial penalties, reputational damage, and operational restrictions. As 2024 approaches, the deadline for compliance is only a year away, so organizations must start now before it is too late. Early adopters of the Act will have a competitive advantage in that it demonstrates they are committed to the protection of digital assets, abide by laws, and value business continuity.

In addition to escaping regulatory penalties, the Act provides an opportunity for financial entities and their third-party service providers to strengthen their digital operational resilience. Enhancing these security borders will reduce breaches, which are costly and cause substantial reputational damage.

Internationally recognized information security and business continuity management systems form a basis for effective DORA compliance, which is reflected in our DORA qualifications. By following these international best-practice approaches, learners can easily explore complementary disciplines.

Achieving a DORA qualification

Candidates must pass a certified DORA examination. Each examination is mapped to the major theoretical principles and practical components of the Regulation.

Before sitting a certified DORA examination, a candidate can take training provided by an accredited training organization (ATO). Alternatively, they can purchase an examination voucher, which is valid for a specific period, and take an exam administered by the Global Association for Software Quality (GASQ).

As the DORA deadline approaches, be counted as an early adopter and not a lagger. Either book your certified DORA training or purchase an examination voucher to be awarded this first-to-market certification by IBITGQ.